On 1/12/07, Eric Hodel <[EMAIL PROTECTED]> wrote:
> On Jan 12, 2007, at 11:17, Eric Hodel wrote:
> > On Jan 12, 2007, at 10:59, Eric Hodel wrote:
> >
> >> I've checked in fixes for an installation exploit found by Gavin
> >> Sinclair. Here's a draft email describing the exploit and how to
> >> fix RubyGems. I only supplied patches for the past two versions of
> >> RubyGems, since tattle says that's what everybody uses.
> >>
> >> b) Apply the following patch
> >>
> >> For RubyGems 0.9.0:
> >>
> >> <installer.rb.extract_files.REL_0_9_0.patch>
> >>
> >> For RubyGems 0.8.11:
> >>
> >> <installer.rb.extract_files.REL_0_8_11.patch>
> >
> > Note: I didn't test either of these patches. The 0.9.0 patch applied
> > cleanly with offset. The 0.8.11 I had to do by hand.
> >
> > If anybody still has a 0.8.11, please test this patch.
>
> Evan Phoenix reported my patch was bogus. This patch should apply
> correctly:
>
>
This works for me (I downgraded to 0.8.11 to try it). Though if you're on 0.8.11, you're going to have trouble with spec attributes that don't work anyway. Probably a good time to just tell people to upgrade and give them a window after which we shut them down.

Chad

_______________________________________________
Rubygems-developers mailing list
Rubygems-developers@rubyforge.org
http://rubyforge.org/mailman/listinfo/rubygems-developers