On Jan 12, 2007, at 22:58, Paul Duncan wrote:

> * Eric Hodel ([EMAIL PROTECTED]) wrote:
>> I've checked in fixes for an installation exploit found by Gavin
>> Sinclair. Here's a draft email describing the exploit and how to fix
>> RubyGems. I only supplied patches for the past two versions of
>> RubyGems, since tattle says that's what everybody uses.
>>
>> Subject: RubyGems 0.9.0 and earlier installation exploit
>>
>> Problem Description:
>>
>> RubyGems does not check installation paths for gems before writing
>> files.
>
> The potential security problems with RubyGems are actually much worse
> than that. Documentation and tests are executed as the user doing the
> install (which, as you said, is usually root). That means I can embed
> arbitrary Ruby code in either the documentation template and it will
> usually be run as root. For example:

I don't think there's an easy way around this one.

> Obviously the same thing can be done with unit tests. While neither of
> these are a bug with RubyGems per se, they're both convenient places to
> hide sneak away code that will be run as root on a lot of machines at
> install time.

I think I'll pull the ability to run unit tests out of gem install for 0.9.2. The whole thing is various shades of broken anyhow and needs a revamp.

--
Eric Hodel - [EMAIL PROTECTED] - http://blog.segment7.net

I LIT YOUR GEM ON FIRE!

_______________________________________________
Rubygems-developers mailing list
Rubygems-developers@rubyforge.org
http://rubyforge.org/mailman/listinfo/rubygems-developers
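The following is an added illustration, not code from this thread or from RubyGems itself, of the check the draft advisory above says was missing: every file entry of a gem is resolved against the install root before anything is written, and entries that would land outside the root are refused. The install root, the `safe_install_path`/`check_gem_entries` names and the sample entry list are all constructed for the example.

```ruby
require "pathname"

class UnsafeInstallPath < StandardError; end

# Returns the absolute destination for +entry+ under +install_root+, or
# raises UnsafeInstallPath if writing the entry would escape the root.
def safe_install_path(install_root, entry)
  root = File.expand_path(install_root).chomp(File::SEPARATOR)
  # A NUL byte would truncate the path at the filesystem layer; File.expand_path
  # also raises on it, so reject it explicitly first.
  raise UnsafeInstallPath, "NUL byte in path" if entry.include?("\0")
  # A gem may only ship relative paths; absolute ones are refused outright.
  raise UnsafeInstallPath, "absolute path: #{entry}" if Pathname.new(entry).absolute?
  # File.expand_path expands a leading "~" to a home directory, so a
  # "~/..." entry would silently leave the root; refuse it as well.
  raise UnsafeInstallPath, "home-relative path: #{entry}" if entry.start_with?("~")
  dest = File.expand_path(entry, root)   # normalises "." and ".." components
  # The resolved path must be the root itself or a descendant of it. The
  # separator is part of the prefix so "/opt/gems/foo-1.0-evil" does not
  # pass as a child of "/opt/gems/foo-1.0".
  unless dest == root || dest.start_with?(root + File::SEPARATOR)
    raise UnsafeInstallPath, "escapes install root: #{entry}"
  end
  dest
end

# Splits a gem's entry list into resolved destinations that may be written
# and [entry, reason] pairs that must not be.
def check_gem_entries(install_root, entries)
  ok, rejected = [], []
  entries.each do |entry|
    begin
      ok << safe_install_path(install_root, entry)
    rescue UnsafeInstallPath => e
      rejected << [entry, e.message]
    end
  end
  [ok, rejected]
end

if __FILE__ == $0
  # Constructed sample entries, as might be listed in a gem's data archive.
  sample = ["lib/foo.rb", "lib/../lib/bar.rb", "../../outside.rb", "/tmp/x"]
  ok, bad = check_gem_entries("/opt/gems/foo-1.0", sample)
  puts "write:  #{ok.inspect}"
  puts "refuse: #{bad.inspect}"
end
```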