lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 21 Jan 2007 01:16:48 -0800
From: Eric Hodel <drbrain@...ment7.net>
To: bugtraq@...urityfocus.com
Subject: RubyGems 0.9.0 and earlier installation exploit

Background:

RubyGems is the typical packaging tool for ruby packages.

RubyGems home page:

http://rubygems.org/

Ruby home page:

http://ruby-lang.org

Problem Description:

RubyGems does not check installation paths for gems before writing  
files.

Impact:

Since RubyGems packages are typically installed using root  
permissions, arbitrary files may be overwritten on-disk.  This may  
lead to denial of service, privilege escalation or remote compromise.

Workaround:

No known workarounds

Solution:

a) Upgrade to RubyGems 0.9.1

b) Apply one of the following patches

For RubyGems 0.9.0:



Download attachment "installer.rb.extract_files.REL_0_9_0.patch" of type "application/octet-stream" (1234 bytes)


For RubyGems 0.8.11:



Download attachment "installer.rb.extract_files.REL_0_8_11.patch" of type "application/octet-stream" (1397 bytes)


MD5 (installer.rb.extract_files.REL_0_8_11.patch) =  
31e3bacd1821de0272864c153b7c0dca
MD5 (installer.rb.extract_files.REL_0_9_0.patch) =  
bed4fcdd438a7d8b81cf72e1ffe48a7d

Patches may also be downloaded here:

http://rubyforge.org/frs/shownotes.php?group_id=126&release_id=9074

Note:

Remote installations via Rubyforge will be disabled in the near  
future for versions of RubyGems earlier than 0.9.1, even for patched  
versions of RubyGems.  Local installations will continue to work,  
however.

Thanks to Gavin Sinclair for finding and reporting this problem.

Testing your updated RubyGems:

Installing rspec-0.7.5 will give an InstallError on a patched version  
of RubyGems:

$ gem install rspec --version 0.7.5
ERROR:  While executing gem ... (Gem::InstallError)
     attempt to install file into "../web_spec/ 
web_test_html_formatter.rb"

An updated rspec (0.7.5.1) has already been released.

-- 
Eric Hodel - drbrain@...ment7.net - http://blog.segment7.net

I LIT YOUR GEM ON FIRE!


Powered by blists - more mailing lists