RubyFlow : The Ruby Community Blog


rubygems-pwn: A Vulnerability in RubyGems (currently being fixed)

If you've seen people saying to run gem install rubygems-pwn on Twitter (which I don't advise!), it's because it's a proof of concept for a vulnerability in RubyGems. The rubygems-pwn project on GitHub has more information about it, but essentially you can push arbitrary Ruby code into gemspec parameters which will then be executed later on. The vulnerability has been discussed in the rubygems repo, where a fix has already been made, but hopefully more general fixes will be made available soon. (If you want to see the direct example of a malicious gemspec, look here.)

Update: RubyGems 1.8.10 has been released to address this vulnerability.
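As an added illustration of the bug class the post describes (this is neither RubyGems' own code nor the rubygems-pwn proof of concept): a gemspec's fields are re-emitted as Ruby source that gets evaluated later, so every string field must be written out as a proper literal. The post does not name the exact code path; the helper names, the field regex and the crafted sample value below are assumptions.

```ruby
# Added example, not RubyGems code. Contrasts an unescaped emitter with a
# hardened one and adds a check for already-generated spec lines.

# Naive emitter: plain interpolation. A value containing an unescaped double
# quote closes the literal early, and the rest of the value becomes code.
def unsafe_assignment(field, value)
  "s.#{field} = \"#{value}\""
end

# Hardened emitter: String#dump escapes quotes, backslashes, newlines and the
# interpolation triggers (#{ #$ #@), so the value can only ever be a string.
def safe_assignment(field, value)
  "s.#{field} = #{value.dump}"
end

# Defence in depth: gem names have a narrow legal alphabet (assumed here), so
# reject anything else before it reaches serialisation at all.
GEM_NAME = /\A[A-Za-z0-9_.\-]+\z/
def valid_gem_name?(name)
  name.is_a?(String) && name.match?(GEM_NAME)
end

# Detection rule for generated spec lines: accept only `s.<field> = "<literal>"`
# where the literal runs to the end of the line and contains no live
# interpolation trigger.
ASSIGNMENT = /\A s\.\w+ \s=\s "((?:[^"\\]|\\.)*)" \z/x
def single_literal?(line)
  m = ASSIGNMENT.match(line)
  return false unless m
  # Tokenise the literal body: escape pairs are consumed first, so an escaped
  # "\#{" never counts as interpolation while a bare "#{" does.
  m[1].scan(/\\.|#[{$@]|./m).none? { |tok| tok.match?(/\A#[{$@]\z/) }
end

if __FILE__ == $PROGRAM_NAME
  crafted = 'demo"; puts "injected"; x = "'   # constructed value, not the PoC's
  puts unsafe_assignment("name", crafted)      # literal closes after "demo"
  puts safe_assignment("name", crafted)        # stays a single string literal
  puts valid_gem_name?(crafted)                # false: rejected up front
end
```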

Comments

Fix exists:
https://github.com/rubygems/rubygems/pull/165

robgleeson - August 26, 2011 23:01

Thanks. I've clarified things a bit.

PeterCooper - August 26, 2011 23:24

Glad to see this finally getting some much needed attention.

Three things that worry me: 1) RubyGems does not seem to have Security Response Guidelines in place for responding to vulnerabilities, 2) this was a trivial mistake that none of the RubyGems maintainers caught, 3) this vulnerability has existed since the first release of RubyGems; we have all been vulnerable this entire time.

Also, the rubygems-pwn PoC is harmless (it just calls puts and the say command). Although I wouldn't install it on a production server. ;)

Now, let's get everyone upgraded!

postmodern - August 27, 2011 00:22

The problem there is that a lot of people deliberately use old versions of RubyGems due to the... "changes" since around 1.7 onwards. I wonder if backported releases or patches will be made available.

PeterCooper - August 27, 2011 01:23

@peterc Has the Ruby Security team sent an advisory out yet? I can't find anything on ruby-lang.org or on Google.

postmodern - August 29, 2011 19:38

SlimGems will be releasing a backport fix for this issue in the 1.3.x line, so if you use RubyGems pre-1.7, SlimGems is still an actively maintained branch.

Loren Segal - September 07, 2011 18:01
