Problem Description:
RubyGems does not check installation paths for gems before writing
files.
Impact:
Since RubyGems packages are typically installed using root
permissions, arbitrary files may be overwritten on-disk. This may
lead to denial of service, privilege escalation or remote compromise.
Workaround:
No known workarounds
Solution:
a) Upgrade to RubyGems 0.9.1
b) Apply one of the following patches
For RubyGems 0.9.0:
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
For RubyGems 0.8.11:
Note:
Remote installations via Rubyforge will be disabled in the near
future for versions of RubyGems earlier than 0.9.1, even for patched
versions of RubyGems. Local installations will continue to work,
however.
Thanks to Gavin Sinclair for finding and reporting this problem.
Testing your updated RubyGems:
Installing rspec-0.7.5 will give an InstallError on a patched version
of RubyGems:
$ gem install rspec --version 0.7.5
ERROR: While executing gem ... (Gem::InstallError)
attempt to install file into "../web_spec/
web_test_html_formatter.rb"
The rspec teams reports that an updated rspec will be released later
today or tomorrow.
--
Eric Hodel - drbrain-48TerJ1FxhPk1uMJSBkQmQ@public.gmane.org -
http://blog.segment7.net
I LIT YOUR GEM ON FIRE!