[DRE-maint] Bug#540610: rubygems: integrity violation

Daigo Moriwaki daigo at debian.org
Sun Aug 9 06:34:18 UTC 2009


Hello Michael,

Michael S. Gilbert wrote:
> package: rubygems1.9
> version: 1.3.1
> tags: security
> severity: serious
> 
> hello, it has been disclosed that a specially crafted gem archive could
> be used to overwrite system files.  confirmed for 1.3.x, but older
> versions may also be affected.  please check and help the security
> team prepare updates for the stable releases. see:
> 
> http://bugs.gentoo.org/show_bug.cgi?id=278566
> http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/24472
> http://redmine.ruby-lang.org/issues/show/1800

Thank you for the references. I have just read them.

In Debian, executables from gems install into a particular directory specific to
RubyGems such as /var/lib/gems/{1.8|1.9.0}/bin instead of the system directory
/usr/bin. There should be no risk of the kind they talked about.

If you think of any problems in Debian, please let me know; otherwise, please
close this ticket.

Regards,
Daigo

-- 
Daigo Moriwaki
daigo at debian dot org
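
As an added example (not code from this report, from Debian or from RubyGems), and assuming the "specially crafted gem archive" in the report carries entry names that resolve outside the gem's installation directory (an assumption; the report does not say how the overwrite happens), here is a check that refuses such entry names before anything is extracted:

```ruby
# Added example, not code from the bug report or from RubyGems: given the
# directory a gem installs into, reject archive entry names that would land
# outside it. Assumes the vector is an entry name such as "../../usr/bin/x"
# in the gem's data tarball (an assumption on the reporter's wording).
INSTALL_DIR = "/var/lib/gems/1.8/gems/example-1.0" # constructed sample path

# Entry names as they might appear in a gem's data tarball (constructed).
SAMPLE_ENTRIES = [
  "bin/example",
  "lib/example.rb",
  "lib/./helper.rb",
  "lib/../../escape.rb",
  "../../../usr/bin/ruby",
  "/etc/passwd",
  "~/.bashrc",
].freeze

# True only when `entry` resolves to a path at or below `install_dir`.
# Absolute names and "~" names are refused before expansion, because
# File.expand_path would honour them instead of anchoring to install_dir.
# The trailing separator stops "../example-1.0-evil/x" from passing as a
# mere string-prefix match.
def safe_entry?(install_dir, entry)
  return false if entry.empty? || entry.start_with?("/", "~")
  base = File.expand_path(install_dir)
  dest = File.expand_path(entry, base)
  dest == base || dest.start_with?(base + File::SEPARATOR)
end

# Split entries into [accepted, rejected] so a caller can refuse the whole
# gem when anything is rejected rather than installing a partial tree.
def partition_entries(install_dir, entries)
  entries.partition { |e| safe_entry?(install_dir, e) }
end

if __FILE__ == $0
  ok, bad = partition_entries(INSTALL_DIR, SAMPLE_ENTRIES)
  puts "accepted: #{ok.inspect}"
  puts "rejected: #{bad.inspect}"
end
```

The check looks only at entry names; symlink entries pointing outside the install directory would need a separate check on their link targets.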