[DRE-maint] Bug#540610: rubygems: integrity violation

Michael S. Gilbert michael.s.gilbert at gmail.com
Sun Aug 9 06:39:57 UTC 2009


On Sun, 09 Aug 2009 15:34:18 +0900 Daigo Moriwaki wrote:

> Hello Michael,
> 
> Michael S. Gilbert wrote:
> > package: rubygems1.9
> > version: 1.3.1
> > tags: security
> > severity: serious
> > 
> > hello, it has been disclosed that a specially crafted gem archive could
> > be used to overwrite system files.  confirmed for 1.3.x, but older
> > versions may also be affected.  please check and help the security
> > team prepare updates for the stable releases. see:
> > 
> > http://bugs.gentoo.org/show_bug.cgi?id=278566
> > http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/24472
> > http://redmine.ruby-lang.org/issues/show/1800
> 
> Thank you for the references. I have just read them.
> 
> In Debian, executables from gems install into a particular directory specific to
> RubyGems such as /var/lib/gems/{1.8|1.9.0}/bin instead of the system directory
> /usr/bin. There should be no risk that they talked about.
> 
> If you think of any problems in Debian, please let me know; otherwise, please
> close this ticket.

what about installing a rogue 'ls' to '/var/lib/gems/{1.8|1.9.0}/bin'?
i've never used rubygems before, so i'm not sure how paths are
configured. would this override the system 'ls'?

mike
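The two questions in this exchange, whether an archive member name can escape the gem's install directory and whether a rogue 'ls' in the RubyGems bin dir would shadow the system one, as an added example that is not from the thread and not RubyGems' own code. The tar reader/writer is a minimal ustar subset written only for this example (regular files, names up to 100 bytes, no link members), the install directory and the archive contents are constructed assumptions, and the PATH lookup is a simulation over a constructed list of existing files:

```ruby
# Added example, not RubyGems code. Assumed layout for a gem installed under the
# Debian gem root named in the thread; the member list below is constructed.
INSTALL_DIR = "/var/lib/gems/1.8/gems/example-1.0"
GEM_BIN_DIR = "/var/lib/gems/1.8/bin"

# --- minimal ustar writer: regular files only, names <= 100 bytes ---
def tar_header(name, size)
  raise ArgumentError, "name too long for this toy writer" if name.bytesize > 100
  h = "".b
  h << name.b.ljust(100, "\0")        # name
  h << "0000644\0"                    # mode
  h << "0000000\0" << "0000000\0"     # uid, gid
  h << format("%011o\0", size)        # size, octal
  h << format("%011o\0", 0)           # mtime
  h << " " * 8                        # checksum field is spaces while summing
  h << "0"                            # typeflag: regular file
  h << "\0" * 100                     # linkname
  h << "ustar\0" << "00"              # magic, version
  h << "\0" * 32 << "\0" * 32         # uname, gname
  h << "\0" * 8 << "\0" * 8           # devmajor, devminor
  h << "\0" * 155                     # prefix (unused here)
  h << "\0" * 12                      # padding to 512 bytes
  h[148, 8] = format("%06o\0 ", h.bytes.sum)
  h
end

def build_tar(entries)
  out = "".b
  entries.each do |name, data|
    data = data.b
    out << tar_header(name, data.bytesize) << data
    out << "\0" * ((512 - data.bytesize % 512) % 512)
  end
  out << "\0" * 1024                  # end-of-archive marker
end

# --- minimal reader: walk the headers and collect member names ---
def tar_member_names(tar)
  names = []
  off = 0
  while off + 512 <= tar.bytesize
    hdr = tar.byteslice(off, 512)
    break if hdr.bytes.all?(&:zero?)
    name, size = hdr.unpack("Z100 x24 Z12")
    size = size.to_i(8)
    names << name
    off += 512 + size + (512 - size % 512) % 512
  end
  names
end

# A member is safe only if it resolves to a path inside install_dir.
# Absolute names and names beginning with "~" are rejected before expansion:
# File.expand_path would otherwise turn "~user" into that user's home directory.
# This covers names only; symlink or hardlink members pointing outside the
# directory are a separate concern that this toy writer does not produce.
def safe_member?(name, install_dir)
  return false if name.empty? || name.start_with?("/", "~")
  base = File.expand_path(install_dir)
  target = File.expand_path(name, base)
  target == base || target.start_with?(base + "/")
end

def escaping_members(tar, install_dir)
  tar_member_names(tar).reject { |n| safe_member?(n, install_dir) }
end

# Simulate the shell's lookup of cmd: first PATH entry containing the file wins.
# present_files is a constructed list standing in for the filesystem.
def resolve_command(cmd, path_env, present_files)
  path_env.split(":").each do |dir|
    candidate = File.join(dir, cmd)
    return candidate if present_files.include?(candidate)
  end
  nil
end

# Constructed archive: two benign members, one traversal, one absolute name.
CONSTRUCTED_GEM_TAR = build_tar([
  ["lib/example.rb", "puts 'hello'\n"],
  ["bin/example", "#!/usr/bin/env ruby\n"],
  ["../../../../../../../usr/bin/ls", "#!/bin/sh\necho pwned\n"],
  ["/etc/profile.d/rogue.sh", "export PATH=#{GEM_BIN_DIR}:$PATH\n"],
])

if __FILE__ == $0
  p escaping_members(CONSTRUCTED_GEM_TAR, INSTALL_DIR)
  files = ["/bin/ls", "#{GEM_BIN_DIR}/ls"]
  p resolve_command("ls", "/usr/local/bin:/usr/bin:/bin:#{GEM_BIN_DIR}", files)
  p resolve_command("ls", "#{GEM_BIN_DIR}:/usr/bin:/bin", files)
end
```

The second half answers the 'ls' question as a matter of PATH order rather than of file location: a rogue binary in the gem bin dir only wins for users whose PATH lists that directory ahead of /bin and /usr/bin, and the absolute-name member in the constructed archive shows why name checking matters even for a gem whose executables nominally stay under /var/lib/gems.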

More information about the Pkg-ruby-extras-maintainers mailing list