oss-sec mailing list archives

Re: CVE Request -- RubyGems


From: Alex Legler <a3li () gentoo org>
Date: Tue, 21 Jul 2009 22:04:08 +0200

Hi,

first a little note: I have talked to some people in the Ruby community
and the issue is quite disputed. There is no upstream reaction that I
know of. But since CVE-2007-0469 was assigned to a similar issue, I
think this issue is valid, too.

On Di, 2009-07-21 at 20:57 +0200, Jan Lieskovsky wrote:
A remote attacker
could provide a specially-crafted Gem (POSIX tar)
archive, 

Please note that .gem files are not neccesarily tarballs, there is at
least a proprietary base64-based format around and I've heard about
cpio.

which once opened by an unsuspecting
user, would overwrite relevant system file.

The user in this context has to be a privileged user. gem will use
~/.gem/bin if the system-wide gem binary directory is not writeable.

Alex

Attachment: signature.asc
Description: This is a digitally signed message part


Current thread: