Gem pushing is vulnerable. #93

blambeau opened this Issue Jan 31, 2013 · 3 comments


None yet

2 participants


For the same reasons than, Geminabox is vulnerable because rubygems is vulnerable in in the first place.

I haven't see anything moving here. This is a kind reminder.

tomlea commented Feb 1, 2013

As best as I can tell, this is the same old YAML allocating arbitrary ruby objects class of exploit? If so, the fix is tricky without breaking things.

At this point, I'm not going to panic. Here's why:

  • This software is not designed to run on public infrastructure, so I'm less concerned than I would be on a public facing app.
  • We're running a fairly small get of gems, with no autoloading of missing constants. This gives a much smaller target area, for exploitation, and the now standard ActionController::Routing::RouteSet::NamedRouteCollection path to actual evaluation is not open (we don't run on Rails).

My plan for right now is to stay calm, carry on, then watch for what do.

You never know, but the whole "let's keep things in YAML" part of RubyGems may have to die, opening up a whole new world of magic and wonderment and endless updating 😀

What I'm actually expecting, is a fix in rubygems, that closes the hole. As geminabox offloads most of the interesting work to rubygems (it actually does exactly 0 work with YAML apart from passing them around uninspected), the fix will be "Upgrade rubygems", and I'll probably end up setting it up as a minimal requirement for running the app.

That said, if anyone can find a path through, and get a patch out, please do let me know.

blambeau commented Feb 1, 2013

I think you're right here. It was just in case.

What I'm actually expecting, is a fix in rubygems, that closes the hole.

So glad to hear clear thinking in here 👍

tomlea commented Feb 1, 2013

Cool Beanz!

@blambeau blambeau closed this Oct 8, 2014
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment