Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP


Fixed a code-injection in Gem::Specification#ruby_code. #165

wants to merge 1 commit into from

3 participants

Postmodern Dustin Webber Eric Hodel
Dustin Webber

@postmodern confirmed. Bump++


@zenspider, @raggi, @evanphx, @sandal Can I get some extra eyes on this vulnerability and patch?

Eric Hodel

I couldn't use this patch.

It contained no tests and obviously the tests weren't run when it was committed.

It introduced a possible SystemStackError.

It allowed the dumped Hash to contain non-String keys and values.

Eric Hodel drbrain closed this

@drbrain Thanks for fixing this. Next time could you just --amend my patch?

Confirmed this patch fixes the vulnerability:

  s.summary = "A Proof of Concept (PoC) exploit for an trivial Security vulnerability in how RubyGems converts YAML-dumped gemspecs, back into Ruby code, when installing RubyGems}; require('base64');eval(Base64.decode64(\"YmVlcCA9IGxhbWJkYSB7IHxtfCBwdXRzICJcYSN7bX0iIH0Kc2F5X3B1dHMg\\nPSBsYW1iZGEgeyB8bXwgYmVlcFttXTsgc3lzdGVtKCdzYXknLG0pIH0Kc2F5\\nX3B1dHNbIkdlZW50bGVtZW4uIl0Kc2F5X3B1dHNbIkFsbCB2ZXJzaW9ucyBv\\nZiBSdWJ5LUdlbXMgYXJlIHZ1bG5lcmFibGUgdG8gcGVyc2lzdGVudCBjb2Rl\\nIGluamVjdGlvbiB2aWEgdGhlIGdlbSBzcGVjcyB0aGF0IGFyZSByZS1nZW5l\\ncmF0ZWQgd2hlbiB5b3UgaW5zdGFsbCBhIEdlbS4iXQoKYmVlcFsiKiBodHRw\\nczovL2dpdGh1Yi5jb20vcnVieWdlbXMvcnVieWdlbXMvcHVsbC8xNjUiXQo=\\n\")) #"

Will you be publishing a Security Advisory, so the Linux distributions can backport the patch or upgrade to 1.8.10?

Eric Hodel

For just one line it wasn't worth the effort of --amend. For a larger patch I certainly will.

I don't know anything about Security Advisories, but I will consult with Aaron.

Joerg Sonnenberger jsonn referenced this pull request from a commit in jsonn/pkgsrc
taca Update rubygems package to 1.8.10.
=== 1.8.10 / 2011-08-25

RubyGems 1.8.10 contains a security fix that prevents malicious gems from
executing code when their specification is loaded.  See
rubygems/rubygems#165 for details.

* 5 bug fixes:

  * RubyGems escapes strings in ruby-format specs using #dump instead of #to_s
    and %q to prevent code injection.  Issue #165 by Postmodern
  * RubyGems attempt to activate the psych gem now to obtain bugfixes from
  * Gem.dir has been restored to the front of Gem.path.  Fixes remaining
    problem with Issue #115
  * Fixed Syck DefaultKey infecting ruby-format specifications.
  * `gem uninstall a b` no longer stops if gem "a" is not installed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Aug 25, 2011
  1. Postmodern

    Fixed a code-injection in Gem::Specification#ruby_code.

    postmodern authored
    * Explaination and Proof of Concept (PoC) exploit against this
This page is out of date. Refresh to see the latest.
Showing with 2 additions and 2 deletions.
  1. +2 −2 lib/rubygems/specification.rb
4 lib/rubygems/specification.rb
@@ -1914,10 +1914,10 @@ def ri_dir
def ruby_code(obj)
case obj
- when String then '%q{' + obj + '}'
+ when String then obj.inspect
when Array then '[' + { |x| ruby_code x }.join(", ") + ']'
when Hash then
- seg = { |k| "%q{#{k}} => %q{#{obj[k]}}" }
+ seg = { |k| "#{ruby_code k} => #{ruby_code obj[k]}" }
"{ #{seg.join(', ')} }"
when Gem::Version then obj.to_s.inspect
when Date then '%q{' + obj.strftime('%Y-%m-%d') + '}'
Something went wrong with that request. Please try again.