Fixed a code-injection in Gem::Specification#ruby_code. #165

Closed

@postmodern
@mephux
mephux commented Aug 25, 2011

@postmodern confirmed. Bump++

@postmodern

@zenspider, @raggi, @evanphx, @sandal Can I get some extra eyes on this vulnerability and patch?

@drbrain
RubyGems member
drbrain commented Aug 26, 2011

I couldn't use this patch.

It contained no tests and obviously the tests weren't run when it was committed.

It introduced a possible SystemStackError.

It allowed the dumped Hash to contain non-String keys and values.

@drbrain drbrain closed this Aug 26, 2011
@postmodern

@drbrain Thanks for fixing this. Next time could you just --amend my patch?

Confirmed this patch fixes the vulnerability:

  s.summary = "A Proof of Concept (PoC) exploit for an trivial Security vulnerability in how RubyGems converts YAML-dumped gemspecs, back into Ruby code, when installing RubyGems}; require('base64');eval(Base64.decode64(\"YmVlcCA9IGxhbWJkYSB7IHxtfCBwdXRzICJcYSN7bX0iIH0Kc2F5X3B1dHMg\\nPSBsYW1iZGEgeyB8bXwgYmVlcFttXTsgc3lzdGVtKCdzYXknLG0pIH0Kc2F5\\nX3B1dHNbIkdlZW50bGVtZW4uIl0Kc2F5X3B1dHNbIkFsbCB2ZXJzaW9ucyBv\\nZiBSdWJ5LUdlbXMgYXJlIHZ1bG5lcmFibGUgdG8gcGVyc2lzdGVudCBjb2Rl\\nIGluamVjdGlvbiB2aWEgdGhlIGdlbSBzcGVjcyB0aGF0IGFyZSByZS1nZW5l\\ncmF0ZWQgd2hlbiB5b3UgaW5zdGFsbCBhIEdlbS4iXQoKYmVlcFsiKiBodHRw\\nczovL2dpdGh1Yi5jb20vcnVieWdlbXMvcnVieWdlbXMvcHVsbC8xNjUiXQo=\\n\")) #"

Will you be publishing a Security Advisory, so the Linux distributions can backport the patch or upgrade to 1.8.10?

@drbrain
RubyGems member
drbrain commented Aug 26, 2011

For just one line it wasn't worth the effort of --amend. For a larger patch I certainly will.

I don't know anything about Security Advisories, but I will consult with Aaron.

@jsonn jsonn pushed a commit to jsonn/pkgsrc that referenced this pull request Oct 11, 2014
taca Update rubygems package to 1.8.10.
=== 1.8.10 / 2011-08-25

RubyGems 1.8.10 contains a security fix that prevents malicious gems from
executing code when their specification is loaded.  See
rubygems/rubygems#165 for details.

* 5 bug fixes:

  * RubyGems escapes strings in ruby-format specs using #dump instead of #to_s
    and %q to prevent code injection.  Issue #165 by Postmodern
  * RubyGems attempts to activate the psych gem now to obtain bugfixes from
    psych.
  * Gem.dir has been restored to the front of Gem.path.  Fixes remaining
    problem with Issue #115
  * Fixed Syck DefaultKey infecting ruby-format specifications.
  * `gem uninstall a b` no longer stops if gem "a" is not installed.
9033f90
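
An added example, not RubyGems' code and not code from this thread: the changelog entry above says specs now escape strings with #dump instead of #to_s inside %q, and this sketch shows the difference by counting the statements Ruby parses from the generated line, without evaluating it. The helper names and the sample summary are constructed for illustration.

```ruby
require 'ripper'

# Pre-1.8.10 style per the changelog: #to_s interpolated into %q{...}.
# (Hypothetical helper names; not RubyGems' own methods.)
def unsafe_literal(value)
  "%q{#{value}}"
end

# 1.8.10 style: String#dump emits a double-quoted literal with quotes,
# backslashes, control characters and "#{" escaped.
def safe_literal(value)
  value.to_s.dump
end

# One line of a generated ruby-format spec.
def spec_line(literal)
  "s.summary = #{literal}"
end

# Number of top-level statements Ruby would parse from the source,
# or nil when it is not valid Ruby. Nothing is evaluated.
def statement_count(source)
  sexp = Ripper.sexp(source)
  return nil if sexp.nil?
  sexp[1].count { |node| node[0] != :void_stmt }
end

# Constructed sample: an unbalanced "}" closes %q{ early and the trailing
# "#" comments out the generator's own closing brace.
SAMPLE_SUMMARY = 'demo}; marker = 1 #'

if __FILE__ == $PROGRAM_NAME
  [unsafe_literal(SAMPLE_SUMMARY), safe_literal(SAMPLE_SUMMARY)].each do |lit|
    line = spec_line(lit)
    puts "#{line.ljust(40)} statements: #{statement_count(line).inspect}"
  end
end
```

A statement count above one for a single spec assignment means the metadata string escaped its literal; the same check can be run over generated `.gemspec` lines when auditing an installation that predates 1.8.10.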