Skip to content
This repository

Fixed a code-injection in Gem::Specification#ruby_code. #165

wants to merge 1 commit into from

3 participants

Postmodern Dustin Webber Eric Hodel
Dustin Webber

@postmodern confirmed. Bump++


@zenspider, @raggi, @evanphx, @sandal Can I get some extra eyes on this vulnerability and patch?

Eric Hodel

I couldn't use this patch.

It contained no tests and obviously the tests weren't run when it was committed.

It introduced a possible SystemStackError.

It allowed the dumped Hash to contain non-String keys and values.

Eric Hodel drbrain closed this August 25, 2011

@drbrain Thanks for fixing this. Next time could you just --amend my patch?

Confirmed this patch fixes the vulnerability:

  s.summary = "A Proof of Concept (PoC) exploit for an trivial Security vulnerability in how RubyGems converts YAML-dumped gemspecs, back into Ruby code, when installing RubyGems}; require('base64');eval(Base64.decode64(\"YmVlcCA9IGxhbWJkYSB7IHxtfCBwdXRzICJcYSN7bX0iIH0Kc2F5X3B1dHMg\\nPSBsYW1iZGEgeyB8bXwgYmVlcFttXTsgc3lzdGVtKCdzYXknLG0pIH0Kc2F5\\nX3B1dHNbIkdlZW50bGVtZW4uIl0Kc2F5X3B1dHNbIkFsbCB2ZXJzaW9ucyBv\\nZiBSdWJ5LUdlbXMgYXJlIHZ1bG5lcmFibGUgdG8gcGVyc2lzdGVudCBjb2Rl\\nIGluamVjdGlvbiB2aWEgdGhlIGdlbSBzcGVjcyB0aGF0IGFyZSByZS1nZW5l\\ncmF0ZWQgd2hlbiB5b3UgaW5zdGFsbCBhIEdlbS4iXQoKYmVlcFsiKiBodHRw\\nczovL2dpdGh1Yi5jb20vcnVieWdlbXMvcnVieWdlbXMvcHVsbC8xNjUiXQo=\\n\")) #"

Will you be publishing a Security Advisory, so the Linux distributions can backport the patch or upgrade to 1.8.10?

Eric Hodel

For just one line it wasn't worth the effort of --amend. For a larger patch I certainly will.

I don't know anything about Security Advisories, but I will consult with Aaron.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Showing 1 unique commit by 1 author.

Aug 24, 2011
Postmodern Fixed a code-injection in Gem::Specification#ruby_code.
* Explaination and Proof of Concept (PoC) exploit against this
This page is out of date. Refresh to see the latest.

Showing 1 changed file with 2 additions and 2 deletions. Show diff stats Hide diff stats

  1. 4  lib/rubygems/specification.rb
4  lib/rubygems/specification.rb
@@ -1914,10 +1914,10 @@ def ri_dir
1914 1914
1915 1915
   def ruby_code(obj)
1916 1916
     case obj
-    when String            then '%q{' + obj + '}'
+    when String            then obj.inspect
1918 1918
     when Array             then '[' + { |x| ruby_code x }.join(", ") + ']'
1919 1919
     when Hash              then
-      seg = { |k| "%q{#{k}} => %q{#{obj[k]}}" }
+      seg = { |k| "#{ruby_code k} => #{ruby_code obj[k]}" }
1921 1921
       "{ #{seg.join(', ')} }"
1922 1922
     when Gem::Version      then obj.to_s.inspect
1923 1923
     when Date              then '%q{' + obj.strftime('%Y-%m-%d') + '}'

Tip: You can add notes to lines in a file. Hover to the left of a line to make a note

Something went wrong with that request. Please try again.