Skip to content


Fixed a code-injection in Gem::Specification#ruby_code. #165

wants to merge 1 commit into from

3 participants


@postmodern confirmed. Bump++


@zenspider, @raggi, @evanphx, @sandal Can I get some extra eyes on this vulnerability and patch?

RubyGems member

I couldn't use this patch.

It contained no tests and obviously the tests weren't run when it was committed.

It introduced a possible SystemStackError.

It allowed the dumped Hash to contain non-String keys and values.

@drbrain drbrain closed this

@drbrain Thanks for fixing this. Next time could you just --amend my patch?

Confirmed this patch fixes the vulnerability:

  s.summary = "A Proof of Concept (PoC) exploit for an trivial Security vulnerability in how RubyGems converts YAML-dumped gemspecs, back into Ruby code, when installing RubyGems}; require('base64');eval(Base64.decode64(\"YmVlcCA9IGxhbWJkYSB7IHxtfCBwdXRzICJcYSN7bX0iIH0Kc2F5X3B1dHMg\\nPSBsYW1iZGEgeyB8bXwgYmVlcFttXTsgc3lzdGVtKCdzYXknLG0pIH0Kc2F5\\nX3B1dHNbIkdlZW50bGVtZW4uIl0Kc2F5X3B1dHNbIkFsbCB2ZXJzaW9ucyBv\\nZiBSdWJ5LUdlbXMgYXJlIHZ1bG5lcmFibGUgdG8gcGVyc2lzdGVudCBjb2Rl\\nIGluamVjdGlvbiB2aWEgdGhlIGdlbSBzcGVjcyB0aGF0IGFyZSByZS1nZW5l\\ncmF0ZWQgd2hlbiB5b3UgaW5zdGFsbCBhIEdlbS4iXQoKYmVlcFsiKiBodHRw\\nczovL2dpdGh1Yi5jb20vcnVieWdlbXMvcnVieWdlbXMvcHVsbC8xNjUiXQo=\\n\")) #"

Will you be publishing a Security Advisory, so the Linux distributions can backport the patch or upgrade to 1.8.10?

RubyGems member

For just one line it wasn't worth the effort of --amend. For a larger patch I certainly will.

I don't know anything about Security Advisories, but I will consult with Aaron.

@jsonn jsonn pushed a commit to jsonn/pkgsrc that referenced this pull request
taca Update rubygems package to 1.8.10.
=== 1.8.10 / 2011-08-25

RubyGems 1.8.10 contains a security fix that prevents malicious gems from
executing code when their specification is loaded.  See
rubygems/rubygems#165 for details.

* 5 bug fixes:

  * RubyGems escapes strings in ruby-format specs using #dump instead of #to_s
    and %q to prevent code injection.  Issue #165 by Postmodern
  * RubyGems attempt to activate the psych gem now to obtain bugfixes from
  * Gem.dir has been restored to the front of Gem.path.  Fixes remaining
    problem with Issue #115
  * Fixed Syck DefaultKey infecting ruby-format specifications.
  * `gem uninstall a b` no longer stops if gem "a" is not installed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Aug 25, 2011
  1. @postmodern

    Fixed a code-injection in Gem::Specification#ruby_code.

    postmodern committed
    * Explaination and Proof of Concept (PoC) exploit against this
Showing with 2 additions and 2 deletions.
  1. +2 −2 lib/rubygems/specification.rb
4 lib/rubygems/specification.rb
@@ -1914,10 +1914,10 @@ def ri_dir
def ruby_code(obj)
case obj
- when String then '%q{' + obj + '}'
+ when String then obj.inspect
when Array then '[' + { |x| ruby_code x }.join(", ") + ']'
when Hash then
- seg = { |k| "%q{#{k}} => %q{#{obj[k]}}" }
+ seg = { |k| "#{ruby_code k} => #{ruby_code obj[k]}" }
"{ #{seg.join(', ')} }"
when Gem::Version then obj.to_s.inspect
when Date then '%q{' + obj.strftime('%Y-%m-%d') + '}'
Something went wrong with that request. Please try again.