Fixed a code-injection in Gem::Specification#ruby_code. #165

Closed
wants to merge 1 commit into from

3 participants

Postmodern Dustin Webber Eric Hodel
Postmodern
Dustin Webber

@postmodern confirmed. Bump++

Postmodern

@zenspider, @raggi, @evanphx, @sandal Can I get some extra eyes on this vulnerability and patch?

Eric Hodel
Owner

I couldn't use this patch.

It contained no tests and obviously the tests weren't run when it was committed.

It introduced a possible SystemStackError.

It allowed the dumped Hash to contain non-String keys and values.

Eric Hodel drbrain closed this August 25, 2011
Postmodern

@drbrain Thanks for fixing this. Next time could you just --amend my patch?

Confirmed this patch fixes the vulnerability:

  s.summary = "A Proof of Concept (PoC) exploit for an trivial Security vulnerability in how RubyGems converts YAML-dumped gemspecs, back into Ruby code, when installing RubyGems}; require('base64');eval(Base64.decode64(\"YmVlcCA9IGxhbWJkYSB7IHxtfCBwdXRzICJcYSN7bX0iIH0Kc2F5X3B1dHMg\\nPSBsYW1iZGEgeyB8bXwgYmVlcFttXTsgc3lzdGVtKCdzYXknLG0pIH0Kc2F5\\nX3B1dHNbIkdlZW50bGVtZW4uIl0Kc2F5X3B1dHNbIkFsbCB2ZXJzaW9ucyBv\\nZiBSdWJ5LUdlbXMgYXJlIHZ1bG5lcmFibGUgdG8gcGVyc2lzdGVudCBjb2Rl\\nIGluamVjdGlvbiB2aWEgdGhlIGdlbSBzcGVjcyB0aGF0IGFyZSByZS1nZW5l\\ncmF0ZWQgd2hlbiB5b3UgaW5zdGFsbCBhIEdlbS4iXQoKYmVlcFsiKiBodHRw\\nczovL2dpdGh1Yi5jb20vcnVieWdlbXMvcnVieWdlbXMvcHVsbC8xNjUiXQo=\\n\")) #"

Will you be publishing a Security Advisory, so the Linux distributions can backport the patch or upgrade to 1.8.10?
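Added example (not code from RubyGems, this PR, or the rubygems-pwn PoC): it reimplements the String and Hash arms of Gem::Specification#ruby_code as they appear on both sides of the one-line diff, feeds each a constructed summary containing an unbalanced "}", and loads the generated gemspec line with eval the way RubyGems does. With the pre-fix `%q{...}` wrapping, the "}" terminates the literal early and the rest of the value executes as Ruby; with `String#inspect` the same value survives as an inert string. The field name, the `$injected` marker and the `SpecStub` struct are assumptions made for the demonstration.

```ruby
# Added example, not RubyGems code: Gem::Specification#ruby_code before and
# after the fix, plus a check that a gemspec field containing an unbalanced "}"
# can only execute code through the old version.

# Pre-fix serializer (the "-" lines of the diff): wraps the raw string in
# %q{...}, so any unbalanced "}" in the value closes the literal early.
def ruby_code_vulnerable(obj)
  case obj
  when String then '%q{' + obj + '}'
  when Array  then '[' + obj.map { |x| ruby_code_vulnerable(x) }.join(', ') + ']'
  when Hash
    seg = obj.keys.sort.map { |k| "%q{#{k}} => %q{#{obj[k]}}" }
    "{ #{seg.join(', ')} }"
  else obj.inspect
  end
end

# Post-fix serializer (the "+" lines): String#inspect emits a double-quoted
# literal with quotes, backslashes and "#{" escaped, and Hash keys and values
# go through the same serializer instead of being interpolated raw.
def ruby_code_fixed(obj)
  case obj
  when String then obj.inspect
  when Array  then '[' + obj.map { |x| ruby_code_fixed(x) }.join(', ') + ']'
  when Hash
    seg = obj.keys.sort.map { |k| "#{ruby_code_fixed(k)} => #{ruby_code_fixed(obj[k])}" }
    "{ #{seg.join(', ')} }"
  else obj.inspect
  end
end

# Constructed attacker-controlled summary (assumption): the first "}" closes
# the %q literal, the code after it runs when the regenerated gemspec is
# loaded, and the trailing "%q{" re-opens a literal so the line still parses.
MALICIOUS_SUMMARY = 'Useful library}; $injected = :pwned; _ = %q{'

# Build the assignment line the installer writes into the regenerated gemspec.
def spec_line(serializer, field, value)
  "s.#{field} = #{send(serializer, value)}"
end

# Minimal stand-in for the spec object the generated code assigns into.
SpecStub = Struct.new(:summary)

# Load one generated line the way RubyGems loads a gemspec (eval) and report
# whether the injected marker was set and what the field ended up holding.
def load_spec_line(line)
  $injected = nil
  s = SpecStub.new
  eval(line)
  { injected: $injected, summary: s.summary }
end

if __FILE__ == $PROGRAM_NAME
  %i[ruby_code_vulnerable ruby_code_fixed].each do |ser|
    line = spec_line(ser, :summary, MALICIOUS_SUMMARY)
    puts "#{ser}: #{line}"
    puts "  -> #{load_spec_line(line).inspect}"
  end
end
```

Running it prints the two generated lines side by side: the vulnerable one reads `s.summary = %q{Useful library}; $injected = :pwned; _ = %q{}` and sets the marker, while the fixed one keeps the whole value inside one double-quoted literal and leaves the marker nil.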

Eric Hodel
Owner

For just one line it wasn't worth the effort of --amend. For a larger patch I certainly will.

I don't know anything about Security Advisories, but I will consult with Aaron.


Showing 1 unique commit by 1 author.

Aug 24, 2011
Postmodern Fixed a code-injection in Gem::Specification#ruby_code.
* Explanation and Proof of Concept (PoC) exploit against this
  vulnerability:
  * https://github.com/sophsec/rubygems-pwn
  * https://rubygems.org/gems/rubygems-pwn
6ff4e0e

Showing 1 changed file with 2 additions and 2 deletions.

lib/rubygems/specification.rb
@@ -1914,10 +1914,10 @@ def ri_dir
1914 1914
 
1915 1915
   def ruby_code(obj)
1916 1916
     case obj
1917  
-    when String            then '%q{' + obj + '}'
  1917
+    when String            then obj.inspect
1918 1918
     when Array             then '[' + obj.map { |x| ruby_code x }.join(", ") + ']'
1919 1919
     when Hash              then
1920  
-      seg = obj.keys.sort.map { |k| "%q{#{k}} => %q{#{obj[k]}}" }
  1920
+      seg = obj.keys.sort.map { |k| "#{ruby_code k} => #{ruby_code obj[k]}" }
1921 1921
       "{ #{seg.join(', ')} }"
1922 1922
     when Gem::Version      then obj.to_s.inspect
1923 1923
     when Date              then '%q{' + obj.strftime('%Y-%m-%d') + '}'