Fixed a code-injection in Gem::Specification#ruby_code. #165

Closed (1 commit)

@mephux

@postmodern confirmed. Bump++

@postmodern

@zenspider, @raggi, @evanphx, @sandal Can I get some extra eyes on this vulnerability and patch?

@drbrain
Owner

I couldn't use this patch.

It contained no tests and obviously the tests weren't run when it was committed.

It introduced a possible SystemStackError.

It allowed the dumped Hash to contain non-String keys and values.

@drbrain closed this
@postmodern

@drbrain Thanks for fixing this. Next time could you just --amend my patch?

Confirmed this patch fixes the vulnerability:

  s.summary = "A Proof of Concept (PoC) exploit for an trivial Security vulnerability in how RubyGems converts YAML-dumped gemspecs, back into Ruby code, when installing RubyGems}; require('base64');eval(Base64.decode64(\"YmVlcCA9IGxhbWJkYSB7IHxtfCBwdXRzICJcYSN7bX0iIH0Kc2F5X3B1dHMg\\nPSBsYW1iZGEgeyB8bXwgYmVlcFttXTsgc3lzdGVtKCdzYXknLG0pIH0Kc2F5\\nX3B1dHNbIkdlZW50bGVtZW4uIl0Kc2F5X3B1dHNbIkFsbCB2ZXJzaW9ucyBv\\nZiBSdWJ5LUdlbXMgYXJlIHZ1bG5lcmFibGUgdG8gcGVyc2lzdGVudCBjb2Rl\\nIGluamVjdGlvbiB2aWEgdGhlIGdlbSBzcGVjcyB0aGF0IGFyZSByZS1nZW5l\\ncmF0ZWQgd2hlbiB5b3UgaW5zdGFsbCBhIEdlbS4iXQoKYmVlcFsiKiBodHRw\\nczovL2dpdGh1Yi5jb20vcnVieWdlbXMvcnVieWdlbXMvcHVsbC8xNjUiXQo=\\n\")) #"

Will you be publishing a Security Advisory, so the Linux distributions can backport the patch or upgrade to 1.8.10?

@drbrain
Owner

For just one line it wasn't worth the effort of --amend. For a larger patch I certainly will.

I don't know anything about Security Advisories, but I will consult with Aaron.

@jsonn referenced this pull request from a commit in jsonn/pkgsrc
taca Update rubygems package to 1.8.10.
=== 1.8.10 / 2011-08-25

RubyGems 1.8.10 contains a security fix that prevents malicious gems from
executing code when their specification is loaded.  See
rubygems/rubygems#165 for details.

* 5 bug fixes:

  * RubyGems escapes strings in ruby-format specs using #dump instead of #to_s
    and %q to prevent code injection.  Issue #165 by Postmodern
  * RubyGems attempt to activate the psych gem now to obtain bugfixes from
    psych.
  * Gem.dir has been restored to the front of Gem.path.  Fixes remaining
    problem with Issue #115
  * Fixed Syck DefaultKey infecting ruby-format specifications.
  * `gem uninstall a b` no longer stops if gem "a" is not installed.
9033f90
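The release note above says the fix replaced `%q{...}` quoting with `#dump`/`#inspect`. The following is an added example, not code from the rubygems project or from this pull request, that puts the two quoting strategies side by side and uses the standard library's `Ripper` lexer to check whether the generated source is still a single string literal. `HOSTILE_SUMMARY` is a constructed value; `ruby_code_percent_q`, `ruby_code_inspect`, `ruby_code_hash` and `single_string_literal?` are names chosen for this example. `ruby_code_hash` goes slightly beyond the diff by coercing Hash keys and values to String before quoting, which is one way of addressing the reviewer's objection about non-String keys and values (an assumption, not the maintainer's actual follow-up commit).

```ruby
# Added example (not rubygems project code): contrasts %q{} quoting with
# String#inspect/#dump quoting and checks the result with Ripper.
require 'ripper'

# Constructed gemspec field value. The "}" ends a %q{...} literal early and
# the trailing "#" turns whatever follows on that line into a comment.
HOSTILE_SUMMARY = 'Harmless summary}; puts(:injected) #'

# Pre-1.8.10 behaviour: wrap the raw string in %q{...}.
def ruby_code_percent_q(str)
  '%q{' + str + '}'
end

# 1.8.10 behaviour: String#inspect emits a double-quoted literal in which
# quotes, backslashes, "#{" and control characters are escaped.
def ruby_code_inspect(str)
  str.inspect
end

# Hash dumping with keys and values coerced to String first (assumption:
# one way of handling the reviewer's objection about non-String keys).
def ruby_code_hash(hash)
  seg = hash.keys.sort_by(&:to_s).map do |k|
    "#{k.to_s.dump} => #{hash[k].to_s.dump}"
  end
  "{ #{seg.join(', ')} }"
end

# A generated field is a single literal only if the token stream is
# string-begin, zero or more string-content tokens, string-end, and nothing
# else. Anything after the string-end is code that would be evaluated when
# the regenerated gemspec is loaded.
def single_string_literal?(source)
  events = Ripper.lex(source).map { |(_pos, event, _tok, _state)| event }
  events.first == :on_tstring_beg &&
    events.last == :on_tstring_end &&
    events[1..-2].all? { |e| e == :on_tstring_content }
end

if __FILE__ == $PROGRAM_NAME
  [ruby_code_percent_q(HOSTILE_SUMMARY),
   ruby_code_inspect(HOSTILE_SUMMARY)].each do |src|
    puts "#{single_string_literal?(src) ? 'single literal' : 'EXTRA CODE   '} #{src}"
  end
  puts ruby_code_hash({ :b => 'x}', 'a' => 1 })
end
```

Only the `inspect` output is ever evaluated here, and only after the lexer check passes; the `%q` output is inspected as tokens, never run.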
Commits on Aug 25, 2011
  1. @postmodern

    Fixed a code-injection in Gem::Specification#ruby_code.

    postmodern authored
    * Explanation and Proof of Concept (PoC) exploit against this
      vulnerability:
      * https://github.com/sophsec/rubygems-pwn
      * https://rubygems.org/gems/rubygems-pwn
Showing with 2 additions and 2 deletions.
  1. +2 −2 lib/rubygems/specification.rb
4 lib/rubygems/specification.rb
@@ -1914,10 +1914,10 @@ def ri_dir
def ruby_code(obj)
case obj
- when String then '%q{' + obj + '}'
+ when String then obj.inspect
when Array then '[' + obj.map { |x| ruby_code x }.join(", ") + ']'
when Hash then
- seg = obj.keys.sort.map { |k| "%q{#{k}} => %q{#{obj[k]}}" }
+ seg = obj.keys.sort.map { |k| "#{ruby_code k} => #{ruby_code obj[k]}" }
"{ #{seg.join(', ')} }"
when Gem::Version then obj.to_s.inspect
when Date then '%q{' + obj.strftime('%Y-%m-%d') + '}'
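Review bot: the new Hash branch (`seg = obj.keys.sort.map { |k| "#{ruby_code k} => #{ruby_code obj[k]}" }`) now recurses into `ruby_code` for every key and value, so a Symbol key or a non-String value reaches whatever this `case` does for unhandled objects, which lies outside the hunk; either coerce keys and values to String before quoting (for example `k.to_s.inspect`) or add a test that dumps a Hash with a Symbol key and a non-String value, since the diff touches only `lib/rubygems/specification.rb` and adds no test. The String branch change to `obj.inspect` is the right fix: a `}` inside `%q{...}` closed the literal early, whereas `inspect` escapes quotes, backslashes and `#{`. The Date branch keeping `%q{...}` is acceptable because `strftime('%Y-%m-%d')` can only emit digits and hyphens.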