Fixed a code-injection in Gem::Specification#ruby_code. #165

wants to merge 1 commit into


None yet

3 participants

mephux commented Aug 25, 2011

@postmodern confirmed. Bump++


@zenspider, @raggi, @evanphx, @sandal Can I get some extra eyes on this vulnerability and patch?

drbrain commented Aug 26, 2011

I couldn't use this patch.

It contained no tests and obviously the tests weren't run when it was committed.

It introduced a possible SystemStackError.

It allowed the dumped Hash to contain non-String keys and values.

@drbrain drbrain closed this Aug 26, 2011

@drbrain Thanks for fixing this. Next time could you just --amend my patch?

Confirmed this patch fixes the vulnerability:

  s.summary = "A Proof of Concept (PoC) exploit for an trivial Security vulnerability in how RubyGems converts YAML-dumped gemspecs, back into Ruby code, when installing RubyGems}; require('base64');eval(Base64.decode64(\"YmVlcCA9IGxhbWJkYSB7IHxtfCBwdXRzICJcYSN7bX0iIH0Kc2F5X3B1dHMg\\nPSBsYW1iZGEgeyB8bXwgYmVlcFttXTsgc3lzdGVtKCdzYXknLG0pIH0Kc2F5\\nX3B1dHNbIkdlZW50bGVtZW4uIl0Kc2F5X3B1dHNbIkFsbCB2ZXJzaW9ucyBv\\nZiBSdWJ5LUdlbXMgYXJlIHZ1bG5lcmFibGUgdG8gcGVyc2lzdGVudCBjb2Rl\\nIGluamVjdGlvbiB2aWEgdGhlIGdlbSBzcGVjcyB0aGF0IGFyZSByZS1nZW5l\\ncmF0ZWQgd2hlbiB5b3UgaW5zdGFsbCBhIEdlbS4iXQoKYmVlcFsiKiBodHRw\\nczovL2dpdGh1Yi5jb20vcnVieWdlbXMvcnVieWdlbXMvcHVsbC8xNjUiXQo=\\n\")) #"

Will you be publishing a Security Advisory, so the Linux distributions can backport the patch or upgrade to 1.8.10?

drbrain commented Aug 26, 2011

For just one line it wasn't worth the effort of --amend. For a larger patch I certainly will.

I don't know anything about Security Advisories, but I will consult with Aaron.

@jsonn jsonn pushed a commit to jsonn/pkgsrc that referenced this pull request Oct 11, 2014
taca Update rubygems package to 1.8.10.
=== 1.8.10 / 2011-08-25

RubyGems 1.8.10 contains a security fix that prevents malicious gems from
executing code when their specification is loaded.  See
rubygems/rubygems#165 for details.

* 5 bug fixes:

  * RubyGems escapes strings in ruby-format specs using #dump instead of #to_s
    and %q to prevent code injection.  Issue #165 by Postmodern
  * RubyGems attempt to activate the psych gem now to obtain bugfixes from
  * Gem.dir has been restored to the front of Gem.path.  Fixes remaining
    problem with Issue #115
  * Fixed Syck DefaultKey infecting ruby-format specifications.
  * `gem uninstall a b` no longer stops if gem "a" is not installed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment