
Is slimgems vulnerable to the issue that rubygems-pwn exploits? #10

Closed
practicingruby opened this issue Sep 7, 2011 · 4 comments

Comments

@practicingruby

Not sure if the issue listed below affects slimgems, but if it does, please fix and cut a security release:

http://www.rubyflow.com/items/6419-rubygems-pwn-a-vulnerability-in-rubygems-currently-being-fixe

@lsegal
Contributor

lsegal commented Sep 7, 2011

Thanks. We'll have to check. If it is, we will certainly fix.

I just want to point out, however, that "remote execution" is very easy to achieve even without a vulnerability, so the actual practicality of such an exploit isn't inordinately higher than the regular way of performing arbitrary commands, which is extremely possible and easy to do in a gem install. Basically, this is no different than having someone gem install a gem with native extensions, since that already executes/evaluates an extconf.rb or Makefile, both of which can easily allow arbitrary execution. So while we certainly want to limit where people can execute code, this vulnerability doesn't actually expose a new attack vector.

Again, that's not to say we aren't prioritizing a fix. Just trying to clarify the issue and minimize any undue panic.

@practicingruby
Author

Yeah, while I didn't dig into the details, that's roughly what I thought on a first read. That said, it's likely that some folks either have policies about not using gems with extensions, or scrutinize them more carefully on audit, and may not be expecting the issue to show up from this angle.

The main reason I mention it is because the person who reported the vulnerability claimed it affects all RubyGems versions, and a fix has already been applied and released for RubyGems itself. I think the fix was simple, so it should be easy to apply.
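The two points made above, that an extconf.rb is ordinary Ruby which the installer executes (RubyGems runs `ruby extconf.rb` and then `make` for every declared extension before anything is ever required), and that an audit policy can flag such gems before installing them, shown as an added example. This is not code from slimgems, RubyGems, or either commenter: the gem name `evil-demo`, its files, and the helper names `build_demo_gem`, `audit_install_time_code` and `extension_sources` are all constructed here. The script builds a throwaway gem that declares a native extension, then inspects the resulting `.gem` file without installing it.

```ruby
# Added example, not part of the slimgems project or this thread.
require 'rubygems'
require 'rubygems/package'
require 'tmpdir'
require 'fileutils'

# A constructed extconf.rb. The installer runs this file with `ruby extconf.rb`
# under the installing user's privileges, so anything placed here executes at
# install time. This one only drops a marker file before generating a Makefile.
EXTCONF = <<~'RUBY'
  require 'mkmf'
  File.write(File.join(Dir.pwd, 'installer-ran-me.txt'), 'hello from extconf')
  create_makefile('evil')
RUBY

# Build the constructed gem inside `dir` and return the absolute path of the .gem.
def build_demo_gem(dir)
  Dir.chdir(dir) do
    FileUtils.mkdir_p('lib')
    FileUtils.mkdir_p('ext/evil')
    File.write('lib/evil.rb', "module Evil; end\n")
    File.write('ext/evil/extconf.rb', EXTCONF)
    spec = Gem::Specification.new do |s|
      s.name       = 'evil-demo'
      s.version    = '0.0.1'
      s.summary    = 'constructed gem for an install-time code audit'
      s.authors    = ['example']
      s.files      = ['lib/evil.rb', 'ext/evil/extconf.rb']
      s.extensions = ['ext/evil/extconf.rb']   # this is what triggers the build step
    end
    # skip_validation = true: we only need a well-formed package, not a publishable one
    File.expand_path(Gem::Package.build(spec, true))
  end
end

# Build-script names RubyGems knows how to drive; each one means code runs on install.
INSTALL_TIME_SCRIPTS = %w[extconf.rb mkrf_conf.rb Rakefile CMakeLists.txt].freeze

# Pre-install policy check: read the package metadata and file list, never install.
def audit_install_time_code(gem_path)
  pkg  = Gem::Package.new(gem_path)
  spec = pkg.spec                      # parsed from metadata.gz inside the archive
  declared = spec.extensions
  # Also catch build scripts shipped in the archive even when `extensions` is empty.
  build_scripts = pkg.contents.select { |f| INSTALL_TIME_SCRIPTS.include?(File.basename(f)) }
  {
    name: spec.full_name,
    extensions: declared,
    build_scripts: build_scripts,
    runs_code_on_install: !(declared.empty? && build_scripts.empty?)
  }
end

# Pull the declared extension scripts out of the archive so an auditor can read
# exactly what the installer would execute.
def extension_sources(gem_path)
  pkg = Gem::Package.new(gem_path)
  Dir.mktmpdir do |d|
    pkg.extract_files(d)
    pkg.spec.extensions.map { |ext| [ext, File.read(File.join(d, ext))] }.to_h
  end
end

if __FILE__ == $0
  Dir.mktmpdir do |d|
    gem_path = build_demo_gem(d)
    puts audit_install_time_code(gem_path).inspect
    extension_sources(gem_path).each { |path, src| puts "--- #{path}\n#{src}" }
  end
end
```

The audit reads only `metadata.gz` and the file list of `data.tar.gz`; it deliberately never calls `Gem::Installer`, because installing is the step that runs extconf.rb. A policy that forbids or escalates review for gems with extensions can key off `runs_code_on_install`, and `extension_sources` gives the reviewer the actual script to read rather than just a flag.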

@lsegal
Contributor

lsegal commented Sep 7, 2011

Yep. Again, I'll apply the patch ASAP. The comment was directed at any onlookers worried about their security. Thanks for the heads up, Greg!

@practicingruby
Author

Thanks for the quick response. I'll try to report other things if I notice them, though I'm only really lightly involved in RubyGems at the moment.

@lsegal lsegal closed this as completed in eed66a9 Sep 7, 2011