Bug 163536 - dev-ruby/rubygems File Overwrite CVE-2007-0469
Bug#: 163536 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: keith@email.arizona.edu
Component: Vulnerabilities
URL:  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0469
Summary: dev-ruby/rubygems File Overwrite CVE-2007-0469
Keywords:  
Status Whiteboard: B4 [noglsa]
Opened: 2007-01-24 03:40 0000
Description:   Opened: 2007-01-24 03:40 0000 
The extract_files function in installer.rb in RubyGems before 0.9.1 does not
check whether files exist before overwriting them, which allows user-assisted
remote attackers to overwrite arbitrary files, cause a denial of service, or
execute arbitrary code via crafted GEM packages.

Reproducible: Didn't try




http://www.frsirt.com/english/advisories/2007/0295
http://rubyforge.org/frs/shownotes.php?release_id=9074

------- Comment #1 From Matthias Geerdsen 2007-01-24 19:04:19 0000 ------- 
ruby herd, please provide an updated ebuild (patches for 0.8.11 are available)

http://rubyforge.org/forum/forum.php?forum_id=11657

------- Comment #2 From Nguyen Thai Ngoc Duy (RETIRED) 2007-01-26 15:39:47 0000 ------- 
0.8.11-r6 is available. Arch teams please stablize it

------- Comment #3 From Markus Meier 2007-01-26 17:10:18 0000 ------- 
dev-ruby/rubygems-0.8.11-r6
1. emerges on x86, please note:
QA Notice: USE Flag 'examples' not in IUSE for dev-ruby/rubygems-0.8.11-r6
2. passes collision test
3. reverse-deps don't build here anymore (works with -r5):
>>> Install activesupport-1.3.1 into /var/tmp/portage/activesupport-1.3.1/image/ category dev-ruby
ERROR:  Error installing gem
/var/tmp/portage/activesupport-1.3.1/distdir/activesupport-1.3.1[.gem]: attempt
to install file into "CHANGELOG"
Attempting local installation of
'/var/tmp/portage/activesupport-1.3.1/distdir/activesupport-1.3.1'

!!! ERROR: dev-ruby/activesupport-1.3.1 failed.
Call stack:
  ebuild.sh, line 1546:   Called dyn_install
  ebuild.sh, line 1020:   Called src_install
  ebuild.sh, line 1255:   Called gems_src_install
  gems.eclass, line 77:   Called die

!!! gem install failed (spec file
/var/tmp/portage/activesupport-1.3.1/image///usr/lib/ruby/gems/1.8/specifications/activesupport-1.3.1.gemspec
missing)

second test:
>>> Install rubyzip-0.5.12 into /var/tmp/portage/rubyzip-0.5.12/image/ category dev-ruby
ERROR:  Error installing gem
/var/tmp/portage/rubyzip-0.5.12/distdir/rubyzip-0.5.12[.gem]: attempt to
install file into "README"
Attempting local installation of
'/var/tmp/portage/rubyzip-0.5.12/distdir/rubyzip-0.5.12'

!!! ERROR: dev-ruby/rubyzip-0.5.12 failed.
Call stack:
  ebuild.sh, line 1546:   Called dyn_install
  ebuild.sh, line 1020:   Called src_install
  ebuild.sh, line 1255:   Called gems_src_install
  gems.eclass, line 77:   Called die

!!! gem install failed (spec file
/var/tmp/portage/rubyzip-0.5.12/image///usr/lib/ruby/gems/1.8/specifications/rubyzip-0.5.12.gemspec
missing)


Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4,
2.6.19.2 i686)
=================================================================
System uname: 2.6.19.2 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.6
Last Sync: Fri, 26 Jan 2007 16:31:02 +0000
ccache version 2.4 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig collision-protect distlocks metadata-transfer
parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom
cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds
elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm
gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog
java jpeg kde kdeenablefinal kernel_linux ldap libg++ linguas_de linguas_de_CH
linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly
ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline
reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd
test tetex theora threads truetype truetype-fonts type1-fonts udev unicode
userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis
win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS,
PORTDIR_OVERLAY

------- Comment #4 From Nguyen Thai Ngoc Duy (RETIRED) 2007-01-27 05:56:53 0000 ------- 
Please don't stable it now. The original patch doesn't work with gentoo
installation style.

------- Comment #5 From Matthias Geerdsen 2007-01-27 10:42:44 0000 ------- 
back to ebuild status... removing arches for now...

------- Comment #6 From Nguyen Thai Ngoc Duy (RETIRED) 2007-01-27 15:39:40 0000 ------- 
Things should go better this time. Markus can you test it again? Make sure
there is "27 Jan" entry in ChangeLog

------- Comment #7 From Matthias Geerdsen 2007-01-27 19:01:11 0000 ------- 
next try...

arches, please test dev-ruby/rubygems-0.8.11-r6 and mark stable

note comment #6

------- Comment #8 From Samuli Suominen 2007-02-02 23:57:31 0000 ------- 
> arches, please test dev-ruby/rubygems-0.8.11-r6 and mark stable

forgot to CC arches?

------- Comment #9 From Raphael Marichez 2007-02-10 20:54:46 0000 ------- 
(In reply to comment #8)
> > arches, please test dev-ruby/rubygems-0.8.11-r6 and mark stable
> 
> forgot to CC arches?
> 

LOL yes :)

Sorry for the delay due to a security team DoS

------- Comment #10 From Christian Faulhammer 2007-02-11 10:35:40 0000 ------- 
x86 stable

------- Comment #11 From Tobias Scherbaum 2007-02-11 11:06:11 0000 ------- 
ppc stable

------- Comment #12 From Jason Wever (RETIRED) 2007-02-12 05:10:44 0000 ------- 
SPARC stable

------- Comment #13 From Marcus D. Hanwell 2007-02-13 01:58:19 0000 ------- 
Stable on amd64.

------- Comment #14 From Markus Rothe 2007-02-13 10:04:34 0000 ------- 
ppc64 stable

------- Comment #15 From Raphael Marichez 2007-02-13 10:31:57 0000 ------- 
Thanks arches,


i tend to vote No since it's a hard-to-perform arbitrary file overwrite, only
during the execution of installer.rb...

------- Comment #16 From Tavis Ormandy (RETIRED) 2007-02-13 11:15:22 0000 ------- 
I agree with Falco, also NO.

------- Comment #17 From Bryan Østergaard (RETIRED) 2007-02-14 16:08:21 0000 ------- 
IA64 done.

------- Comment #18 From Matthias Geerdsen 2007-02-22 20:37:51 0000 ------- 
tending to vote no too, closing