The extract_files function in installer.rb in RubyGems before 0.9.1 does not check whether files exist before overwriting them, which allows user-assisted remote attackers to overwrite arbitrary files, cause a denial of service, or execute arbitrary code via crafted GEM packages. Reproducible: Didn't try http://www.frsirt.com/english/advisories/2007/0295 http://rubyforge.org/frs/shownotes.php?release_id=9074
ruby herd, please provide an updated ebuild (patches for 0.8.11 are available) http://rubyforge.org/forum/forum.php?forum_id=11657
0.8.11-r6 is available. Arch teams please stablize it
dev-ruby/rubygems-0.8.11-r6 1. emerges on x86, please note: QA Notice: USE Flag 'examples' not in IUSE for dev-ruby/rubygems-0.8.11-r6 2. passes collision test 3. reverse-deps don't build here anymore (works with -r5): >>> Install activesupport-1.3.1 into /var/tmp/portage/activesupport-1.3.1/image/ category dev-ruby ERROR: Error installing gem /var/tmp/portage/activesupport-1.3.1/distdir/activesupport-1.3.1[.gem]: attempt to install file into "CHANGELOG" Attempting local installation of '/var/tmp/portage/activesupport-1.3.1/distdir/activesupport-1.3.1' !!! ERROR: dev-ruby/activesupport-1.3.1 failed. Call stack: ebuild.sh, line 1546: Called dyn_install ebuild.sh, line 1020: Called src_install ebuild.sh, line 1255: Called gems_src_install gems.eclass, line 77: Called die !!! gem install failed (spec file /var/tmp/portage/activesupport-1.3.1/image///usr/lib/ruby/gems/1.8/specifications/activesupport-1.3.1.gemspec missing) second test: >>> Install rubyzip-0.5.12 into /var/tmp/portage/rubyzip-0.5.12/image/ category dev-ruby ERROR: Error installing gem /var/tmp/portage/rubyzip-0.5.12/distdir/rubyzip-0.5.12[.gem]: attempt to install file into "README" Attempting local installation of '/var/tmp/portage/rubyzip-0.5.12/distdir/rubyzip-0.5.12' !!! ERROR: dev-ruby/rubyzip-0.5.12 failed. Call stack: ebuild.sh, line 1546: Called dyn_install ebuild.sh, line 1020: Called src_install ebuild.sh, line 1255: Called gems_src_install gems.eclass, line 77: Called die !!! gem install failed (spec file /var/tmp/portage/rubyzip-0.5.12/image///usr/lib/ruby/gems/1.8/specifications/rubyzip-0.5.12.gemspec missing) Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.19.2 i686) ================================================================= System uname: 2.6.19.2 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz Gentoo Base System version 1.12.6 Last Sync: Fri, 26 Jan 2007 16:31:02 +0000 ccache version 2.4 [disabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.3.7, 2.0.31 dev-lang/python: 2.3.5-r3, 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.4-r6 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.61 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.14 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c" CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" EMERGE_DEFAULT_OPTS="--nospinner" FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox" GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/" LINGUAS="en de en_GB de_CH" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kdeenablefinal kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib" Unset: CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Please don't stable it now. The original patch doesn't work with gentoo installation style.
back to ebuild status... removing arches for now...
Things should go better this time. Markus can you test it again? Make sure there is "27 Jan" entry in ChangeLog
next try... arches, please test dev-ruby/rubygems-0.8.11-r6 and mark stable note comment #6
> arches, please test dev-ruby/rubygems-0.8.11-r6 and mark stable forgot to CC arches?
(In reply to comment #8) > > arches, please test dev-ruby/rubygems-0.8.11-r6 and mark stable > > forgot to CC arches? > LOL yes :) Sorry for the delay due to a security team DoS
x86 stable
ppc stable
SPARC stable
Stable on amd64.
ppc64 stable
Thanks arches, i tend to vote No since it's a hard-to-perform arbitrary file overwrite, only during the execution of installer.rb...
I agree with Falco, also NO.
IA64 done.
tending to vote no too, closing
