| Field | Value |
|---|---|
| Summary | dev-ruby/rubygems: gem install overwrites arbitrary files in /usr/bin |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Alex Legler (RETIRED) <a3li> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| Priority | High |
| CC | kfm, m.debruijne, ruby |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://redmine.ruby-lang.org/issues/show/1800 |
| Whiteboard | B3 [noglsa] |
| Package list | |
| Runtime testing required | --- |
| Attachments | 198688: Reproducer, overwrites /usr/bin/less |
Description
Alex Legler (RETIRED)

Created attachment 198688 [details]
Reproducer, overwrites /usr/bin/less

Reproduce with "sudo gem install testgem-0.0.1.gem"

gem will also install executables and libraries world-writable if they are distributed that way in the prepared gem. :p

3 more links (all to or from Flameeyes):
http://blog.flameeyes.eu/2009/07/21/again-i-don-t-like-rubygems-and-here-s-why
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0469
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480250

This is a references loop since my post was actually inspired once Alex told me of the issue ^^

Still not fixed. We'll likely do this in Gentoo by not installing gem binaries to /usr/bin

1.3.7-r2 no longer installs in /usr/bin, feel free to consider closing this or releasing a GLSA.

Fixed for several years. Closing noglsa.
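The two hazards the report describes (a gem's `bin/` entries landing on top of files already in the system bindir, and file modes from the gem's tarball being installed verbatim, including world-writable ones) can both be caught by inspecting the gem's `data.tar` before `gem install` runs. The following is an added example written for this page; it is not Gentoo's or rubygems' own code. It builds a small data.tar in memory with a world-writable `bin/less` (constructed to mirror the attached reproducer) and then audits it against an injected list of basenames standing in for the contents of `/usr/bin`, so it runs offline; the function names `build_sample_data_tar` and `audit_data_tar` are this example's own.

```ruby
require "rubygems/package"
require "stringio"

# Construct an in-memory data.tar shaped like the payload of a malicious gem:
# a bin/less that would shadow the system pager, shipped world-writable, plus
# a world-writable library file. Sample data for this example only.
def build_sample_data_tar
  io = StringIO.new
  Gem::Package::TarWriter.new(io) do |tar|
    tar.add_file("bin/less", 0o777)       { |f| f.write("#!/bin/sh\necho owned\n") }
    tar.add_file("bin/testgem", 0o755)    { |f| f.write("#!/usr/bin/env ruby\n") }
    tar.add_file("lib/testgem.rb", 0o666) { |f| f.write("module Testgem; end\n") }
  end
  io.string
end

# Audit a gem's data.tar without installing it.
#   bindir   - where `gem install` would drop the gem's executables
#   existing - basenames already present in bindir (injected here so the
#              check is deterministic; a live run would pass
#              Dir.children(bindir) instead)
# Returns an array of human-readable findings; empty means nothing flagged.
def audit_data_tar(tar_bytes, bindir:, existing:)
  findings = []
  Gem::Package::TarReader.new(StringIO.new(tar_bytes)) do |tar|
    tar.each do |entry|
      next unless entry.file?
      name = entry.full_name
      mode = entry.header.mode & 0o7777

      # Hazard 1: an executable that collides with something already in bindir.
      if name.start_with?("bin/")
        base = File.basename(name)
        if existing.include?(base)
          findings << "#{name} would overwrite #{File.join(bindir, base)}"
        end
      end

      # Hazard 2: a mode that grants write access to everyone. gem install
      # preserves the mode from the tarball, so this survives installation.
      if mode & 0o002 != 0
        findings << format("%s is world-writable (mode %o)", name, mode)
      end
    end
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  tar = build_sample_data_tar
  audit_data_tar(tar, bindir: "/usr/bin", existing: %w[less ls cat]).each do |f|
    puts "FLAGGED: #{f}"
  end
end
```

Gentoo's eventual fix was to stop installing gem executables into `/usr/bin` at all; the same effect can be had for a single install with `gem install --bindir DIR`, which keeps gem-provided executables out of the directory where a collision would clobber a system binary. The mode check is independent of that: relocating the bindir does nothing about a world-writable file under the gem's `lib/`.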