Bug 278566 - dev-ruby/rubygems: gem install overwrites arbitrary files in /usr/bin
Summary: dev-ruby/rubygems: gem install overwrites arbitrary files in /usr/bin
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://redmine.ruby-lang.org/issues/s...
Whiteboard: B3 [noglsa]
Reported: 2009-07-21 11:18 UTC by Alex Legler (RETIRED)
Modified: 2013-09-03 02:01 UTC (History)


Attachments
Reproducer, overwrites /usr/bin/less (testgem-0.0.1.gem,3.00 KB, application/octet-stream)
2009-07-21 11:20 UTC, Alex Legler (RETIRED)

Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-07-21 11:18:51 UTC
If a gem includes an executable, gem install will merge them into /usr/bin/ without checking if the executable already exists, leading to arbitrary file overwriting.

I'll attach a reproducer.

References:
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/24472
http://translate.google.com/translate?prev=hp&hl=en&js=y&u=http%3A%2F%2Fwota.jp%2Fac%2F%3Fdate%3D20090604%23p01&sl=ja&tl=en&history_state0=
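As an added illustration of the two defects raised in this report (this is not code from rubygems or Gentoo), a pre-install check in Ruby that lists the executables a gem would drop onto existing files in the bindir and flags staged files that are world-writable; the directory layout and the names `less` and `newtool` are constructed for the demo.

```ruby
require "fileutils"
require "tmpdir"

# Return the executables (by basename) that already exist in bindir.
# A non-empty result means a plain copy into bindir would overwrite
# files that belong to other packages, which is what this bug describes.
def bin_collisions(executables, bindir)
  executables.select { |exe| File.exist?(File.join(bindir, File.basename(exe))) }
end

# Return the paths among `paths` whose mode has the world-writable bit
# (0o002) set; such files would be installed writable by any user.
def world_writable(paths)
  paths.select { |p| File.exist?(p) && (File.stat(p).mode & 0o002) != 0 }
end

# Constructed scenario (not a real gem): a bindir that already holds
# 'less', and a gem staging area shipping 'newtool' with mode 0777.
def demo
  Dir.mktmpdir do |root|
    bindir = File.join(root, "bin")
    FileUtils.mkdir_p(bindir)
    less = File.join(bindir, "less")
    File.write(less, "#!/bin/sh\n")
    File.chmod(0o755, less)

    staged = File.join(root, "staged")
    FileUtils.mkdir_p(staged)
    newtool = File.join(staged, "newtool")
    File.write(newtool, "#!/bin/sh\n")
    File.chmod(0o777, newtool) # world-writable, as a careless gem might ship it

    {
      # the gem declares both executables; only 'less' collides
      collisions: bin_collisions(%w[less newtool], bindir),
      world_writable: world_writable([newtool, less]).map { |p| File.basename(p) },
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts "would overwrite: #{result[:collisions].join(', ')}"
  puts "world-writable:  #{result[:world_writable].join(', ')}"
end
```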
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-07-21 11:20:48 UTC
Created attachment 198688 [details]
Reproducer, overwrites /usr/bin/less

Reproduce with "sudo gem install testgem-0.0.1.gem"
Comment 2 Gordon Malm (RETIRED) gentoo-dev 2009-07-21 21:24:33 UTC
gem will also install executables and libraries world-writable if they are distributed that way in the prepared gem. :p
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-07-30 11:27:58 UTC
This is a reference loop, since my post was actually inspired once Alex told me of the issue ^^
Comment 5 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-05-23 09:26:58 UTC
Still not fixed. We'll likely do this in Gentoo by not installing gem binaries to /usr/bin
Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-08-03 16:14:02 UTC
1.3.7-r2 no longer installs in /usr/bin, feel free to consider closing this or releasing a GLSA.
Comment 7 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 02:01:58 UTC
Fixed for several years. Closing noglsa.