If a gem includes an executable, gem install will merge it into /usr/bin/ without checking whether the executable already exists, leading to arbitrary file overwriting.
I'll attach a reproducer.
Created attachment 198688
Reproducer, overwrites /usr/bin/less
Reproduce with "sudo gem install testgem-0.0.1.gem"
gem will also install executables and libraries world-writable if they are distributed that way in the prepared gem. :p
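A pre-install check for the two problems described in this report, the bindir collision and the world-writable files, written as an added example (not RubyGems code and not the attached reproducer). The gem specification, bindir and staged file tree are constructed inside the demo; `colliding_executables` and `world_writable_files` are hypothetical helper names.

```ruby
require 'rubygems'
require 'tmpdir'
require 'fileutils'

# Given a gem specification and the bindir that `gem install` would write
# wrapper scripts into, list executables that would overwrite an existing file.
def colliding_executables(spec, bindir)
  spec.executables.select { |exe| File.exist?(File.join(bindir, exe)) }
end

# List files under a staged (unpacked) gem tree whose mode grants write to
# "other" (o+w), i.e. files that would be installed world-writable as shipped.
def world_writable_files(root)
  Dir.glob(File.join(root, '**', '*'))
     .select { |p| File.file?(p) && (File.stat(p).mode & 0o002) != 0 }
     .map { |p| p.sub(%r{\A#{Regexp.escape(root)}/?}, '') }
     .sort
end

# Demo on constructed data: a fake bindir already holding "less", a spec that
# ships "less" and "newtool", and a staged tree with one world-writable file.
def demo
  Dir.mktmpdir do |tmp|
    bindir = File.join(tmp, 'bin')
    FileUtils.mkdir_p(bindir)
    FileUtils.touch(File.join(bindir, 'less'))   # stands in for the system binary

    spec = Gem::Specification.new do |s|
      s.name = 'testgem'
      s.version = '0.0.1'
      s.executables = %w[less newtool]
    end

    staged = File.join(tmp, 'staged')
    FileUtils.mkdir_p(File.join(staged, 'lib'))
    File.write(File.join(staged, 'lib', 'ok.rb'), '')
    File.write(File.join(staged, 'lib', 'bad.rb'), '')
    File.chmod(0o666, File.join(staged, 'lib', 'bad.rb'))  # shipped o+w

    [colliding_executables(spec, bindir), world_writable_files(staged)]
  end
end

collisions, writable = demo
puts "would overwrite in bindir: #{collisions.inspect}"
puts "world-writable in gem:     #{writable.inspect}"
```

Both lists being empty is the condition a packager would want before letting an install proceed into a shared bindir.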
This is a references loop since my post was actually inspired once Alex told me of the issue ^^
Still not fixed. We'll likely do this in Gentoo by not installing gem binaries to /usr/bin
1.3.7-r2 no longer installs in /usr/bin, feel free to consider closing this or releasing a GLSA.
Fixed for several years. Closing noglsa.