If a gem includes an executable, gem install will merge them into /usr/bin/ without checking if the executable already exists, leading to arbitrary file overwriting. I'll attach a reproducer. References: http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/24472 http://translate.google.com/translate?prev=hp&hl=en&js=y&u=http%3A%2F%2Fwota.jp%2Fac%2F%3Fdate%3D20090604%23p01&sl=ja&tl=en&history_state0=
Created attachment 198688 [details]: reproducer, overwrites /usr/bin/less. Reproduce with "sudo gem install testgem-0.0.1.gem".
gem will also install executables and libraries world-writable if they are distributed that way in the prepared gem. :p
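The two defects described in the comments above (an executable name that already exists in the bindir being silently overwritten, and world-writable entries being installed as shipped) can both be caught before running gem install. The following is an added example, not code from the bug attachment or from RubyGems itself: a pre-install audit that takes a Gem::Specification and a bindir and reports colliding executable names, plus a mode audit over an extracted tree. The spec built here (testgem 0.0.1 with executables "less" and "testgem") is constructed to mirror the shape of the attached reproducer and is an assumption; the temporary directory stands in for /usr/bin.

```ruby
require "rubygems"
require "tmpdir"
require "fileutils"

# Check a gem's declared executables against what already lives in bindir.
# Any name returned here would be clobbered by an install that does not
# test for an existing file first (the behaviour reported in this bug).
def colliding_executables(spec, bindir)
  spec.executables.select { |exe| File.exist?(File.join(bindir, exe)) }
end

# Walk an extracted gem tree and list regular files whose mode grants write
# permission to "other" (mode & 0o002). These are the entries a gem packed
# with world-writable files would leave behind if installed as shipped.
def world_writable_files(root)
  Dir.glob(File.join(root, "**", "*"), File::FNM_DOTMATCH)
     .select { |path| File.file?(path) && (File.stat(path).mode & 0o002) != 0 }
     .sort
end

# Constructed stand-in for the attached reproducer gem: it declares an
# executable named "less" alongside its own binary. Not the real attachment.
def reproducer_spec
  Gem::Specification.new do |s|
    s.name        = "testgem"
    s.version     = "0.0.1"
    s.summary     = "collision demo (constructed example)"
    s.authors     = ["example"]
    s.executables = ["less", "testgem"]
  end
end

# Demo: a throwaway directory plays the role of /usr/bin with an existing
# "less" in it; the audit reports that name and nothing else.
def demo
  Dir.mktmpdir do |bindir|
    FileUtils.touch(File.join(bindir, "less"))
    colliding_executables(reproducer_spec, bindir)
  end
end

puts "would overwrite: #{demo.inspect}" if $PROGRAM_NAME == __FILE__
```

Running the audit with bindir set to the real target (for example Gem.bindir) before a privileged install gives the check that gem install itself lacked at the time of this report; a non-empty result from either function is reason to refuse the install rather than proceed.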
3 more links (all to or from Flameeyes): http://blog.flameeyes.eu/2009/07/21/again-i-don-t-like-rubygems-and-here-s-why http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0469 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480250
This is a references loop since my post was actually inspired once Alex told me of the issue ^^
Still not fixed. We'll likely do this in Gentoo by not installing gem binaries to /usr/bin
1.3.7-r2 no longer installs in /usr/bin, feel free to consider closing this or releasing a GLSA.
Fixed for several years. Closing noglsa.