RubyGems 0.9.0 and earlier installation exploit



Background:

RubyGems is the typical packaging tool for ruby packages.

RubyGems home page:

http://rubygems.org/

Ruby home page:

http://ruby-lang.org

Problem Description:

RubyGems does not check installation paths for gems before writing files.

Impact:

Since RubyGems packages are typically installed using root permissions, arbitrary files may be overwritten on-disk. This may lead to denial of service, privilege escalation or remote compromise.

Workaround:

No known workarounds

Solution:

a) Upgrade to RubyGems 0.9.1

b) Apply one of the following patches

For RubyGems 0.9.0:


Attachment: installer.rb.extract_files.REL_0_9_0.patch
Description: Binary data


For RubyGems 0.8.11:


Attachment: installer.rb.extract_files.REL_0_8_11.patch
Description: Binary data


MD5 (installer.rb.extract_files.REL_0_8_11.patch) = 31e3bacd1821de0272864c153b7c0dca
MD5 (installer.rb.extract_files.REL_0_9_0.patch) = bed4fcdd438a7d8b81cf72e1ffe48a7d

Patches may also be downloaded here:

http://rubyforge.org/frs/shownotes.php?group_id=126&release_id=9074

Note:

Remote installations via Rubyforge will be disabled in the near future for versions of RubyGems earlier than 0.9.1, even for patched versions of RubyGems. Local installations will continue to work, however.

Thanks to Gavin Sinclair for finding and reporting this problem.

Testing your updated RubyGems:

Installing rspec-0.7.5 will give an InstallError on a patched version of RubyGems:

$ gem install rspec --version 0.7.5
ERROR: While executing gem ... (Gem::InstallError)
attempt to install file into "../web_spec/ web_test_html_formatter.rb"

An updated rspec (0.7.5.1) has already been released.

--
Eric Hodel - drbrain@xxxxxxxxxxxx - http://blog.segment7.net

I LIT YOUR GEM ON FIRE!



Relevant Pages

  • [Full-disclosure] RubyGems 0.9.0 and earlier installation exploit
    ... RubyGems is the typical packaging tool for ruby packages. ... Since RubyGems packages are typically installed using root permissions, arbitrary files may be overwritten on-disk. ... Remote installations via Rubyforge will be disabled in the near future for versions of RubyGems earlier than 0.9.1, even for patched versions of RubyGems. ... ERROR: While executing gem ... ...
    (Full-Disclosure)
  • Re: on ubuntu, ruby cant find the gems
    ... Phlip wrote: ... "require 'rubygems'" works; rubygems of course was not installed by gem, ... The stuff my ruby can't find are the packages that were installed by ...
    (comp.lang.ruby)
  • [ANN] rubygems 1.7.1
    ... RubyGems is a package management framework for Ruby. ... See Gem for information on RubyGems ... You're sure you've found a bug! ... 16 Deprecations ...
    (comp.lang.ruby)
  • [ANN] RubyGems 1.7.0
    ... RubyGems is a package management framework for Ruby. ... See Gem for information on RubyGems ... You're sure you've found a bug! ... 16 Deprecations ...
    (comp.lang.ruby)
  • [ANN] RubyGems 1.1.0
    ... RubyGems now uses persistent connections on index updates. ... `gem spec` now extracts specifications from .gem files. ... Executable stubs now use ruby install name in shebang. ...
    (comp.lang.ruby)