Date: Tue, 21 Jul 2009 22:04:08 +0200
From: Alex Legler <a3li@...too.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request -- RubyGems

Hi,

first a little note: I have talked to some people in the Ruby community
and the issue is quite disputed. There is no upstream reaction that I
know of. But since CVE-2007-0469 was assigned to a similar issue, I
think this issue is valid, too.

On Di, 2009-07-21 at 20:57 +0200, Jan Lieskovsky wrote:
> A remote attacker
> could provide a specially-crafted Gem (POSIX tar)
> archive, 

Please note that .gem files are not necessarily tarballs, there is at
least a proprietary base64-based format around and I've heard about
cpio.

> which once opened by an unsuspecting
> user, would overwrite relevant system file.

The user in this context has to be a privileged user. gem will use
~/.gem/bin if the system-wide gem binary directory is not writeable.

Alex
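The entry-name check a packager would want for the crafted-archive case discussed above, added here as an illustrative example that is not part of this thread and is not RubyGems' own code. It hand-builds a tiny POSIX ustar archive from constructed entries (one benign, one with a `..` traversal, one with an absolute path), reads the entry names back, and reports which ones would land outside the extraction root. The extraction root `/tmp/gem-extract` and all entry names are assumptions made for the example.

```ruby
require 'stringio'

# Build one 512-byte ustar header plus the NUL-padded body for a regular file.
# Hand-rolled for this example so the check below can be exercised offline.
def tar_entry(name, data)
  header = "".b
  header << name.ljust(100, "\0")             # name
  header << "0000644\0"                        # mode
  header << "0000000\0"                        # uid
  header << "0000000\0"                        # gid
  header << format("%011o\0", data.bytesize)   # size (octal)
  header << format("%011o\0", 0)               # mtime
  header << "        "                         # checksum placeholder
  header << "0"                                # typeflag: regular file
  header << "\0" * 100                         # linkname
  header << "ustar\0"                          # magic
  header << "00"                               # version
  header << "\0" * 32                          # uname
  header << "\0" * 32                          # gname
  header << "0000000\0"                        # devmajor
  header << "0000000\0"                        # devminor
  header << "\0" * 155                         # prefix
  header << "\0" * 12                          # pad to 512 bytes
  header[148, 8] = format("%06o\0 ", header.bytes.sum)  # fill in checksum
  body = data.b + ("\0" * ((512 - data.bytesize % 512) % 512))
  header + body
end

# Walk the archive and collect entry names (prefix + name per ustar).
# Checksums are not verified here; the point is the path check, not integrity.
def read_tar_names(bytes)
  io = StringIO.new(bytes)
  names = []
  while (header = io.read(512))
    break if header.bytesize < 512 || header.bytes.all?(&:zero?)  # end-of-archive
    name   = header[0, 100].delete("\0")
    prefix = header[345, 155].delete("\0")
    size   = header[124, 12].delete("\0").strip.to_i(8)
    names << (prefix.empty? ? name : "#{prefix}/#{name}")
    io.seek((size + 511) / 512 * 512, IO::SEEK_CUR)  # skip padded body
  end
  names
end

# True only if extracting `name` under `root` cannot write outside `root`.
# Normalises via File.expand_path so "a/../b" is accepted while "../x" is not.
# A leading "~" is rejected explicitly because expand_path would expand it to
# a home directory, which is exactly the escape we want to prevent.
def safe_entry_name?(name, root = "/tmp/gem-extract")
  return false if name.empty? || name.include?("\0")
  return false if name.start_with?("/") || name.start_with?("~")
  File.expand_path(name, root).start_with?(root + "/")
end

# Split an archive's entries into those that stay inside `root` and those that escape.
def vet_archive(bytes, root = "/tmp/gem-extract")
  read_tar_names(bytes).partition { |n| safe_entry_name?(n, root) }
end

# Constructed sample archive: one legitimate entry and two escape attempts.
SAMPLE_ARCHIVE = tar_entry("bin/hello", "#!/bin/sh\necho hi\n") +
                 tar_entry("../../../etc/profile", "# constructed traversal entry\n") +
                 tar_entry("/usr/local/bin/evil", "# constructed absolute-path entry\n") +
                 ("\0" * 1024)  # end-of-archive marker

if __FILE__ == $PROGRAM_NAME
  safe, unsafe = vet_archive(SAMPLE_ARCHIVE)
  puts "would extract: #{safe.inspect}"
  puts "rejected:      #{unsafe.inspect}"
end
```

Running the check before extraction, rather than relying on the extraction tool's own defaults, is what keeps a privileged `gem install` from being turned into an arbitrary file write; the same check applies to symlink targets and to whatever non-tar container format a .gem happens to use.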

