Date: Tue, 21 Jul 2009 22:04:08 +0200
From: Alex Legler <a3li@...too.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request -- RubyGems

Hi,

first a little note: I have talked to some people in the Ruby community and the issue is quite disputed. There is no upstream reaction that I know of. But since CVE-2007-0469 was assigned to a similar issue, I think this issue is valid, too.

On Di, 2009-07-21 at 20:57 +0200, Jan Lieskovsky wrote:
> A remote attacker could provide a specially-crafted Gem (POSIX tar) archive,

Please note that .gem files are not necessarily tarballs, there is at least a proprietary base64-based format around and I've heard about cpio.

> which once opened by an unsuspecting user, would overwrite relevant system file.

The user in this context has to be a privileged user. gem will use ~/.gem/bin if the system-wide gem binary directory is not writeable.

Alex
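As an added illustration of the check an installer needs against the archive-entry problem discussed in this thread (my example, not code from Alex's message or from RubyGems itself), the following Ruby refuses entry names, and symlink targets, that would resolve outside the install directory; the sample entry list and the /tmp/gem-install path are constructed.

```ruby
# Added example: path-containment check for archive entries before extraction.
# Assumes entry names as a tar reader would yield them; no real .gem parsing.

# True when +entry_name+ resolves to +dest_dir+ itself or somewhere beneath it.
def safe_entry?(entry_name, dest_dir)
  return false if entry_name.empty?
  return false if entry_name.start_with?('/')      # absolute path: never allowed
  dest   = File.expand_path(dest_dir)
  target = File.expand_path(entry_name, dest)       # collapses any '..' segments
  target == dest || target.start_with?(dest + File::SEPARATOR)
end

# A symlink entry must also point inside the install directory; its target is
# resolved relative to the directory the link itself would be created in.
def safe_symlink?(entry_name, link_target, dest_dir)
  return false unless safe_entry?(entry_name, dest_dir)
  return false if link_target.start_with?('/')
  dest     = File.expand_path(dest_dir)
  link_dir = File.dirname(File.expand_path(entry_name, dest))
  resolved = File.expand_path(link_target, link_dir)
  resolved.start_with?(dest + File::SEPARATOR)
end

# Splits entry names into [allowed, refused] for a given install directory.
def partition_entries(entry_names, dest_dir)
  entry_names.partition { |name| safe_entry?(name, dest_dir) }
end

# Constructed sample entry list resembling a hostile archive's contents.
SAMPLE_ENTRIES = [
  'lib/foo.rb',
  'bin/foo',
  '../../../../etc/passwd',
  '/usr/local/bin/gem',
  'lib/../../escape.rb'
].freeze

if __FILE__ == $0
  ok, bad = partition_entries(SAMPLE_ENTRIES, '/tmp/gem-install')
  puts "allowed: #{ok.inspect}"
  puts "refused: #{bad.inspect}"
end
```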