RubyGems 0.9.0 and earlier installation exploit

Eric_Hodel · January 16, 2007, 10:16pm

Problem Description:

RubyGems does not check installation paths for gems before writing files.

Impact:

Since RubyGems packages are typically installed using root permissions, arbitrary files may be overwritten on-disk. This may lead to denial of service, privilege escalation or remote compromise.

Workaround:

No known workarounds

Solution:

a) Upgrade to RubyGems 0.9.1

b) Apply one of the following patches

For RubyGems 0.9.0:

installer.rb.extract_files.REL_0_9_0.patch (1.21 KB)

installer.rb.extract_files.REL_0_8_11.patch (1.36 KB)

Topic		Replies	Views
RubyGems 0.9.1 rubyonrails-talk announcement	5	150	January 17, 2007
rubgems in user directory - HELP! rubyonrails-talk	4	103	February 5, 2007
installing ruby gems rubyonrails-talk	7	236	September 12, 2011
install rubygems rubyonrails-talk	3	199	March 13, 2009
Problem with RubyGems installation rubyonrails-talk	13	146	January 8, 2009

RubyGems 0.9.0 and earlier installation exploit

Related topics

More Resources