Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  NEWS  community  lists  Wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [month] [year] [list] 
Date: Tue, 21 Jul 2009 22:04:08 +0200
From: Alex Legler <a3li@...too.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request -- RubyGems

Hi,

first a little note: I have talked to some people in the Ruby community
and the issue is quite disputed. There is no upstream reaction that I
know of. But since CVE-2007-0469 was assigned to a similar issue, I
think this issue is valid, too.

On Di, 2009-07-21 at 20:57 +0200, Jan Lieskovsky wrote:
> A remote attacker
> could provide a specially-crafted Gem (POSIX tar)
> archive, 

Please note that .gem files are not neccesarily tarballs, there is at
least a proprietary base64-based format around and I've heard about
cpio.

> which once opened by an unsuspecting
> user, would overwrite relevant system file.

The user in this context has to be a privileged user. gem will use
~/.gem/bin if the system-wide gem binary directory is not writeable.

Alex

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ