RubyGems 0.9.0 and earlier installation exploit
Eric Hodel | Sun, 21 Jan 2007 09:08:00 GMT
Problem Description:
RubyGems does not check installation paths for gems before writing files.
Impact:
Since RubyGems packages are typically installed using root permissions, arbitrary files may be overwritten on-disk. This may lead to denial of service, privilege escalation or remote compromise.
Workaround:
No known workarounds
Solution:
Upgrade to RubyGems 0.9.1
Apply one of the following patches:
For RubyGems 0.9.0:
installer.rb.extract_files.REL_0_9_0.patch
MD5 (installer.rb.extract_files.REL_0_9_0.patch) = bed4fcdd438a7d8b81cf72e1ffe48a7d
For RubyGems 0.8.11:
installer.rb.extract_files.REL_0_8_11.patch
MD5 (installer.rb.extract_files.REL_0_8_11.patch) = 31e3bacd1821de0272864c153b7c0dca
Note:
Remote installations via Rubyforge will be disabled in the near future for versions of RubyGems earlier than 0.9.1, even for patched versions of RubyGems. Local installations will continue to work, however.
Thanks to Gavin Sinclair for finding and reporting this problem.
Testing your updated RubyGems:
Installing rspec-0.7.5 will give an InstallError on a patched version of RubyGems:
$ gem install rspec --version 0.7.5
ERROR: While executing gem ... (Gem::InstallError)
attempt to install file into "../web_spec/web_test_html_formatter.rb"
An updated rspec (0.7.5.1) has already been released.
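The check the advisory describes, written as an added illustration rather than the RubyGems patch itself: every entry in a gem's file list is resolved against the installation directory before anything is written, and an entry that resolves outside it (such as the rspec-0.7.5 path quoted above) aborts the install. The install_dir, file lists and the InstallPathError class are constructed sample values, not RubyGems internals.

```ruby
# Added example, not the RubyGems patch: refuse to write a gem's files
# anywhere but inside its own installation directory.

# Stand-in for the Gem::InstallError shown in the advisory's test run.
class InstallPathError < StandardError; end

# True when +entry+, resolved relative to +install_dir+, ends up outside it.
# The resolved path must have the directory plus a separator as its prefix;
# a bare prefix test would accept "../rspec-0.7.5-evil/x.rb" as being inside
# "rspec-0.7.5", so the separator is part of the comparison.
def escapes_install_dir?(install_dir, entry)
  base = File.expand_path(install_dir)
  dest = File.expand_path(entry, base)   # collapses "..", keeps absolute paths as-is
  !dest.start_with?(base + File::SEPARATOR)
end

# Resolve every entry before any file is written, so one bad entry aborts the
# whole install instead of leaving a half-written gem behind. Returns the
# absolute destination paths on success.
def check_gem_files(install_dir, files)
  base = File.expand_path(install_dir)
  files.map do |entry|
    if escapes_install_dir?(install_dir, entry)
      raise InstallPathError, "attempt to install file into #{entry.inspect}"
    end
    File.expand_path(entry, base)
  end
end

if __FILE__ == $0
  # Constructed sample: a gem directory plus two file lists, one clean and one
  # carrying the traversal entry from the advisory's rspec-0.7.5 example.
  install_dir = '/usr/lib/ruby/gems/1.8/gems/rspec-0.7.5'
  good = ['lib/spec.rb', 'lib/spec/runner.rb', 'bin/spec']
  bad  = ['lib/spec.rb', '../web_spec/web_test_html_formatter.rb']

  puts check_gem_files(install_dir, good)
  begin
    check_gem_files(install_dir, bad)
  rescue InstallPathError => e
    puts "ERROR: #{e.message}"
  end
end
```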
RubyGems 0.9.1
Eric Hodel | Thu, 18 Jan 2007 19:00:00 GMT
Finally, the much anticipated RubyGems version 0.9.1 is now available. This release includes a number of new features and bug fixes.
The most important change in RubyGems 0.9.1 is that RubyGems no longer allows files to be installed outside of the installation directory. A separate security bulletin with full details will be posted shortly.
RubyGems 0.9.1 is a required update. The RubyForge gem repository will soon disallow installation by older versions of RubyGems. Manual installation will still be allowed.
Upgrade note
While require_gem was deprecated in 0.9.0, the bin stubs are still using it (oops!). To get rid of the warnings printed by rake or other bin stubs simply run 'gem pristine --all'.
Changes in RubyGems 0.9.1
Major changes include:
- RubyGems no longer allows installation of files outside the gem directory
- #require_gem will now print a warning, use #gem instead
- RubyGems now requires ruby 1.8.2 or greater
- RubyGems is -w clean
Minor changes include:
- gem command changes
- new gem pristine command
- new gem outdated command
- new gem sources command
- gem uninstall can uninstall multiple gems
- gem install uses the cache instead of downloading
- gem install returns non-zero exit code on failure
- gem install can now set shebang on bin stubs (env or ruby)
- gem help output now fits in 80 columns
- many proxy installation improvements
- gem cert improvements
- RubyGems is now easier to use as a library
- Easier programmatic installs
- Easier inspection of local and remote gems
- extension building enhancements
- error reporting enhancements (less odd exceptions)
- require now loads .jar files
Bug fixes:
- installing from scratch fixed
- gem install --force forces
- installing from read-only location works
- gem uninstall requires full name
- gem install obeys GEM_HOME for bin scripts
- RubyGems now installs on ruby 1.9
- fixed issue with Gem::Specification#hash for JRuby
- RubyGems now installs RDoc and ri for itself
- RubyGems is now tab-free
What is RubyGems?
RubyGems is a package management system for Ruby applications and libraries. RubyGems' one command download makes installing Ruby software fun and enjoyable again.
Many gems are available for download from the RubyForge site. Browse the list of gems with a "gem list --remote" command and download what you need with a simple "gem install <name-of-gem>". RubyGems takes care of the details of installing, not only the gem you requested, but also any gems needed by the software you selected.
RubyGems Statistics
- About 1250 different gems are available from RubyForge
- Over 540 thousand downloads of the RubyGems software
- Over 8 million gem downloads
If you are interested in finding out when new gems are released, I maintain an RSS feed at http://onestepback.org/gemwatch.rss.
How can I get RubyGems?
If you have a recent version of RubyGems (0.8.5 or later), then all you need to do is:
$ gem update --system # you might need to be admin/root
$ gem pristine --all # ... here too
(Note: You may have to run the command twice if you have any previously installed rubygems-update gems).
If you have an older version of RubyGems installed, then you can still do it in two steps:
$ gem install rubygems-update # again, might need to be admin/root
$ update_rubygems # ... here too
$ gem pristine --all # and here
If you don't have any gems installed, there is still the pre-gem approach to getting software: doing it manually.
- DOWNLOAD FROM: http://rubyforge.org/frs/?group_id=126
- UNPACK INTO A DIRECTORY AND CD THERE
- INSTALL WITH: ruby setup.rb all (you may need admin/root privilege)
What's Next
For RubyGems 0.9.2 the RubyGems team is looking to add:
- Integration of local and remote installation
- Automatic installation of platform-specific gems
Thanks
Contributors to this release include:
Anatol Pomozov, Gavin Sinclair, David Lee, Ryan Davis, Robert James, Chris Morris, Sylvain Joyeux, Sava Chankov, Tom Pollard, Kevin Clark, Andy Shen.
Keep those gems coming!
Tattle Host OS
Eric Hodel | Wed, 10 Jan 2007 16:03:00 GMT
After two days and 562 tattle reports a picture of rubyists' operating system choice is emerging:
$ ruby filter_host_os.rb tattle-host_os-20070110-1053.yml
darwin8: 242
linux-gnu: 161
mswin32: 116
freebsd6: 16
solaris2: 7
darwin7: 5
cygwin: 4
openbsd4: 4
linux: 2
freebsd5: 2
darwin9: 2
openbsd3: 1
Generated from:
$ cat filter_host_os.rb
require 'yaml'
data = YAML.load ARGF.read
collapsed = Hash.new 0
data['host_os'].each do |os, count|
  os =~ /^(.*?)(\.|$)/
  collapsed[$1] += count
end
length = collapsed.keys.sort_by { |k| -k.length }.first.length
collapsed.sort_by { |o,c| -c }.each do |os,count|
  puts "%#{length}s: %d" % [os, count]
end
Tattle: The Ruby Census
Eric Hodel | Mon, 08 Jan 2007 21:23:51 GMT
The most-requested feature for RubyGems is the addition of a platform preference for automating installs and ignoring gems for the platforms you aren’t on. In order to help get there, Jim, Chad and Bruce have put together tattle:
At the first Rails Edge conference, Jim Weirich, Bruce Williams, and I were chatting about how to improve the RubyGems platform-specific behavior, when we realized that it would be really helpful to have more info about the install footprint of the Ruby community at large.
So instead of going right into hacking RubyGems as was our plan, we created a little census tool and an accompanying web site to help us collect information. Most of the info we collect is from Config::CONFIG, with the addition of the RubyGems version.
We know this information will help the implementers of RubyGems, and we hope it will also help Ruby implementers and library developers as well.
To install:
$ sudo gem install tattle
To submit your info:
$ tattle
If you want to see what would be posted before posting, you can do:
$ tattle report
The information gets posted to http://tattle.rubygarden.org. You can view the posted data with your web browser at that URL.
RubyGems Beta 0.9.0.9
Eric Hodel | Mon, 08 Jan 2007 01:28:33 GMT
Beta version 0.9.0.9 is now available with:
gem update --system --source http://onestepback.org/betagems
This will be the last beta with major changes before the release of 0.9.1.
Upgrade note
While require_gem was deprecated in 0.9.0, the bin stubs are still using it (oops!). To get rid of the warnings printed by rake or other bin stubs simply run gem pristine --all.
What’s new since 0.9.0?
Lots! Many changes both big and small! Here’s an incomplete summary:
- require_gem is deprecated and will print a warning. Use gem instead.
- RubyGems now requires ruby 1.8.2 or greater.
- gem command changes
- new gem pristine command
- new gem outdated command
- new gem sources command
- gem uninstall can uninstall multiple gems
- gem install uses the cache instead of downloading
- gem install returns non-zero exit code on failure
- gem install can now set shebang on bin stubs (env or ruby)
- gem help output now fits in 80 columns
- now -w clean
- many proxy installation improvements
- gem cert improvements
- RubyGems is now easier to use as a library
- Easier programmatic installs
- Easier inspection of local and remote gems
- extension building enhancements
- error reporting enhancements (less odd exceptions)
- many bugs fixed or closed (0 bugs in tracker!)
- require now loads .jar files
- select bug fixes:
- installing from scratch fixed
- gem install --force forces
- installing from read-only location works
- gem uninstall requires full name
- gem install obeys GEM_HOME for bin scripts
- RubyGems now installs on ruby 1.9
New since beta 0.9.0.8
- fixed issue with Gem::Specification#hash for JRuby
- RubyGems now installs RDoc and ri for itself
- RubyGems is now tab-free
- require_gem warning prints file and line information
For full details, read the ChangeLog.
RubyGems Beta 0.9.0.8
Eric Hodel | Tue, 26 Dec 2006 10:17:48 GMT
Beta version 0.9.0.8 is now available with:
gem update --system --source http://onestepback.org/betagems
Merry christmas from the RubyGems project!
If you find any bugs, report them on the RubyGems bug tracker.
Upgrade note
While require_gem was deprecated in 0.9.0, the bin stubs are still using it (oops!). To get rid of the warnings printed by rake or other bin stubs simply reinstall the gem. In the next beta 'gem pristine --all' will fix all your gem bin stubs.
What’s new since 0.9.0?
Lots! Many changes both big and small! Here’s an incomplete summary:
- require_gem is deprecated and will print a warning. Use gem instead.
- RubyGems now requires ruby 1.8.2 or greater.
- gem command changes
- new gem pristine command
- new gem outdated command
- new gem sources command
- gem uninstall can uninstall multiple gems
- gem install uses the cache instead of downloading
- gem install returns non-zero exit code on failure
- gem install can now set shebang on bin stubs (env or ruby)
- gem help output now fits in 80 columns
- now -w clean
- many proxy installation improvements
- gem cert improvements
- RubyGems is now easier to use as a library.
- Easier programmatic installs
- Easier inspection of local and remote gems
- extension building enhancements
- error reporting enhancements (less odd exceptions)
- many bugs fixed or closed (0 bugs in tracker!)
- require now loads .jar files
- select bug fixes:
- installing from scratch fixed
- gem install --force forces
- installing from read-only location works
- gem uninstall requires full name
- gem install obeys GEM_HOME for bin scripts
- RubyGems now installs on ruby 1.9
For full details, read the ChangeLog.
Recent Gems and Gem::Specification#description=
Eric Hodel | Mon, 10 Apr 2006 17:14:00 GMT
Jim Weirich provides a recent gems RSS feed that will put the most recently uploaded gems in your favorite RSS feed reader. Unfortunately it needs some help. The body of each gem's entry is filled in from the gemspec description field, which some Gem authors neglect to fill in.
It's really easy to fill in the description field of your gem:
spec = Gem::Specification.new do |s|
  s.name = 'mogilefs-client'
  s.version = '1.1.0'
  s.summary = 'A Ruby MogileFS client'
  # Just add this line right here!
  s.description = 'A Ruby MogileFS client.
MogileFS is a distributed filesystem written by Danga Interactive.
This client supports NFS mode and has untested support for HTTP mode.'
  s.author = 'Eric Hodel'
  s.email = 'eric@robotcoop.com'
  # ...
end
If you haven't filled in your gem's description please do so now so it shows up in your next release. Currently I see several gems with interesting names in the feed but without a description I'm not that interested in looking at them. They might not be as cool as their names sound.
Rubygems + ri
Eric Hodel | Thu, 23 Feb 2006 11:42:00 GMT
I’ve almost finished doing what has previously been claimed as impossible. I’ve cleanly integrated ri and Rubygems so that you can use ri to search your installed gems’ documentation.
The first part was simple, tell Rubygems to generate ri data for its gems. Rather than have Rubygems install a gem’s ri data mixed-in with the standard library’s data it installs it into a per-gem directory.
The unfinished part is getting a patch into Ruby that makes ri go looking in the gem ri data directories. That patch is in [ruby-core:7423]. Hopefully I can push it into 1.8 so it will be usable with Rubygems 0.9.
I was right!
Eric Hodel | Fri, 17 Feb 2006 10:28:00 GMT
Super-easy!
Except that Rubygems has methods that don’t get called when you think they should.
And that there’s a strange bug in RDoc when you run it twice.
ri for Rubygems will be easy!
Eric Hodel | Fri, 17 Feb 2006 08:44:00 GMT
Something as simple as:
begin
  require 'rubygems'
  # Gem.path is an Array of gem directories, so search each one rather than
  # interpolating the whole array into a single glob.
  Gem.path.each do |gem_path|
    Dir["#{gem_path}/gems/*/ri"].each do |path|
      RI::Paths::PATH << path
    end
  end
rescue LoadError
  # RubyGems is not installed; ri keeps searching only the standard paths.
end