RubyGems 0.9.0 and earlier installation exploit

某所で一から Ruby on Rails 環境を作るべく各サイトを訪問していて見つけました。

Problem Description:

RubyGems does not check installation paths for gems before writing files.

Impact:

Since RubyGems packages are typically installed using root permissions, arbitrary files may be overwritten on-disk. This may lead to denial of service, privilege escalation or remote compromise.

Workaround:

No known workarounds

ということで、

Solution:

a) Upgrade to RubyGems 0.9.1

b) Apply one of the following patches

For RubyGems 0.9.0:

http://rubyforge.org/frs/download.php/16543/installer.rb.extract_files.REL_0_9_0.patch

MD5 (installer.rb.extract_files.REL_0_9_0.patch) = bed4fcdd438a7d8b81cf72e1ffe48a7d

For RubyGems 0.8.11:

http://rubyforge.org/frs/download.php/16544/installer.rb.extract_files.REL_0_8_11.patch

MD5 (installer.rb.extract_files.REL_0_8_11.patch) = 31e3bacd1821de0272864c153b7c0dca

Note:

Remote installations via Rubyforge will be disabled in the near future for versions of RubyGems earlier than 0.9.1, even for patched versions of RubyGems. Local installations will continue to work, however.

となっています。早めのアップデートが必要ですね。

でもこのネタ、あまり触れてる blog などを見ないのですが何でだろ? 大して危なくない、という判断なのかしらん?