oss-sec mailing list archives
CVE Request -- RubyGems
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Tue, 21 Jul 2009 20:57:16 +0200
Hello Steve, vendors,

a potential system integrity violation flaw was found in the way RubyGems used to handle its external Gem archives. A remote attacker could provide a specially-crafted Gem (POSIX tar) archive, which once opened by an unsuspecting user, would overwrite relevant system files.

References:
----------
http://bugs.gentoo.org/show_bug.cgi?id=278566
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/24472
http://redmine.ruby-lang.org/issues/show/1800

Credit:
-------
Kazuhiro NISHIYAMA

Affected versions:
-----------------
Issue reported in RubyGems-1.3.4, but confirmed also in RubyGems-1.3.1.

Could you please allocate a new CVE identifier for it?

Thanks && Regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Response Team
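The flaw described in the report is a tar entry name escaping the extraction directory. The following is an added illustration, not code from the report or from RubyGems: a check that resolves each archive entry name against the extraction directory and refuses anything that would land elsewhere. The function names and the sample entry names are constructed for this example.

```ruby
# Added example (not the original report's or RubyGems' own code): a
# defensive check for tar entry names before a gem archive is unpacked.
# Each name is resolved against the extraction directory and refused if
# it would resolve anywhere else.

# Returns true only if entry_name resolves to a path strictly inside
# dest_dir (both given as strings).
def safe_tar_entry?(dest_dir, entry_name)
  return false if entry_name.nil? || entry_name.empty?
  # File.expand_path treats a leading "~" as a home directory, which is
  # never a legitimate gem content path, so refuse it before expanding.
  return false if entry_name.start_with?("~")
  # Absolute names are refused outright; expand_path would keep them.
  return false if entry_name.start_with?("/")

  root = File.expand_path(dest_dir)
  target = File.expand_path(entry_name, root)
  # The trailing separator keeps "/tmp/dest2/x" from passing for "/tmp/dest".
  target.start_with?(root + File::SEPARATOR)
end

# Splits entry names into those safe to extract and those to refuse.
def triage_tar_entries(dest_dir, entry_names)
  entry_names.partition { |name| safe_tar_entry?(dest_dir, name) }
end

if __FILE__ == $0
  # Constructed sample entry names (not taken from any real gem).
  names = ["lib/foo.rb", "../../../../etc/passwd", "/etc/passwd",
           "a/../../x", "a/../b", "~/.bashrc"]
  ok, bad = triage_tar_entries("/tmp/gem-extract", names)
  puts "extract: #{ok.inspect}"
  puts "refuse:  #{bad.inspect}"
end
```

Symlink entries need a separate check on their link target, which this name-only filter does not cover.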