Re: rubygems insecure download (and other problems)

[Marcus Meissner <meissner () suse de>]

On Wed, Aug 14, 2013 at 05:02:36PM -0400, Donald Stufft wrote:
> On Aug 14, 2013, at 4:59 PM, Kurt Seifried <kseifried () redhat com> wrote:
>
> > Signed PGP part
> > I don't think this is CVE worthy, but it is worth fixing and not
> > putting everyone at such risk:
> >
> > https://bugzilla.novell.com/show_bug.cgi?id=834785
> > https://bugzilla.redhat.com/show_bug.cgi?id=997179
> >
> > Problem #1:
> > install /etc/gemrc to install gems via https rather than http
> >
> > everyone should be enabling HTTPS where possible, intercepting and
> > modifying HTTP is trivial.
> >
> > Problem #2:
> > it redirects to  production.cf.rubygems.org which is on cloudfront so
> > has certificate mismatch, so either users have to accept insecurity,
> > or... well there is no second choice =(.
> >
> > https://www.ssllabs.com/ssltest/analyze.html?d=production.cf.rubygems.org
> >
> > - -- 
> > Kurt Seifried Red Hat Security Response Team (SRT)
> > PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>
> pip has a CVE for downloading via HTTP, does switching the
> gem to HTTPS actually make gem verify it?
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1629

Some SSL certificate issues in Ruby were also fixed...

... testing by pointing rubygems.org to another host with https gives:

$ gem install foo
ERROR:  Could not find a valid gem 'foo' (>= 0) in any repository
ERROR:  While executing gem ... (Gem::RemoteFetcher::FetchError)
    SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed 
(https://rubygems.org/latest_specs.4.8.gz)
...

I think a "package management" solution that installs software on a system should
have good security measurements by default these days, and trivial man-in-the-middle
attacks should not be possible.

So the implicit assumption "installing gems is secure" is violated here, which would
require a CVE I think.

Ciao, Marcus