
Multiple vulnerabilities in RubyGems - omarish
https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/
======
travjones
>> "a vulnerability in the gem installer that allowed a malicious gem to
overwrite arbitrary files"

Yeeks. Not good.

(sudo) gem update --system ASAP

~~~
devmunchies
would you have to go out of your way to find a malicious gem though? It's not
like any of the popular gems would try to overwrite files, right?

~~~
arkadiyt
There was recently a fiasco with NPM over a malicious node package whose name
was an intentional typo of a popular package, and upon installation it
exfiltrated all environment variables:
[https://twitter.com/o_cee/status/892306836199800836](https://twitter.com/o_cee/status/892306836199800836)

After this got uncovered, Duo published a blog post where they scanned for and
found several other malicious packages:

[https://duo.com/blog/hunting-malicious-npm-packages](https://duo.com/blog/hunting-malicious-npm-packages)

The last one they talk about worms itself by adding itself to any packages
authored on the computer it's installed on.

These issues are not unique to npm.

------
trapperkeeper74
I have a mirror of all Rubygems from last month. Should I scan em for PoCs?

~~~
rafaele
What does PoC mean?

~~~
tenken
Proof of Concept (of exploit) ... Eg is it "in the wild" and being exploited.

~~~
rafaele
thanks

------
jzelinskie
Is the work on adding TUF to RubyGems still happening? I can only find this
stagnant PR:
[https://github.com/rubygems/rubygems/pull/719](https://github.com/rubygems/rubygems/pull/719)

~~~
homakov
No work is happening in this direction on any known library server. They are
waiting for (another) major hack to wake up.

------
kichik
Is there a more detailed description of the vulnerabilities somewhere?

~~~
kichik
I think these are the commits, but not all of them contain a detailed
description.

[https://github.com/rubygems/rubygems/commit/8d91516fb7037ecf...](https://github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32)
[https://github.com/rubygems/rubygems/commit/8a38a4fc24c6591e...](https://github.com/rubygems/rubygems/commit/8a38a4fc24c6591e6c8f43d1fadab6efeb4d6251)
[https://github.com/rubygems/rubygems/commit/44cc27cd6123b8ea...](https://github.com/rubygems/rubygems/commit/44cc27cd6123b8eaafbcec5c8fe0dd0bc01d2a95)
[https://github.com/rubygems/rubygems/commit/ad5c0a53a86ca5b2...](https://github.com/rubygems/rubygems/commit/ad5c0a53a86ca5b218c7976765c0365b91d22cb2)

~~~
arkadiyt
The last 2 commits you listed are actually both for the arbitrary file write
issue, and there was a 5th commit for the ANSI issue:

[https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54...](https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491)

I went through all 4 issues and did a brief writeup for each of them. Only the
first 2 issues are serious (and worth upgrading for). The last 2 issues are
not really a big deal at all.

1) _" a DNS request hijacking vulnerability"_

Rubygems supports a gem server discovery mechanism, where if you set your gem
source as 'https://example.com', the gem client will
do a SRV dns lookup on "_rubygems._tcp.example.com" to determine where it
should send requests to.

A MITM can intercept that dns request and return whatever server they want,
forcing the gem client to download code from a malicious server.

Fixed by:

[https://github.com/rubygems/rubygems/commit/8d91516fb7037ecf...](https://github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32)

Now the returned DNS record must be for a subdomain of the gem source (in this
case it must point to a subdomain of "example.com").

2) _" a vulnerability in the gem installer that allowed a malicious gem to
overwrite arbitrary files"_

Gem contents could be unpacked in arbitrary file locations by setting the gem
name to include file traversal characters like "../".

Fixed by:

[https://github.com/rubygems/rubygems/commit/44cc27cd6123b8ea...](https://github.com/rubygems/rubygems/commit/44cc27cd6123b8eaafbcec5c8fe0dd0bc01d2a95)

[https://github.com/rubygems/rubygems/commit/ad5c0a53a86ca5b2...](https://github.com/rubygems/rubygems/commit/ad5c0a53a86ca5b218c7976765c0365b91d22cb2)

Now gem names can only contain letters, numbers, underscore (_), dash (-), and
dot (.).

3) _" an ANSI escape sequence vulnerability"_

Text specified in a gemspec can be output on installation or displayed when
showing information about the gem. Gem authors can inject terminal escape
sequences into (for instance) the authors field of the gem, and this will mess
with end users' terminals.

Fixed by:

[https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54...](https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491)

Now ANSI control characters are scrubbed out of text fields.

4) _"a DoS vulnerability in the query command"_

If someone provided an extremely large gem summary, rubygems would hang trying
to process it.

Fixed by:

[https://github.com/rubygems/rubygems/commit/8a38a4fc24c6591e...](https://github.com/rubygems/rubygems/commit/8a38a4fc24c6591e6c8f43d1fadab6efeb4d6251)

Now the summary is truncated to 100,000 characters. I'm a little surprised
this was even triaged as a vulnerability.

------
baron816
I'm sure this has been brought up before, but I think HN should have a special
tab where submissions like this get pinned--important stories where people need
to take action on stuff concerning security holes or political events (e.g.
Net neutrality).

~~~
vog
That doesn't make any sense to me.

People in such responsible positions are on respective announcement mailing
lists anyway, and read about those events (and patch their system and/or take
other measures) long before the story is upvoted on HN.

For example, every administrator of Debian systems is expected to be
subscribed to the "debian-security-announce" mailing list.

Also, everyone who is interested or active in German net politics is
subscribed to the "netzpolitik.org" RSS feed, or visits that site regularly.

Waiting until such a story hits HN and relying on that seems highly dubious to
me. As soon as any important story hits social media (such as Twitter, Reddit
or HN), all important measures have already been finished. HN is really the
end stage here, not the beginning. It is the reaction, not the initiative.

In short: Use the real network and connect directly to the relevant groups.
Don't rely on aggregation networks.

(BTW, isn't it almost comical that the latter, rather than the former, are
called "social" networks?)

~~~
niciliketo
I am not sure it has actually been announced on the relevant mailing list -
[https://groups.google.com/forum/#!forum/ruby-security-ann](https://groups.google.com/forum/#!forum/ruby-security-ann)

------
LunaSea
Ruby, the gift that keeps on giving.

