RubyGems.org gem replacement security vulnerability and mitigation

141 points by arthurnn about 9 years ago

10 comments

entitydc about 9 years ago
Big thanks to the authors of this post. It's written in such a way as the scope of the vulnerability is immediately clear and immediately actionable.
kentt about 9 years ago
I appreciate the way this was disclosed, especially that the author was very clear. Often security vulnerability disclosers are hard to understand.
dcu about 9 years ago
I just wrote a simple script to check the gems: https://gist.github.com/dcu/3c06e4ab0e98158c5742c4fd2b31523d
zwp about 9 years ago
The commit to fix this appears to be "validate Version full_name": https://github.com/rubygems/rubygems.org/commit/1067ab7e0871bf7b75832944d839c8e0495aeb92

Cause: a "full name" is a dash-separated join of its components, yet those components may themselves contain dashes :(
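The ambiguity zwp describes, shown as an added example that is not code from the thread or from rubygems.org: a gem's full_name is "name-version", so when names and versions can both contain dashes, two different (name, version) pairs can map to the same full_name. The gem names and versions below are constructed for illustration, and `GemIndex` is a stand-in for the server-side index, not the real rubygems.org model; it demonstrates the kind of uniqueness check a "validate full_name" fix adds.

```ruby
# Added example (not rubygems.org code). Demonstrates why a dash-joined
# full_name is ambiguous and how a uniqueness check rejects the collision.
require 'rubygems' # for Gem::Version, used only to validate version strings

# Build the full_name the same way RubyGems does: name and version joined by a dash.
def full_name(name, version)
  "#{name}-#{version}"
end

# Every way a full_name could be split back into [name, version]: each dash is a
# candidate boundary, kept only when the right-hand side is a valid Gem::Version.
# More than one result means the full_name is ambiguous.
def candidate_splits(full)
  splits = []
  full.each_char.with_index do |ch, i|
    next unless ch == '-'
    name = full[0...i]
    version = full[(i + 1)..-1]
    next if name.empty? || version.empty?
    begin
      Gem::Version.new(version)
    rescue ArgumentError
      next # not a version string, so this dash is not the boundary
    end
    splits << [name, version]
  end
  splits
end

# Hypothetical in-memory index of published gems, keyed by full_name.
class GemIndex
  def initialize
    @by_full_name = {}
  end

  # Returns :ok when the push is accepted and :conflict when a different
  # (name, version) pair already owns the same full_name. Re-pushing the
  # same pair is reported as :ok because no other gem would be overwritten.
  def push(name, version)
    full = full_name(name, version)
    owner = @by_full_name[full]
    return :conflict if owner && owner != [name, version]

    @by_full_name[full] = [name, version]
    :ok
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed collision: gem "demo" version "2-0-pre" and gem "demo-2" version "0-pre"
  puts full_name('demo', '2-0-pre')          # demo-2-0-pre
  p candidate_splits('demo-2-0-pre')         # both [name, version] readings
  idx = GemIndex.new
  p idx.push('demo', '2-0-pre')              # :ok
  p idx.push('demo-2', '0-pre')              # :conflict, the fix rejects it
end
```

The index check is deliberately keyed on the joined string rather than on the (name, version) pair, because the joined string is what ends up as the .gem filename on the server; that is the value that must stay unique.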
hellbanner about 9 years ago
Great response. It's still sad to me in 2016 we don't have reliable build systems for otherwise such modern programming tools.

I understand why.. just sad. Great job on the investigation though.
quakershake about 9 years ago
Anyone know why the date listed for a gem listed on rubygems.org wouldn't match the contents of the gem? I am guessing possible timezone differences. But some clarification would be nice.

For example:

    Listed for bundler -v 1.11.2 - December 16, 2015 (257 KB)

    $ tar tvf bundler-1.11.2.gem
    -r--r--r--  0 wheel wheel   2161 Dec 15 19:12 metadata.gz
    -r--r--r--  0 wheel wheel 257198 Dec 15 19:12 data.tar.gz
    -r--r--r--  0 wheel wheel    267 Dec 15 19:12 checksums.yaml.gz
click170 about 9 years ago
I worry for all the unmaintained but still available gems.
derekprior about 9 years ago
The manual verification steps are basically impossible for any non-trivial gem. I wonder if it would be possible to re-build (from git) the impacted gem versions and check their checksum against the downloaded version to detect differences?
seanhandley about 9 years ago
To save app developers manually trawling dozens of gems and duplicating work, we need to have somewhere that people can publicly disclose gems they've found to be compromised.
bhaak about 9 years ago
The real WTF is that they only started checksumming the gems in 2015!