System intrusion with RubyGems
RubyGems, an installer application for Ruby packages, does not check destination directories when installing packages. This means that an attacker can overwrite important files when a user installs a specially prepared package, thus gaining control of the computer.
RubyGems versions 0.9.0 and earlier are affected. Version 0.9.1 packages are now available for download from the project pages. The developers have also released patches for versions 0.8.11 and 0.9.0, which add an installation path check to the application.
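The kind of check the patched versions add, as an example written for this article rather than code taken from RubyGems or its patches: every path from a package manifest is resolved under the install directory and rejected if it is absolute or climbs out of that directory. The install root and the manifest entries are constructed.

```ruby
# Added example, not RubyGems' own code: validate destination paths before
# a package's files are written, so a crafted package cannot place files
# outside the gem's install directory.
require "pathname"

class PathEscapeError < StandardError; end

# Returns the absolute destination for +entry+ under +install_root+, or raises
# PathEscapeError when the entry is absolute or resolves outside the root.
def safe_destination(install_root, entry)
  root = Pathname.new(install_root).expand_path
  if Pathname.new(entry).absolute?
    raise PathEscapeError, "absolute path in package: #{entry}"
  end
  # Pathname#+ joins; expand_path collapses any embedded ".." components.
  dest = (root + entry).expand_path
  rel = dest.relative_path_from(root).to_s
  if rel == ".." || rel.start_with?("../")
    raise PathEscapeError, "path escapes install root: #{entry}"
  end
  dest.to_s
end

# Checks a whole manifest and returns [accepted, rejected], where accepted
# maps entry => destination and rejected maps entry => reason.
def check_manifest(install_root, entries)
  accepted = {}
  rejected = {}
  entries.each do |entry|
    begin
      accepted[entry] = safe_destination(install_root, entry)
    rescue PathEscapeError => e
      rejected[entry] = e.message
    end
  end
  [accepted, rejected]
end

if __FILE__ == $0
  # Constructed manifest: two legitimate entries and three that try to escape.
  manifest = ["lib/foo.rb", "bin/foo", "../../../etc/passwd", "/etc/passwd", "lib/../../x"]
  accepted, rejected = check_manifest("/var/lib/gems/foo-1.0", manifest)
  accepted.each { |e, d| puts "install #{e} -> #{d}" }
  rejected.each { |e, r| puts "REJECT  #{e}: #{r}" }
end
```

This is a lexical check only; an installer must additionally refuse symlink entries in the package, which this function does not inspect.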
- RubyGems 0.9.0 and earlier installation exploit, bug report on Full Disclosure
- Download updated RubyGems packages.
(ehe)