[Secure-testing-team] Bug#794120: ruby: please implement a way to forcibly disable download/installation of (Debian external) gems
Christoph Anton Mitterer
calestyo at scientia.net
Thu Jul 30 18:52:11 UTC 2015
Package: ruby
Version: 1:2.1.5.1
Severity: wishlist
Tags: security
Hi.
AFAIU, the gems integration into ruby allows one (e.g. in principle also
other packages) to download/install software which doesn't come via the
Debian Archives (i.e. I'm not talking about properly packaged "gems", as
e.g. ruby-xmlparser).
Correct me if I'm wrong.... =)
There are several, especially security, problems with such external
downloading/injecting features - similar to those as one has them with
many (but not all) downloader packages.
- They put trust for code which gets executed (likely even as root) into
another party (the ruby gem author), in which the Debian user/admin
likely doesn't want to put trust.
- It circumvents the package management system.
- And also the security support from Debian.
- If an attacker can control the code of the gem (which is downloaded
in such manner) he could selectively attack only certain people, making
such attack basically impossible to ever notice (which is less easy
when the same code is guaranteed to be used by *all*, as it's the case
when it's properly packaged).
- On a first glance (I haven't looked into all details) it seems that the
certs from ca-certificates would be used for authenticating such
external gems? Or did I get that wrong?
Anyway, that would really be a serious problem, that contains gazillions
of CAs where many of them have proven countless times to be either
incompetent or simply straight malicious.
It's of course fine to have properly (Debian-)packaged gems being used,
but any form of possible way that code gets installed (without the admin
or user doing it manually or via the package management system (talking
about dpkg/apt here)) is IMHO a quite severe security breach, and as such
there should be a way to have ruby gems in Debian configured (per default)
so that this isn't possible.
But just that seems to work:
e.g.
# gem install rubygems-update
Fetching: rubygems-update-2.4.8.gem (100%)
Successfully installed rubygems-update-2.4.8
1 gem installed
Installing ri documentation for rubygems-update-2.4.8...
Installing RDoc documentation for rubygems-update-2.4.8...
#
And that even though there seem to be no trusted certificate configured:
# gem cert --list
#
Best wishes,
Chris.
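As an added illustration (not part of the bug report above, and not Debian's or RubyGems' own code), the script below audits a gemrc document for the settings the report is asking to have as the default: no remote sources, local-only `install`/`update`, and a `--trust-policy` that refuses unsigned gems. Both gemrc documents are constructed samples; the `audit_gemrc` helper and its result keys are assumptions of this example. The `:sources:`, per-command (`install:`, `update:`) and `gem:` keys, and the `--local` and `--trust-policy` options, are regular RubyGems configuration.

```ruby
require "yaml"

# Constructed sample gemrc contents (not taken from the bug report):
# a stock default that still allows remote fetches ...
DEFAULT_GEMRC = <<~YAML
  :sources:
  - https://rubygems.org/
  gem: --no-document
YAML

# ... and a hardened one: no remote sources, local-only install/update,
# and signature verification required for anything that is installed.
HARDENED_GEMRC = <<~YAML
  :sources: []
  gem: --no-document --trust-policy HighSecurity
  install: --local
  update: --local
YAML

# Hypothetical audit helper: reads a gemrc document and reports whether it
# leaves a way open for `gem` to fetch code from outside the host.
def audit_gemrc(text)
  cfg = YAML.safe_load(text, permitted_classes: [Symbol]) || {}
  sources = cfg[:sources] || cfg["sources"] || []
  gem_opts = cfg["gem"].to_s
  # capture the policy name from "--trust-policy NAME" or "--trust-policy=NAME"
  policy = gem_opts[/--trust-policy[ =](\w+)/, 1]
  # both commands that can pull in new code must be pinned to the local domain
  local_only = %w[install update].all? { |cmd| cfg[cmd].to_s.split.include?("--local") }
  {
    remote_sources: sources,
    trust_policy: policy,
    local_only: local_only,
    downloads_disabled: sources.empty? && local_only,
  }
end

if __FILE__ == $PROGRAM_NAME
  [["default", DEFAULT_GEMRC], ["hardened", HARDENED_GEMRC]].each do |name, text|
    puts "#{name}: #{audit_gemrc(text)}"
  end
end
```

A gemrc only supplies defaults: a user can still pass `--remote` or `--both` on the command line, or change `Gem.sources` from Ruby code, so this is a configuration check rather than an enforcement mechanism. Note also that with `HighSecurity` and an empty `gem cert --list`, as in the session above, every install would be refused until a publisher certificate is explicitly trusted.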