oss-sec mailing list archives
Re: rubygems insecure download (and other problems)
From: Marcus Meissner <meissner () suse de>
Date: Thu, 15 Aug 2013 10:37:45 +0200
On Wed, Aug 14, 2013 at 05:02:36PM -0400, Donald Stufft wrote:
On Aug 14, 2013, at 4:59 PM, Kurt Seifried <kseifried () redhat com> wrote:Signed PGP part I don't think this is CVE worthy, but it is worth fixing and not putting everyone at such risk: https://bugzilla.novell.com/show_bug.cgi?id=834785 https://bugzilla.redhat.com/show_bug.cgi?id=997179 Problem #1: install /etc/gemrc to install gems via https rather than http everyone should be enabling HTTPS where possible, intercepting and modifying HTTP is trivial. Problem #2: it redirects to production.cf.rubygems.org which is on cloudfront so has certificate mismatch, so either users have to accept insecurity, or... well there is no second choice =(. https://www.ssllabs.com/ssltest/analyze.html?d=production.cf.rubygems.org - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993pip has a CVE for downloading via HTTP, does switching the gem to HTTPS actually make gem verify it? https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1629
Some SSL certificate issues in Ruby were also fixed... ... testing by pointing rubygems.org to another host with https gives: $ gem install foo ERROR: Could not find a valid gem 'foo' (>= 0) in any repository ERROR: While executing gem ... (Gem::RemoteFetcher::FetchError) SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/latest_specs.4.8.gz) ... I think a "package management" solution that installs software on a system should have good security measurements by default these days, and trivial man-in-the-middle attacks should not be possible. So the implicit assumption "installing gems is secure" is violated here, which would require a CVE I think. Ciao, Marcus
Current thread:
- rubygems insecure download (and other problems) Kurt Seifried (Aug 14)
- Re: rubygems insecure download (and other problems) Donald Stufft (Aug 14)
- Re: rubygems insecure download (and other problems) Marcus Meissner (Aug 15)
- Re: rubygems insecure download (and other problems) Henri Salo (Aug 15)
- Re: rubygems insecure download (and other problems) Kurt Seifried (Aug 15)
- RE: rubygems insecure download (and other problems) Christey, Steven M. (Aug 15)
- Re: rubygems insecure download (and other problems) Marcus Meissner (Aug 15)
- Re: rubygems insecure download (and other problems) Donald Stufft (Aug 14)
- Re: HTTPS (was: rubygems insecure download (and other problems)) gremlin (Aug 14)
- Re: HTTPS (was: rubygems insecure download (and other problems)) Donald Stufft (Aug 14)
- Re: HTTPS (was: rubygems insecure download (and other problems)) Pavel Labushev (Aug 16)
- Message not available
- Re: HTTPS Kurt Seifried (Aug 21)
- Re: HTTPS Pavel Labushev (Aug 22)
- Re: HTTPS (was: rubygems insecure download (and other problems)) Donald Stufft (Aug 14)
- Re: HTTPS gremlin (Aug 15)