Allele Security Alert
Installing a malicious gem may lead to arbitrary code execution
RubyGems 2.6 and later through 3.0.2
Proof of concept
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.
nyangawa (Chaitin Tech)
March 2019 Security Advisories
Also verify spec require_paths when pre install task
[Installer] Validate spec name before checking the ruby spec is loadable
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: June 19, 2019