RubyGems.org gem replacement vulnerability and mitigation

There’s an announcement on RubyGems.org about a possible security problem. It says:

RubyGems.org contained a bug that could allow an attacker to replace some .gem files on our servers with a different file that they supplied. We deployed a partial fix on April 2nd and a complete fix on April 4th, 2016. We also verified every .gem uploaded after Feb 8th, 2015, and found that none of them had been replaced. Gems whose name contains a dash (e.g. ‘blank-blank’) uploaded before that date should be verified by their authors. We’ve provided instructions on how to do that below.

Here is a list of the gems I’m a maintainer of that may have been affected. I can confirm that I’ve checked them all and they should be fine. Some of them I updated while checking them, so this minor debacle has been somewhat helpful in forcing me to get round to that. I’ve only listed the latest versions as they’re the ones you should really be using, but if you’re using older ones then I suggest you clone the git repo for it and check it. Let me know if there’s a problem.

The simplest way I found to check them was to download the gem, unpack it, git checkout the particular version of the project (I tag all releases) and then overwrite the files using the downloaded ones. Then a simple git status will show if there are any changes and give you the chance to diff them.
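The same check in script form, as an added example that is not the author's script or dcu's: it unpacks a fetched .gem with RubyGems' own Gem::Package and reports every shipped file that differs from, or is absent in, a git checkout of the tagged release. The checkout path and the prior `gem fetch NAME -v VERSION` step are assumed.

```ruby
require "rubygems/package"
require "digest"
require "tmpdir"
require "find"

# Compare every file in an unpacked gem tree against the same relative path in
# the source checkout. Only files the gem ships are examined, so files that are
# in git but not packaged (tests, CI config) do not count as differences.
# Returns { "relative/path" => "modified" | "missing_in_source" } for mismatches.
def compare_gem_tree(gem_dir, src_dir)
  findings = {}
  Find.find(gem_dir) do |path|
    next unless File.file?(path)
    rel = path[gem_dir.length..].sub(%r{\A/}, "")
    src = File.join(src_dir, rel)
    if !File.file?(src)
      findings[rel] = "missing_in_source"
    elsif Digest::SHA256.file(path).hexdigest != Digest::SHA256.file(src).hexdigest
      findings[rel] = "modified"
    end
  end
  findings
end

# Extract a downloaded .gem into a temporary directory and compare it with
# SRC_DIR, which is assumed to already be checked out at the release tag.
def verify_gem(gem_path, src_dir)
  Dir.mktmpdir("gemcheck") do |dir|
    Gem::Package.new(gem_path).extract_files(dir)
    compare_gem_tree(dir, src_dir)
  end
end

# Usage: ruby verify_gem.rb FILE.gem SOURCE_CHECKOUT
if __FILE__ == $0 && ARGV.length == 2
  findings = verify_gem(ARGV[0], ARGV[1])
  if findings.empty?
    puts "OK: gem contents match the source checkout"
  else
    findings.each { |file, status| puts "#{status}: #{file}" }
    exit 1
  end
end
```

A non-empty report is a prompt to diff the listed files against git, not proof of tampering: legitimately packaged files that were never committed show up as missing_in_source.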


I’ve also taken a script provided by dcu and made some changes to make it more convenient for me to run against multiple directories and see what may have been affected amongst the gems my projects are using. Feel free to use it.
