Rubygems critical CVE

[pcjmfranken]

A critical CVE that allows for Rubygem takeover was just published. I'm not sure whether Homebrew depends on any potentially compromised gems, but the notice provides enough details that you could probably check.

GHSA-hccv-rwq6-vh79

Off-topic: The only method currently listed by Homebrew for reporting security vulnerabilities requires registering an account with a third party website. I really believe the barrier for reporting security concerns should be lower than that. Perhaps you could also list an email address - any free one would do, just forward the messages.

[Bo98]

Thanks for the heads up. We lock our dependencies and review pull requests which make any updates.

Based on the advice mentioned in this advisory:

To audit your application history for possible past exploits, review your Gemfile.lock and look for gems whose platform changed when the version number did not change. For example, gemname-3.1.2 updating to gemname-3.1.2-java could indicate a possible abuse of this vulnerability.

We have not seen this happen to any of our Gemfile.lock files.

[pcjmfranken]

Thanks for the heads up

Ruby and I don't talk anymore, so glad I could help in some other way :)

With full confidence in your abilities and judgement regarding the impact of this I'll close this now.