A survey of recent RubyGems CVEs
Samuel Giddins • September 13, 2024 • Sarajevo, Bosnia and Herzegovina • Talk

RubyGems, like any sufficiently used piece of software, has its fair share of bugs. Being a package manager (and gem host), many of those bugs turn out to have security implications. Let's take a tour of recent RubyGems and RubyGems.org vulnerabilities, and learn how we're keeping the ecosystem safe.

Marshal, insufficient input validation, symlink traversal, oh my! Over the past couple of years, there's been a slow trickle of CVEs announced, covering both RubyGems and RubyGems.org. Let's go on a quick tour of those vulnerabilities, covering their lifecycle from discovery to mitigation to announcement. We'll dive into some patterns that have started to emerge, and discuss the steps the RubyGems team is taking to keep the Ruby ecosystem secure in an increasingly adversarial world.

EuRuKo 2024
