On 06/04/2019 03:32, Alceu Rodrigues de Freitas Junior via
cpan-testers-discuss wrote:
> Hello guys,
> Did you have the chance to read about this backdoor found in a popular
> Ruby gem?
> https://www.zdnet.com/article/backdoor-code-found-in-popular-bootstrap-sass-ruby-library/
> I was wondering if there is anything we could do to avoid having the
> same thing happening.
Three things stand out from the article.
First, the rubygems access of the person who uploaded it was revoked
*by the Bootstrap-Sass team*. Implying that he was previously authorised
by them. He had co-maint, in PAUSE terms.
Second, the package uploaded had a lower version number than what was
current at the time, so most users wouldn't have been affected. I
*ASS*ume that this means that it was a targeted attack on someone who
was using the old version 3.2.0 specifically.
Third, it was removed on the same day it was reported, which was only
after an individual spotted that something strange had happened.
Presumably it would have been spotted quicker if he'd uploaded $LATEST+1.
There's nothing we can do about the first of those.
The second and third, though, lead me to think that perhaps PAUSE should
alert owners/co-maints whenever a package of theirs is uploaded but not
indexed - not indexed either because the person uploading it doesn't
have rights to that namespace or because it's older than the most recent
version. That way the namespace owner can check what was uploaded, and
then either discuss it with the PAUSE-admins or with the uploader.
I don't think we should go so far as to do something like quarantining
the offending dist until one of those owners/co-maints approves it
though, mostly because there are legitimate cases where people upload
"fixed" versions of other people's code where the "fix" is really just a
difference of opinion.
--
David Cantrell
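The alert rule proposed in the reply above (notify the namespace's rights holders whenever an upload is not indexed, either because the uploader lacks rights to the namespace or because the version is older than the currently indexed one) sketched as a toy model. This is an added example, not PAUSE's code: the permission table, the index, the `Upload` record, the namespace `Example::Dist`, the PAUSE ids and the version numbers are all constructed here, and the dotted-numeric version comparison is a simplification of real Perl version semantics.

```python
"""Toy model of the proposed PAUSE alert: every upload that is NOT indexed
raises an alert to the other rights holders of that namespace.

Assumptions (constructed for this example, not PAUSE's real data model):
  - permissions: namespace -> set of PAUSE ids allowed to upload it
  - index:       namespace -> version string currently indexed
  - an upload is indexed only if the uploader has rights AND the version
    is strictly newer than the indexed one
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Upload:
    uploader: str    # PAUSE id of the person who uploaded
    namespace: str   # module namespace the dist claims
    version: str     # dotted numeric version, e.g. "3.2.0"


def parse_version(v):
    """Simplified comparison key: '3.2.0' -> (3, 2, 0). Real Perl versions
    have more rules; this is enough to show the indexing decision."""
    return tuple(int(part) for part in v.split("."))


def classify_upload(upload, permissions, index):
    """Return 'indexed', 'no_rights' or 'older_version' for one upload."""
    allowed = permissions.get(upload.namespace, set())
    if upload.uploader not in allowed:
        return "no_rights"
    current = index.get(upload.namespace)
    if current is not None and parse_version(upload.version) <= parse_version(current):
        return "older_version"
    return "indexed"


def process_uploads(uploads, permissions, index):
    """Apply uploads in order. Indexed uploads advance the index; every
    non-indexed upload becomes an alert addressed to the namespace's
    rights holders other than the uploader (assumption: the uploader
    does not need to be told about their own upload)."""
    index = dict(index)
    alerts = []
    for u in uploads:
        verdict = classify_upload(u, permissions, index)
        if verdict == "indexed":
            index[u.namespace] = u.version
            continue
        recipients = sorted(permissions.get(u.namespace, set()) - {u.uploader})
        alerts.append({
            "namespace": u.namespace,
            "uploader": u.uploader,
            "version": u.version,
            "reason": verdict,
            "notify": recipients,
        })
    return index, alerts


def demo():
    """Constructed scenario mirroring the thread: a co-maint uploads a
    version older than current, a stranger uploads to a namespace they do
    not hold, the owner uploads a genuine new release, then re-uploads it."""
    permissions = {"Example::Dist": {"OWNER", "COMAINT"}}
    index = {"Example::Dist": "3.4.0"}
    uploads = [
        Upload("COMAINT", "Example::Dist", "3.2.0"),   # older than 3.4.0
        Upload("STRANGER", "Example::Dist", "3.5.0"),  # no rights
        Upload("OWNER", "Example::Dist", "3.5.0"),     # indexed
        Upload("OWNER", "Example::Dist", "3.5.0"),     # equal version, not indexed
    ]
    return process_uploads(uploads, permissions, index)


if __name__ == "__main__":
    final_index, alerts = demo()
    print("index:", final_index)
    for a in alerts:
        print(f"ALERT {a['namespace']} {a['version']} by {a['uploader']}: "
              f"{a['reason']} -> notify {', '.join(a['notify'])}")
```

The point of the model is that the two non-indexed cases the reply names are exactly the ones a backdoored re-release of an old version would fall into, so the owner hears about it on upload day rather than whenever someone happens to notice.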