2013/11/22  <drbrain / ruby-lang.org>:
> drbrain 2013-11-22 08:27:30 +0900 (Fri, 22 Nov 2013)
>
>   New Revision: 43767
>
>   http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=43767
>
>   Log:
>     * lib/rubygems:  Update to RubyGems master 50a8210.  Important changes
>       in this commit:
>
>       RubyGems now automatically checks for gem.deps.rb or Gemfile when
>       running ruby executables.  This behavior is similar to `bundle exec
>       rake`.  This change may be reverted before Ruby 2.1.0 if too many bugs
>       are found.

I think that running ./Gemfile is a security risk.
It may match "CWE-114: Process Control".
http://cwe.mitre.org/data/definitions/114.html

Consider a multi-user environment.
A malicious user can create /tmp/Gemfile.
A victim may run ruby in /tmp eventually.

malicious% echo 'raise "hahaha"' > /tmp/Gemfile

victim# cd /tmp
victim# ruby -e ''
/tmp/Gemfile:1:in `load': hahaha (RuntimeError)
	from /home/ruby/tst1/lib/ruby/2.1.0/rubygems/request_set/gem_dependency_api.rb:193:in `instance_eval'
	from /home/ruby/tst1/lib/ruby/2.1.0/rubygems/request_set/gem_dependency_api.rb:193:in `load'
	from /home/ruby/tst1/lib/ruby/2.1.0/rubygems/request_set.rb:206:in `load_gemdeps'
	from /home/ruby/tst1/lib/ruby/2.1.0/rubygems.rb:1036:in `use_gemdeps'
	from /home/ruby/tst1/lib/ruby/2.1.0/rubygems.rb:1217:in `<top (required)>'
	from <internal:gem_prelude>:1:in `require'
	from <internal:gem_prelude>:1:in `<compiled>'

Of course, the malicious user can write more dangerous
code in /tmp/Gemfile.
-- 
Tanaka Akira
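[Editor's added example, not part of Tanaka Akira's mail and not RubyGems code.]
The scenario above works because the dependency file is evaluated purely on the
basis of its name and location in the current directory. The Ruby below shows
the kind of ownership and permission check a loader would need before trusting
a Gemfile or gem.deps.rb found in the cwd: the file must be a regular file
(not a symlink) owned by the current user and not writable by group or others,
and its directory must not be world-writable unless it is sticky. Under these
rules the world-writable /tmp/Gemfile created by another user is refused because
of its owner. The function names (gemdeps_untrusted_reason, trusted_gemdeps),
the lookup order of the two file names, and the scratch directory used in the
demo are all assumptions made for this example.

```ruby
# Added example: a trust check for a dependency file found in the current
# directory. Not RubyGems code; names and policy are hypothetical.
require 'tmpdir'

# Candidate file names, checked in this (assumed) order.
GEMDEPS_NAMES = %w[gem.deps.rb Gemfile].freeze

# Return nil when +path+ may be evaluated, otherwise a String saying why not.
# +uid+ defaults to the effective uid; tests can pass another uid to simulate
# a file created by a different user (as in the /tmp/Gemfile scenario).
def gemdeps_untrusted_reason(path, uid: Process.euid)
  st = File.lstat(path)                      # lstat: do not follow symlinks
  return "#{path} is a symlink" if st.symlink?
  return "#{path} is not a regular file" unless st.file?
  return "#{path} is owned by uid #{st.uid}, not uid #{uid}" unless st.uid == uid
  return "#{path} is writable by group or others" unless (st.mode & 0o022).zero?

  # A world-writable, non-sticky directory lets anyone rename a file over
  # ours between the check and the load; the sticky bit prevents that.
  dir = File.dirname(File.expand_path(path))
  dst = File.stat(dir)
  unless (dst.mode & 0o002).zero? || dst.sticky?
    return "#{dir} is writable by others and not sticky"
  end
  nil
end

# Look for a dependency file in +dir+ and return its path only when it passes
# the checks above. If a candidate exists but is untrusted, hand the reason to
# the block (if any) and return nil instead of falling through to the next name.
def trusted_gemdeps(dir, uid: Process.euid)
  GEMDEPS_NAMES.each do |name|
    path = File.join(dir, name)
    next unless File.symlink?(path) || File.exist?(path)
    reason = gemdeps_untrusted_reason(path, uid: uid)
    if reason
      yield reason if block_given?
      return nil
    end
    return path
  end
  nil
end

if $PROGRAM_NAME == __FILE__
  # Constructed scenario: a scratch directory holding a Gemfile that raises,
  # first world-writable (refused), then with sane permissions (accepted).
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'Gemfile')
    File.write(path, 'raise "hahaha"')
    File.chmod(0o666, path)
    trusted_gemdeps(dir) { |why| warn "refusing to load #{path}: #{why}" }
    File.chmod(0o644, path)
    p trusted_gemdeps(dir)                   # the path, now considered trusted
  end
end
```

The check is deliberately conservative: it would also refuse a Gemfile that
the victim created in /tmp with loose permissions, which is the right failure
direction for code that is about to be instance_eval'd. It does not, however,
change the underlying design question raised in the mail, which is whether
the current directory should be consulted at all.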