Nobuhiro IMAI has reported a vulnerability in Ruby, which potentially can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an unspecified error in the XMLRPC module, which may be exploited to execute arbitrary commands on a vulnerable XMLRPC server.

The vulnerability has been reported in version 1.8.2. Prior versions may also be affected.

Solution: The vulnerability has been fixed in the CVS repository.
Ruby herd, please have a look...
Created attachment 61727: ruby-1.8.2-client.diff
Created attachment 61728: ruby-1.8.2-utils.diff

Here are patches I made after looking at Ruby's CVS changelog. Since the bug details are vague, I'm not sure if it fixes the problem. Please advise.
Rob, is upstream preparing a new version to fix this?
Rob: patch reference corresponds to the bug, looks ok to me. Please bump Ruby with the patch, since apparently upstream is in no hurry to release a new version for that.
===========================================================
Ubuntu Security Notice USN-146-1              June 29, 2005
ruby1.8 vulnerability
CAN-2005-1992
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

libxmlrpc-ruby1.8
ruby1.8

Details follow:

Nobuhiro IMAI discovered that the changed default value of the Module#public_instance_methods() method broke the security protection of XMLRPC server handlers. A remote attacker could exploit this to execute arbitrary commands on an XMLRPC server.

Updated packages for Ubuntu 4.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/ruby1.8_1.8.1+1.8.2pre2-3ubuntu0.2.diff.gz
      Size/MD5: 154525 13e3897dc3c2e5a2b8d57ea6ad63d121
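The root cause named in the Ubuntu notice above, shown as an added example that is not part of the original thread or of the attached patches: an export list built from `public_instance_methods` with no argument includes everything inherited from Object and Kernel, while passing `false` explicitly limits it to the handler's own methods. `CalcHandler` and the helper functions are hypothetical names, and the deny-by-default `dispatch` is an illustration, not the XMLRPC library's code.

```ruby
# Constructed handler class (hypothetical), standing in for a service
# object whose public methods are meant to be remotely callable.
class CalcHandler
  def add(a, b)
    a + b
  end

  def sub(a, b)
    a - b
  end

  private

  # Private helper: must never appear in an export list.
  def audit(msg)
    msg
  end
end

# Export list that relies on the default argument. With the default
# (inherited methods included) this also returns the public methods
# that every object gets from Object and Kernel.
def exported_default(klass)
  klass.public_instance_methods.map(&:to_s).sort
end

# Export list with the argument given explicitly: only the methods
# defined in klass itself.
def exported_explicit(klass)
  klass.public_instance_methods(false).map(&:to_s).sort
end

# Names that become reachable only because of the inherited default.
def unintended_exports(klass)
  exported_default(klass) - exported_explicit(klass)
end

# Deny-by-default dispatcher: a name is callable only if it is in the
# explicit export list of the handler's class.
def dispatch(handler, name, *args)
  allowed = exported_explicit(handler.class)
  raise ArgumentError, "method not exported: #{name}" unless allowed.include?(name.to_s)
  handler.public_send(name, *args)
end
```

Running `unintended_exports` over each registered handler class is a quick audit for code that still depends on the default.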
After looking at the links, I'm not sure that the client.rb patch is part of this, but it looks like the *-utils.diff patch IS the fix.
Could someone bump ruby with the patch please?
Bumped as ruby-1.8.2-r2.ebuild.

Left all of the arches the same as it's a very minimal patch and is in ruby code which shouldn't affect anybody. ppc-macos needs to bump to stable, though.

According to http://www.ruby-lang.org/en/20050701.html, the fix had already been put into the 1.8 branch and cvs head, so ruby-1.8.3_pre1 shouldn't be affected.
thanks caleb

ppc-macos, pls test and mark ruby-1.8.2-r2.ebuild stable if possible (going directly to glsa status, since stable keywords exist for all supported arches)
Thx everyone, GLSA 200507-10 is out.

mips / ppc-macos: please mark stable to benefit from GLSA
Later version stable.