Summary: | dev-lang/ruby XMLRPC Server Arbitrary Command Execution (CAN-2005-1992) | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> | ||||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||||
Status: | RESOLVED FIXED | ||||||||
Severity: | major | CC: | ppc-macos, ruby | ||||||
Priority: | High | ||||||||
Version: | unspecified | ||||||||
Hardware: | All | ||||||||
OS: | Other | ||||||||
URL: | http://secunia.com/advisories/15767/ | ||||||||
Whiteboard: | C1 [glsa] | ||||||||
Package list: | Runtime testing required: | --- | |||||||
Attachments: |
|
Description
Sune Kloppenborg Jeppesen (RETIRED)
2005-06-22 07:10:19 UTC
Ruby herd, please have a look... Created attachment 61727 [details, diff]
ruby-1.8.2-client.diff
Created attachment 61728 [details, diff]
ruby-1.8.2-utils.diff
Here are patches I made after looking at Ruby's CVS changelog. Since the bug
details are vague, I'm not sure if it fixes the problem. Please advise.
Rob, is upstream preparing a new version to fix this? Rob: patch reference corresponds to the bug, looks ok to me. Please bump Ruby with the patch, since apparently upstream is in no hurry to release a new version for that. =========================================================== Ubuntu Security Notice USN-146-1 June 29, 2005 ruby1.8 vulnerability CAN-2005-1992 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) The following packages are affected: libxmlrpc-ruby1.8 ruby1.8 Details follow: Nobuhiro IMAI discovered that the changed default value of the Module#public_instance_methods() method broke the security protection of XMLRPC server handlers. A remote attacker could exploit this to execute arbitrary commands on an XMLRPC server. Updated packages for Ubuntu 4.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/ruby1.8_1.8.1+1.8.2pre2-3ubuntu0.2.diff.gz Size/MD5: 154525 13e3897dc3c2e5a2b8d57ea6ad63d121 After looking at the links, I'm not sure that the client.rb patch is part of this but, but it looks like the *-utils.diff patch IS the fix. Could someone bump ruby with the patch please? Bumped as ruby-1.8.2-r2.ebuild Left all of the arches the same as it's a very minimal patch and is in ruby code which shouldn't affect anybody. ppc-macos needs to bump to stable, though. According to http://www.ruby-lang.org/en/20050701.html, the fix had already been put into the 1.8 branch and cvs head, so ruby-1.8.3_pre1 shouldn't be affected. thanks caleb ppc-macos, pls test and mark ruby-1.8.2-r2.ebuild stable if possible (going directly to glsa status, since stable keywords exist for all supported arches) Thx everyone, GLSA 200507-10 is out mips / ppc-macos : please mark stable to benefit from GLSA Later version stable. |