Bug 456176 (CVE-2013-0262) - <dev-ruby/rack-{1.1.6,1.2.8,1.3.10,1.4.5}: Insecure File Access Security Issue and Information Disclosure Security Issue (CVE-2013-{0262,0263})
Summary: <dev-ruby/rack-{1.1.6,1.2.8,1.3.10,1.4.5}: Insecure File Access Security Issu...
Status: RESOLVED FIXED
Alias: CVE-2013-0262
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://secunia.com/advisories/52033/
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-08 15:22 UTC by Agostino Sarubbo
Modified: 2014-05-17 19:04 UTC

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2013-02-08 15:22:22 UTC
From $URL :

Description
A security issue has been reported in Rack, which can be exploited by malicious, local users to 
disclose potentially sensitive information.

The security issue is caused due to the application using files in an insecure manner, which can be 
exploited to disclose potentially sensitive information via symlink attacks.

The security issue is reported in versions prior to 1.4.5 and 1.5.2.


Solution
Update to version 1.4.5 or 1.5.2.

Provided and/or discovered by
Ben Murphy

Original Advisory
https://groups.google.com/forum/#!msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ
https://groups.google.com/forum/#!msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ
Comment 1 Agostino Sarubbo gentoo-dev 2013-02-08 15:23:18 UTC
and from: https://secunia.com/advisories/52134/

Description
A security issue has been reported in Rack, which can be exploited by malicious people to disclose potentially sensitive information.

The security issue is caused due to the application checking cookie data in an insecure manner, which can be exploited to disclose potentially sensitive information via timing attack.

NOTE: This can further be exploited to execute arbitrary code.

The security issue is reported in versions prior to 1.1.6, 1.2.8, 1.3.10, 1.4.5, and 1.5.2.


Solution
Update to version 1.1.6, 1.2.8, 1.3.10, 1.4.5, or 1.5.2.

Provided and/or discovered by
Reported by the vendor.

Original Advisory
https://groups.google.com/forum/#!msg/rack-devel/xKrHVWeNvDM/4ZGA576CnK4J
https://groups.google.com/forum/#!msg/rack-devel/hz-liLb9fKE/8jvVWU6xYiYJ
https://groups.google.com/forum/#!msg/rack-devel/RnQxm6i13C4/xfakH81yWvgJ
https://groups.google.com/forum/#!msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ
https://groups.google.com/forum/#!msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ
Comment 2 Hans de Graaff gentoo-dev Security 2013-02-09 07:44:08 UTC
Fixed versions are now in the tree (we don't have the 1.5 series in tree yet):

=dev-ruby/rack-1.1.6
=dev-ruby/rack-1.2.8
=dev-ruby/rack-1.3.10
=dev-ruby/rack-1.4.5
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-02-24 16:18:49 UTC
(In reply to comment #2)
> Fixed versions are now in the tree (we don't have the 1.5 series in tree
> yet):
> 
> =dev-ruby/rack-1.1.6
> =dev-ruby/rack-1.2.8
> =dev-ruby/rack-1.3.10
> =dev-ruby/rack-1.4.5

Thanks, Hans.

Arches, please test and mark stable.
Comment 4 Agostino Sarubbo gentoo-dev 2013-02-24 17:19:03 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-02-24 17:19:56 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-02-24 17:33:35 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-02-24 17:35:46 UTC
x86 stable
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-03-04 23:20:32 UTC
CVE-2013-0263 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0263):
  Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x
  before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote
  attackers to guess the session cookie, gain privileges, and execute
  arbitrary code via a timing attack involving an HMAC comparison function
  that does not run in constant time.

CVE-2013-0262 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0262):
  rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5
  allows attackers to access arbitrary files outside the intended root
  directory via a crafted PATH_INFO environment variable, probably a directory
  traversal vulnerability that is remotely exploitable, aka "symlink path
  traversals."
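The two NVD entries quoted in the comment above describe two different defects: a signed-cookie check whose HMAC comparison short-circuits on the first mismatching byte, and a static-file handler that serves whatever path results from joining PATH_INFO onto the document root, including symlinks that point outside it. The block below is an added illustration of the corresponding defences; it is not Rack's own code, and the helper names (constant_time_equal?, sign_cookie, verify_cookie, resolve_within_root and the two demo functions) are hypothetical names chosen for this example. The directory layout the path demo builds in a temporary directory is constructed here.

```ruby
# Added example, not Rack's own code. Demonstrates the two defences the
# NVD descriptions above call for: constant-time HMAC comparison for a
# signed session cookie, and confining a served file to the real document
# root so ".." segments and symlinks cannot reach outside it.
require 'openssl'
require 'securerandom'
require 'tmpdir'

# CVE-2013-0263 class of bug: a plain `==` on two digest strings returns as
# soon as the first differing byte is found, so the response time leaks how
# many leading bytes of a guessed digest are correct. This comparison touches
# every byte regardless of where (or whether) a mismatch occurs.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Signed cookie in the "payload--hexdigest" shape (hypothetical format).
def sign_cookie(secret, payload)
  digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, payload)
  "#{payload}--#{digest}"
end

# Returns the payload when the signature verifies, nil otherwise.
def verify_cookie(secret, cookie)
  payload, sep, digest = cookie.rpartition('--')
  return nil if sep.empty?   # no separator: malformed cookie
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, payload)
  constant_time_equal?(digest, expected) ? payload : nil
end

# CVE-2013-0262 class of bug: joining PATH_INFO onto the root and serving the
# result lets ".." segments, or a symlink placed inside the root, name a file
# outside it. Resolve the real path of both root and candidate and require the
# candidate to stay strictly beneath the root.
def resolve_within_root(root, path_info)
  return nil if path_info.include?("\0")
  segments = path_info.split('/').reject { |s| s.empty? || s == '.' }
  return nil if segments.include?('..')
  root_real = File.realpath(root)
  candidate = File.join(root_real, *segments)
  return nil unless File.file?(candidate)          # follows symlinks
  real = File.realpath(candidate)                  # where it really points
  return nil unless real.start_with?(root_real + File::SEPARATOR)
  real
end

# Constructed demo: a fresh secret, a valid cookie, a tampered payload with the
# old signature, and a cookie without any signature at all.
def demo_cookie
  secret = SecureRandom.hex(32)
  cookie = sign_cookie(secret, 'user=alice')
  {
    valid:     verify_cookie(secret, cookie),
    tampered:  verify_cookie(secret, cookie.sub('alice', 'admin')),
    malformed: verify_cookie(secret, 'user=alice')
  }
end

# Constructed demo layout in a temp dir:
#   tmp/public/index.html          legitimate file under the root
#   tmp/secret.txt                 file outside the root
#   tmp/public/leak -> ../secret.txt   symlink inside the root pointing out
def demo_path_confinement
  Dir.mktmpdir do |tmp|
    root = File.join(tmp, 'public')
    outside = File.join(tmp, 'secret.txt')
    Dir.mkdir(root)
    File.write(File.join(root, 'index.html'), '<h1>ok</h1>')
    File.write(outside, 'top secret')
    File.symlink(outside, File.join(root, 'leak'))
    {
      legit:   File.basename(resolve_within_root(root, '/index.html').to_s),
      dotdot:  resolve_within_root(root, '/../secret.txt'),
      symlink: resolve_within_root(root, '/leak')
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts demo_cookie.inspect
  puts demo_path_confinement.inspect
end
```

The comparison takes its length check first and then XORs every byte pair into an accumulator, so its running time depends only on the digest length and not on the position of the first mismatch. The path check deliberately calls File.realpath on the root as well as the candidate, since the root itself may live behind a symlink (for example a temp directory), and compares with a trailing separator so that a sibling directory whose name merely starts with the root's name is not accepted.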
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2013-03-24 19:44:51 UTC
Request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-05-17 19:04:05 UTC
This issue was resolved and addressed in
 GLSA 201405-10 at http://security.gentoo.org/glsa/glsa-201405-10.xml
by GLSA coordinator Sean Amoss (ackle).