
Bug 157048

Summary: dev-lang/ruby: Another DoS Vulnerability in CGI Library (CVE-2006-6303)
Product: Gentoo Security
Reporter: Diego Elio Pettenò (RETIRED) <flameeyes>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: ruby, znmeb
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/
Whiteboard: B3 [glsa] DerCorny
Package list:
Runtime testing required: ---

Description Diego Elio Pettenò (RETIRED) gentoo-dev 2006-12-04 00:33:20 UTC
Quoting from the site

--
Another vulnerability has been discovered in the CGI library (cgi.rb) that ships with Ruby which could be used by a malicious user to create a denial of service attack (DoS).

This vulnerability is open to the public as JVN#84798830.

Please note that the previous patch (<URL:http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-cgi-dos-1.patch>) does not fix this problem.

Impact

A specific HTTP request for any web application using cgi.rb causes CPU consumption on the machine on which the web application is running. Many such requests result in a denial of service.

Vulnerable versions

1.8 series: 1.8.5 and all prior versions
Development version (1.9 series): All versions before 2006-12-04

Solution

1.8 series
Please upgrade to 1.8.5-p2.
<URL:http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p2.tar.gz> (4519151 bytes, md5sum: a3517a224716f79b14196adda3e88057)
Please note that a package that corrects this weakness may already be available through your package management software.
--

I'll see to preparing an ebuild for 1.8.5-p2.
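The advisory quoted above gives only version boundaries (1.8.5-p2 for the 1.8 series, snapshots dated 2006-12-04 or later for 1.9). The script below is an added example, not part of this bug or of the ruby-lang advisory: it turns a `ruby -v` line into a vulnerable/fixed verdict for this cgi.rb issue, which is the check an administrator would run across hosts before and after the stable bump. It assumes the `ruby -v` output format `ruby X.Y.Z (YYYY-MM-DD[ patchlevel N]) [platform]`, where builds without a patchlevel are treated as patchlevel 0.

```ruby
# Added example (not from the Gentoo bug or the Ruby advisory).
# Classify a Ruby build with respect to the cgi.rb DoS fixed in 1.8.5-p2.
#
# Assumed `ruby -v` format: "ruby X.Y.Z (YYYY-MM-DD patchlevel N) [platform]";
# builds that predate patchlevels print "ruby X.Y.Z (YYYY-MM-DD) [platform]".

FIXED_1_8 = [1, 8, 5, 2].freeze       # 1.8.5-p2, per the advisory
FIXED_1_9_DATE = "2006-12-04".freeze  # 1.9 snapshots from this date carry the fix

# Parse one `ruby -v` line into a hash, or nil if it does not match the
# assumed format. Missing patchlevel is treated as 0.
def parse_ruby_version(line)
  m = line.match(/\Aruby\s+(\d+)\.(\d+)\.(\d+)\s*\((\d{4}-\d{2}-\d{2})(?:\s+patchlevel\s+(\d+))?\)/)
  return nil unless m
  {
    :version => [m[1].to_i, m[2].to_i, m[3].to_i, (m[5] || 0).to_i],
    :date    => m[4],
  }
end

# Returns :vulnerable, :fixed or :unknown.
# - 1.8.x (and anything older): affected below 1.8.5 patchlevel 2.
# - 1.9 development snapshots: affected when built before 2006-12-04
#   (array/string comparison works because both are ISO dates).
def cgi_dos_status(line)
  info = parse_ruby_version(line)
  return :unknown if info.nil?
  major, minor = info[:version][0], info[:version][1]
  if major == 1 && minor == 9
    info[:date] < FIXED_1_9_DATE ? :vulnerable : :fixed
  else
    (info[:version] <=> FIXED_1_8) < 0 ? :vulnerable : :fixed
  end
end

if __FILE__ == $0
  # Check the interpreter found on PATH.
  line = `ruby -v`.strip
  puts "#{line} => #{cgi_dos_status(line)}"
end
```

Note that Gentoo's package version for the fixed build is written `1.8.5_p2`, while upstream and the interpreter itself report it as 1.8.5 patchlevel 2; the parser above keys on the interpreter's own output, so it is independent of how the package manager spells the version.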
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-12-04 01:09:42 UTC
thx Flameeyes
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-12-04 01:38:06 UTC
1.8.5_p2 in tree.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-12-04 01:51:24 UTC
arches, please test and stable 1.8.5_p2, thx
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2006-12-04 03:05:27 UTC
*** Bug 157038 has been marked as a duplicate of this bug. ***
Comment 5 Luis Medinas (RETIRED) gentoo-dev 2006-12-04 04:26:43 UTC
apart from make test failures (normal issue and an old bug) amd64 got stable love.
Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2006-12-04 06:14:23 UTC
sparc stable.
Comment 7 Brent Baude (RETIRED) gentoo-dev 2006-12-04 07:24:51 UTC
ppc64 stable
Comment 8 Alexander Færøy 2006-12-04 09:44:04 UTC
Stable on Alpha.
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2006-12-04 10:16:54 UTC
ppc stable
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2006-12-04 10:29:40 UTC
ranger marked stable on ppc64
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2006-12-04 14:35:38 UTC
Stable for HPPA.
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2006-12-05 00:07:29 UTC
x86 done
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-15 07:50:54 UTC
"A specific HTTP request for any web application using cgi.rb causes CPU consumption" --> I vote GLSA
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-15 08:11:40 UTC
I vote YES as well.
Comment 15 Wolf Giesen (RETIRED) gentoo-dev 2006-12-15 10:21:42 UTC
Nobody will care for my addon YES, then ^_^
Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-21 05:47:12 UTC
GLSA 200612-21, thanks everybody!
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2007-03-31 18:23:18 UTC
ia64 stable