
Bug 219085 (CVE-2008-1891)

Summary: dev-lang/ruby NTFS/FAT file disclosure (CVE-2008-1891)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ruby
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://aluigi.altervista.org/adv/webrickcgi-adv.txt
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 225465
Bug Blocks:

Description Robert Buchholz (RETIRED) gentoo-dev 2008-04-23 22:09:05 UTC
CVE-2008-1891 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1891):
  Directory traversal vulnerability in WEBrick in Ruby 1.9.0 and earlier, when
  using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI
  files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4)
  %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly
  related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new
  functionality and the :DocumentRoot option.
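The following is an added illustration of the bug class described above, written for this page; it is neither Ruby's own fix nor code from this bug. A naive extension check on the raw URI fails to see `.cgi` for each of the five listed trailing variants, while NTFS/FAT would still open `test.cgi` for such a name, so the hardened path mapper percent-decodes first and then refuses any final segment ending in `+`, `.` or a space. All function names are assumed.

```ruby
# Percent-decode a URI path without treating '+' as a space (path, not form, semantics).
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Trailing characters that, per the CVE description, let a request such as
# "/cgi-bin/test.cgi." reach test.cgi on NTFS/FAT while no longer looking like a CGI.
TRAILING_BYPASS = /[+. ]\z/

# Naive check on the raw request path: this is the pattern the bug defeats.
# Returns false for "test.cgi.", "test.cgi%20", etc., even though the
# filesystem resolves those names to test.cgi and would hand back its source.
def naive_cgi_request?(raw_path)
  File.extname(raw_path) == '.cgi'
end

# Hardened mapping (hypothetical): decode, reject traversal and NUL bytes, and
# refuse any final segment carrying a trailing '+', '.' or space so the name
# the handler classifies is the same name the filesystem will open.
# Returns the decoded path, or nil if the request must be refused.
def safe_request_path(raw_path)
  decoded = percent_decode(raw_path)
  return nil if decoded.include?("\0")
  segments = decoded.split('/', -1)
  return nil if segments.any? { |s| s == '..' }
  return nil if TRAILING_BYPASS.match?(segments.last.to_s)
  decoded
end

# Classify only after the path has survived the hardened mapping.
def hardened_cgi_request?(raw_path)
  path = safe_request_path(raw_path)
  !path.nil? && File.extname(path) == '.cgi'
end
```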
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-04-23 22:34:12 UTC
Serving files off of FAT32 is just bad, but I believe we should handle this as a low-priority issue.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-04 19:09:05 UTC
This issue has been fixed a long time ago and probably should have been included in GLSA 200812-17.
However, taking rbu's statement into consideration, I certainly think this is not worth an extra GLSA, too, so closing as noglsa.