| Summary: | <dev-ruby/rack-{1.1.6,1.2.8,1.3.10,1.4.5}: Insecure File Access Security Issue and Information Disclosure Security Issue (CVE-2013-{0262,0263}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | ruby |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://secunia.com/advisories/52033/ | | |
| Whiteboard: | B1 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
and from: https://secunia.com/advisories/52134/

Description
A security issue has been reported in Rack, which can be exploited by malicious people to disclose potentially sensitive information.

The security issue is caused due to the application checking cookie data in an insecure manner, which can be exploited to disclose potentially sensitive information via timing attack.

NOTE: This can further be exploited to execute arbitrary code.

The security issue is reported in versions prior to 1.1.6, 1.2.8, 1.3.10, 1.4.5, and 1.5.2.

Solution
Update to version 1.1.6, 1.2.8, 1.3.10, 1.4.5, or 1.5.2.

Provided and/or discovered by
Reported by the vendor.

Original Advisory
https://groups.google.com/forum/#!msg/rack-devel/xKrHVWeNvDM/4ZGA576CnK4J
https://groups.google.com/forum/#!msg/rack-devel/hz-liLb9fKE/8jvVWU6xYiYJ
https://groups.google.com/forum/#!msg/rack-devel/RnQxm6i13C4/xfakH81yWvgJ
https://groups.google.com/forum/#!msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ
https://groups.google.com/forum/#!msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ

Comment 2
Fixed versions are now in the tree (we don't have the 1.5 series in tree yet):

=dev-ruby/rack-1.1.6
=dev-ruby/rack-1.2.8
=dev-ruby/rack-1.3.10
=dev-ruby/rack-1.4.5

(In reply to comment #2)
> Fixed versions are now in the tree (we don't have the 1.5 series in tree
> yet):
>
> =dev-ruby/rack-1.1.6
> =dev-ruby/rack-1.2.8
> =dev-ruby/rack-1.3.10
> =dev-ruby/rack-1.4.5

Thanks, Hans. Arches, please test and mark stable.

ppc stable

ppc64 stable

amd64 stable

x86 stable

CVE-2013-0263 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0263):
Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.

CVE-2013-0262 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0262):
rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka "symlink path traversals."

Request filed.

This issue was resolved and addressed in GLSA 201405-10 at http://security.gentoo.org/glsa/glsa-201405-10.xml by GLSA coordinator Sean Amoss (ackle).
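The non-constant-time HMAC comparison behind CVE-2013-0263, as an added Ruby example that is not Rack's own code and not part of this bug report: the short-circuiting `==` check beside a constant-time compare of the kind the fixed releases introduced, applied to a signed cookie whose `payload--hexdigest` layout, secret and payload are all assumed or constructed here.

```ruby
require 'openssl'

# Constructed values for the example only; not real secrets or session data.
SECRET  = 'constructed-example-secret'
PAYLOAD = 'BAh7BkkiCnVzZXIGOgZFVEkiCWJvYgY7AEY='

def hmac_sha1(secret, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Vulnerable form: String#== stops at the first mismatching byte, so the time
# it takes depends on how many leading bytes of the supplied digest are right.
def vulnerable_digest_match?(data, digest, secret)
  digest == hmac_sha1(secret, data)
end

# Hardened form (a reimplementation of the usual constant-time idiom, not
# Rack's code): reject on a length mismatch, then XOR every byte pair and OR
# the results together so the loop always covers the whole string.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize

  left = a.unpack('C*')
  acc = 0
  i = -1
  b.each_byte { |byte| acc |= byte ^ left[i += 1] }
  acc == 0
end

def hardened_digest_match?(data, digest, secret)
  secure_compare(digest, hmac_sha1(secret, data))
end

# Verify a cookie assumed to be laid out as "payload--hexdigest"; returns the
# payload only when the HMAC is valid, nil otherwise (including no digest).
def verify_cookie(cookie, secret)
  payload, digest = cookie.split('--', 2)
  return nil if digest.nil?

  hardened_digest_match?(payload, digest, secret) ? payload : nil
end

if __FILE__ == $PROGRAM_NAME
  cookie = "#{PAYLOAD}--#{hmac_sha1(SECRET, PAYLOAD)}"
  puts(verify_cookie(cookie, SECRET) ? 'cookie verified' : 'cookie rejected')
end
```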