Summary: | dev-lang/ruby libruby1.8: CGI::Session creates files insecurely | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | critical | CC: | phil, usata
Priority: | High | |
Version: | unspecified | |
Hardware: | All | |
OS: | All | |
URL: | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=260779 | |
Whiteboard: | B4 [glsa] jaervosz | |
Package list: | | Runtime testing required: | ---
Description
Sune Kloppenborg Jeppesen (RETIRED)
Mamoru, this seems to affect the versions in portage. Will you look into it and provide an updated ebuild if necessary? For more information read: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=260779

I personally use Ruby for web development and stumbled over this myself. Shell users could read all the session data. This by itself is not a security hole, as I could choose which data to save, but still it allows an attacker to gather the information which is stored in the end. http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-dev/23952 contains a patch for this problem. I would propose a severity increase, as Debian put out DSA 537-1 with CAN-2004-0755 assigned addressing this issue. Please react, and please also fix the 1.8.1 tree currently in stable. Thank you.

Thanks for the pointers, Philipp. As for the patch, ruby-1.8.2_pre2 includes it. Also, I added ruby-1.6.8-r11 yesterday, which is a snapshot of 20040727 and contains a fix for the bug. However, ruby-1.8.0 is the last version which compiles on ia64 (bug #48824), so I'll make ruby-1.8.0-r7 with the patch tonight. After that, I'll open a bug to let arch maintainers mark ruby-1.6.8-r11, ruby-1.8.0-r7 and ruby-1.8.2_pre2 stable.

Mamoru, just post on this bug what needs to be marked stable and cc the relevant arches.

Okay.

All arch devs, due to the security issue described on this bug, the following ebuilds need to be marked stable. (I've just marked them stable on x86.)

* dev-lang/ruby-1.6.8-r11
* dev-lang/ruby-1.8.0-r7 (for ia64)
* dev-lang/ruby-1.8.2_pre2
* dev-ruby/ruby-config-0.3 (dependency of ruby-1.8.2_pre2)

Please test and mark them stable. Thanks in advance.

Correcting whiteboard to stable.

Stable on ppc.

Stable on alpha.

Stable on sparc.

Marked arm/hppa stable.

Stable on amd64.

Security, this seems to be a B4; please vote on GLSA.

I think we need one. It's an information leak, but it's a very interesting one. And Debian did one :)

GLSA 200409-08

ia64, mips, ppc, s390, please mark stable to benefit from GLSA.

1.8.2_pre2 marked stable on ppc64, thanks!

Stable on mips.
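The class of bug this report is about, a session store that creates its files with the default mode so any local shell user can read the serialized session data, is illustrated below in an added example. This is not code from this bug report, from Ruby's cgi/session.rb, or from the ruby-dev patch; the `ruby_sess.` file prefix, the helper names and the sample session strings are assumptions made for the demonstration. The hardened variant uses the generic fix for this pattern (exclusive create plus mode 0600); whether the upstream patch does exactly that is not stated on this page. The audit helper is the check a practitioner would run on an existing session directory after updating.

```ruby
require 'tmpdir'

# Assumed file naming for the demonstration, not the library's own layout.
SESSION_PREFIX = "ruby_sess."

# Vulnerable pattern: the file gets the default mode (0666 & ~umask), which under
# the usual umask of 022 is 0644, so any local user can read the session data.
def write_session_insecure(dir, sid, data)
  path = File.join(dir, SESSION_PREFIX + sid)
  File.open(path, "w") { |f| f.write(data) }
  path
end

# Hardened pattern: CREAT|EXCL makes the open fail if the name already exists
# (including a symlink an attacker planted under a predictable name) instead of
# following it, and mode 0600 restricts reads to the owning user.
def write_session_secure(dir, sid, data)
  path = File.join(dir, SESSION_PREFIX + sid)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) { |f| f.write(data) }
  path
end

# Audit helper: every session file in dir whose group or other read bit is set.
def world_readable_session_files(dir)
  Dir.glob(File.join(dir, SESSION_PREFIX + "*")).select do |path|
    (File.stat(path).mode & 0044) != 0
  end
end

# Stand-alone demonstration in a scratch directory: one file written each way,
# then the audit. Returns the basenames the audit flags.
def demo
  Dir.mktmpdir do |dir|
    old_umask = File.umask(0022)   # make the insecure case deterministic
    begin
      insecure = write_session_insecure(dir, "deadbeef", "user_id=42")
      secure   = write_session_secure(dir, "cafef00d", "user_id=43")
      flagged  = world_readable_session_files(dir).map { |p| File.basename(p) }
      puts "insecure file mode: %o" % (File.stat(insecure).mode & 0777)
      puts "secure file mode:   %o" % (File.stat(secure).mode & 0777)
      puts "flagged by audit:   #{flagged.inspect}"
      flagged
    ensure
      File.umask(old_umask)
    end
  end
end

demo if $PROGRAM_NAME == __FILE__
```

Run it as a plain script; the insecure file shows mode 644 and is the only one the audit flags, while the secure file shows 600. Note that passing a mode of 0600 alone is not enough if the name is predictable and the directory is shared: the `File::EXCL` flag is what stops an attacker from pre-creating the file with permissive bits of their own.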