Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 69985

Summary: dev-lang/ruby: CGI DoS issue (CAN-2004-0983)
Product: Gentoo Security Reporter: Kurt Lieber (RETIRED) <klieber>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: neysx, ruby, usata
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: B3 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Kurt Lieber (RETIRED) gentoo-dev 2004-11-03 15:33:49 UTC
marking this as private for now.  
-----Forwarded Message-----
From: Martin Schulze <>
Subject: [vendor-sec] CAN-2004-0983: Denial of service in Ruby
Date: Wed, 03 Nov 2004 09:20:37 +0100

Moin everybody!

I don't know if some of you are also shipping a version of ruby
in your distributions.  We have received a report that the upstream
developers have corrected a problem that could be triggered remotely
and cause an infinite loop on the server, since it's the CGI module.

The patch is here:

This problem is semi-public already (upstream cvs, Debian packages),
it may not be too useful to try a coordinated release, but if you
would like to, I could postpone the advisory a bit.
Comment 1 Kurt Lieber (RETIRED) gentoo-dev 2004-11-03 15:35:04 UTC
ruby folks, could you please have a look at this?  Adding usata as an explicit CC since I'm not sure he can see the bug, otherwise.
Comment 2 Kurt Lieber (RETIRED) gentoo-dev 2004-11-04 04:55:50 UTC
Adding xavier so he can see the bug.
Comment 3 Mamoru KOMACHI (RETIRED) gentoo-dev 2004-11-04 06:32:30 UTC
I'll look into this problem (I get bugzilla mail from ruby alias).
Comment 4 solar (RETIRED) gentoo-dev 2004-11-04 09:05:42 UTC
But now you can't see this bug or comment here anymore.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-11-05 05:24:45 UTC
Putting individual names rather than aliases.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-08 22:36:56 UTC
Debian published 

Ruby please provide a fixed ebuild.
Comment 7 Mamoru KOMACHI (RETIRED) gentoo-dev 2004-11-09 08:17:33 UTC
Thanks for readding me to this bug (I was not aware
that I was not able to revisit security bug).

I added ruby-1.6.8-r12 on 5 Nov, and agriffis added 
ruby-1.8.2_pre3 yesterday. Both versions contain the
fix by ruby upstream. I could make patched revisions
of <=ruby-1.8.2_pre2, but I would rather ask arch
devs to test 1.6.8-r12 and ruby-1.8.2_pre3 and mark
them stable.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-09 10:58:38 UTC
Arches please mark ruby-1.6.8-r1 and ruby-1.8.2_pre3 stable.
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2004-11-09 11:33:58 UTC
I cannot mark stable on ppc64: Won't compile:  [...] ./mkconfig.rb:142: syntax error [...]  Markus
Comment 10 Mamoru KOMACHI (RETIRED) gentoo-dev 2004-11-09 12:33:21 UTC
Do you have cjk in USE?
Comment 11 Ferris McCormick (RETIRED) gentoo-dev 2004-11-09 12:36:47 UTC
1.8.2_pre3 stable for sparc.  I cannot comment on 1.6.8-r1.
Comment 12 Simon Stelling (RETIRED) gentoo-dev 2004-11-09 12:59:18 UTC
1.8.2_pre3 and 1.6.8-r12 stable on amd64
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-09 23:08:39 UTC
This is keyworded for ppc-macos, but that's not the arch alias. CC'ing kito and ndimiduk 
Comment 14 Jochen Maes (RETIRED) gentoo-dev 2004-11-09 23:39:01 UTC
stable on ppc (both)

Comment 15 Bryan Ƙstergaard (RETIRED) gentoo-dev 2004-11-10 01:42:34 UTC
Stable on alpha.
Comment 16 Markus Rothe (RETIRED) gentoo-dev 2004-11-10 05:51:14 UTC
mhh.. mysterious.. I cannot reprocedure that error again. dev-lang/ruby-1.8.2_pre3 is now stable on ppc64.
Comment 17 Kito (RETIRED) gentoo-dev 2004-11-10 08:34:15 UTC
stable on ppc-macos.

Comment 18 Ferris McCormick (RETIRED) gentoo-dev 2004-11-11 05:06:31 UTC
1.6.8-r12 is also stable for sparc.  Builds, installs, and runs test cases as expected.
Comment 19 Olivier Crete (RETIRED) gentoo-dev 2004-11-11 07:34:44 UTC
x86 there
Comment 20 Matthias Geerdsen (RETIRED) gentoo-dev 2004-11-11 07:37:51 UTC
security, pls vote on GLSA (since this is rated B3)

/me votes for a GLSA

at least Debian, Mandrake and Ubuntu have published advisories already

Comment 21 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-11 08:20:31 UTC
I vote for a GLSA too.
Comment 22 Hardave Riar (RETIRED) gentoo-dev 2004-11-14 23:22:17 UTC
Stable on mips.
Comment 23 Thierry Carrez (RETIRED) gentoo-dev 2004-11-15 02:01:46 UTC
I vote YES too
Comment 24 Thierry Carrez (RETIRED) gentoo-dev 2004-11-16 02:01:03 UTC
GLSA 200411-23
arm hppa ia64: please mark stable to benefit from GLSA
Comment 25 Thierry Carrez (RETIRED) gentoo-dev 2004-11-16 02:03:40 UTC
s390 should also mark 1.8.2_pre3 stable

Ruby team : please clean up old vulnerable versions...