Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 96784

Summary: dev-lang/ruby XMLRPC Server Arbitrary Command Execution (CAN-2005-1992)
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: ppc-macos, ruby
Priority: High    
Version: unspecified   
Hardware: All   
OS: Other   
URL: http://secunia.com/advisories/15767/
Whiteboard: C1 [glsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
ruby-1.8.2-client.diff
none
ruby-1.8.2-utils.diff none

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-22 07:10:19 UTC
Nobuhiro IMAI has reported a vulnerability in Ruby, which potentially can be exploited by malicious people to bypass certain security restrictions.
 
 The vulnerability is caused due to an unspecified error in the XMLRPC module, which may be exploited to execute arbitrary commands on a vulnerable XMLRPC server.
 
 The vulnerability has been reported in version 1.8.2. Prior versions may also be affected.

Solution:
The vulnerability has been fixed in the CVS repository.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-06-22 08:42:35 UTC
Ruby herd, please have a look...
Comment 2 Rob Cakebread (RETIRED) gentoo-dev 2005-06-22 09:37:18 UTC
Created attachment 61727 [details, diff]
ruby-1.8.2-client.diff
Comment 3 Rob Cakebread (RETIRED) gentoo-dev 2005-06-22 09:39:13 UTC
Created attachment 61728 [details, diff]
ruby-1.8.2-utils.diff

Here are patches I made after looking at Ruby's CVS changelog. Since the bug
details are vague, I'm not sure if it fixes the problem. Please advise.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-22 10:25:56 UTC
Rob, is upstream preparing a new version to fix this? 
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-06-26 11:33:04 UTC
Rob: patch reference corresponds to the bug, looks ok to me. Please bump Ruby
with the patch, since apparently upstream is in no hurry to release a new
version for that.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-06-29 14:09:04 UTC
===========================================================
Ubuntu Security Notice USN-146-1	      June 29, 2005
ruby1.8 vulnerability
CAN-2005-1992
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

libxmlrpc-ruby1.8
ruby1.8

Details follow:

Nobuhiro IMAI discovered that the changed default value of the
Module#public_instance_methods() method broke the security protection
of XMLRPC server handlers. A remote attacker could exploit this to
execute arbitrary commands on an XMLRPC server.

Updated packages for Ubuntu 4.10:

  Source archives:
http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/ruby1.8_1.8.1+1.8.2pre2-3ubuntu0.2.diff.gz
      Size/MD5:   154525 13e3897dc3c2e5a2b8d57ea6ad63d121
    
Comment 7 Caleb Tennis (RETIRED) gentoo-dev 2005-06-30 08:50:14 UTC
After looking at the links, I'm not sure that the client.rb patch is part of 
this but, but it looks like the *-utils.diff patch IS the fix. 
Comment 8 Jean-Fran├žois Brunette (RETIRED) gentoo-dev 2005-07-08 17:11:44 UTC
Could someone bump ruby with the patch please?
Comment 9 Caleb Tennis (RETIRED) gentoo-dev 2005-07-09 09:38:49 UTC
Bumped as ruby-1.8.2-r2.ebuild  
  
Left all of the arches the same as it's a very minimal patch and is in ruby  
code which shouldn't affect anybody.  
 
ppc-macos needs to bump to stable, though. 
 
According to http://www.ruby-lang.org/en/20050701.html, the fix had already 
been put into the 1.8 branch and cvs head, so ruby-1.8.3_pre1 shouldn't be 
affected. 
Comment 10 Matthias Geerdsen (RETIRED) gentoo-dev 2005-07-09 11:52:38 UTC
thanks caleb

ppc-macos, pls test and mark ruby-1.8.2-r2.ebuild stable if possible

(going directly to glsa status, since stable keywords exist for all supported
arches)
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-07-11 07:52:08 UTC
Thx everyone, GLSA 200507-10 is out
mips / ppc-macos : please mark stable to benefit from GLSA
Comment 12 Hardave Riar (RETIRED) gentoo-dev 2005-10-01 17:37:11 UTC
Later version stable.