Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 153497 - dev-lang/ruby cgi.rb is vulnerable to a remote DoS (CVE-2006-5467)
Summary: dev-lang/ruby cgi.rb is vulnerable to a remote DoS (CVE-2006-5467)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa] aetius
Depends on:
Reported: 2006-10-30 17:10 UTC by Matt Drew (RETIRED)
Modified: 2019-12-29 11:12 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Matt Drew (RETIRED) gentoo-dev 2006-10-30 17:10:01 UTC
This apparently is a rehash of bug #69985 - the fix was apparently not complete.  The new CVE is 2006-5467:
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-06 03:17:32 UTC

ruby herd, pls provide an ebuild with the patch
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-11-07 07:43:59 UTC
1.8.5-r3 in portage, have a nice day.
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-07 08:31:47 UTC
arches, please test ruby-1.8.5-r3 and mark stable if possible
Comment 4 Ferris McCormick (RETIRED) gentoo-dev 2006-11-07 10:54:40 UTC
sparc is stable, but I'm leaving it in the CC list because of also ~sparc-fbsd, which I cannot test.
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2006-11-07 10:57:40 UTC
No need for that since sparc-fbsd hasn't got any stable yet.
Comment 6 Ferris McCormick (RETIRED) gentoo-dev 2006-11-07 11:17:54 UTC
Thanks for that information.
Comment 7 Markus Meier gentoo-dev 2006-11-07 11:21:59 UTC
dev-lang/ruby-1.8.5-r3  USE="ipv6 threads -cjk -debug -doc -examples -socks5 -tk"
1. emerges on x86, please note: dodoc: MANIFEST does not exist
2. passes collision test
3. fails test suite:
  1) Failure:
test_endblockwarn(TestBeginEndBlock) [./ruby/test_beginendblock.rb:54]:
<"endblockwarn.rb:2: warning: END in method; use at_exit\n(eval):2: warning: END in method; use at_exit\n"> expected but was
<"/var/tmp/portage/ruby-1.8.5-r3/temp/TestBeginEndBlock.19074.0:6: warning: Insecure world writable dir /var/tmp, mode 041777\nendblockwarn.rb:2: warning: END in method; use at_exit\n(eval):2: warning: END in method; use at_exit\n">.

please note, if it isn't an update, a new emerge of ruby a lot of tests fail:
1575 tests, 15553 assertions, 3 failures, 50 errors
is this expected?

4. subversion with USE="ruby" emerges with it

Portage 2.1.1-r1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, i686)
System uname: i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.6
Last Sync: Tue, 07 Nov 2006 17:50:01 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
LINGUAS="en de en_GB de_CH"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib"
Comment 8 Alexander Færøy 2006-11-07 14:13:43 UTC
Stable on alpha.
Comment 9 Joshua Jackson (RETIRED) gentoo-dev 2006-11-07 21:30:32 UTC
x86 is stable, guess I should be going yay to something I use using this..actively.
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-07 23:45:11 UTC
ppc stable
Comment 11 Danny van Dyk (RETIRED) gentoo-dev 2006-11-08 11:22:38 UTC
Tests show 7 failures in 1.8.5-r3 on amd64, but latest stable (1.8.5) has the
very same failures. No regression, no reason to not mark stable.
=> amd64 love applied.

Flameeyes: Those test failures seem to be installation dependent, as it tries
a) access ruby in $ROOT, and not under the work directory,
b) complain about the work directory be insecure due to permissions.

Poke me if you want a bugreport for it.
Comment 12 René Nussbaumer (RETIRED) gentoo-dev 2006-11-13 12:10:16 UTC
stable on hppa
Comment 13 Markus Rothe (RETIRED) gentoo-dev 2006-11-15 05:01:02 UTC
ppc64 stable
Comment 14 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-15 13:17:59 UTC
lets have a GLSA for this one even though B3 would call for a vote, but there is a draft already
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-20 11:55:13 UTC
Thx everyone.

GLSA 200611-12