Bug 212264 (CVE-2008-1145) - dev-lang/ruby <1.8.6_p114 NondisclosureName discloses files on case-insensitive FS (CVE-2008-1145)
Status: RESOLVED FIXED
Alias: CVE-2008-1145
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.ruby-lang.org/en/news/2008...
Whiteboard: C3 [noglsa]
Reported: 2008-03-04 11:35 UTC by Robert Buchholz (RETIRED)
Modified: 2020-04-06 21:01 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-04 11:35:13 UTC
WEBrick, a standard library of Ruby to implement HTTP servers, does a case-sensitive match on the :NondisclosureName patterns when accessing files, which will (in the default configuration) disclose files whose names match [".ht*", "*~"] on case-insensitive filesystems (FAT, NTFS, HFS).

Fixed in:
  1.8.5-p115
  1.8.6-p114

Patch for 1.9:
  ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-1-webrick-vulnerability-fix.diff
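The flaw described above, modelled as an added example (this is not WEBrick's code and not the upstream patch): a request for ".HTACCESS" passes a case-sensitive fnmatch against ".ht*", but a case-insensitive filesystem then opens ".htaccess" anyway. The hardened check folds case with File::FNM_CASEFOLD; that this is exactly what the referenced fix does is an assumption of the example, not something this page shows. The document root and its file contents are constructed in memory.

```ruby
# Added example modelling CVE-2008-1145; not WEBrick's own code.
# WEBrick's file handler refuses to serve names matching the
# :NondisclosureName patterns (default [".ht*", "*~"]). If that match is
# case-sensitive while the filesystem is not, the check can be bypassed.

DEFAULT_NONDISCLOSURE = [".ht*", "*~"].freeze

# Case-sensitive match, as the vulnerable releases behaved.
def vulnerable_nondisclosure?(name, patterns = DEFAULT_NONDISCLOSURE)
  patterns.any? { |pat| File.fnmatch(pat, name) }
end

# Hardened match: fold case so the check agrees with a case-insensitive
# filesystem. (Assumption of this example: the upstream fix does the same.)
def hardened_nondisclosure?(name, patterns = DEFAULT_NONDISCLOSURE)
  patterns.any? { |pat| File.fnmatch(pat, name, File::FNM_CASEFOLD) }
end

# Constructed in-memory document root; keys are the real on-disk names.
DOCROOT = {
  "index.html" => "<html>hello</html>",
  ".htaccess"  => "AuthUserFile /srv/www/.htpasswd",
  "config.rb~" => "DB_PASSWORD = 'hunter2'",
}.freeze

# Simulated open(): a case-insensitive FS (FAT, NTFS, HFS+) resolves the
# requested name ignoring case; a case-sensitive FS requires an exact match.
def open_file(docroot, name, case_insensitive:)
  if case_insensitive
    key = docroot.keys.find { |k| k.casecmp?(name) }
    key && docroot[key]
  else
    docroot[name]
  end
end

# Minimal model of the servlet's decision: apply the nondisclosure check to
# the requested name, then open it. Returns :forbidden, :not_found, or the
# file body (a body for a nondisclosure file is the disclosure).
def serve(name, docroot: DOCROOT, case_insensitive:, checker:)
  return :forbidden if checker.call(name)
  body = open_file(docroot, name, case_insensitive: case_insensitive)
  body.nil? ? :not_found : body
end

if __FILE__ == $0
  checkers = {
    "vulnerable" => method(:vulnerable_nondisclosure?),
    "hardened"   => method(:hardened_nondisclosure?),
  }
  %w[.htaccess .HTACCESS Config.RB~ index.html].each do |req|
    checkers.each do |label, chk|
      result = serve(req, case_insensitive: true, checker: chk)
      puts "#{req.ljust(11)} #{label.ljust(10)} -> #{result.inspect}"
    end
  end
end
```

Note that the "*~" default is not bypassable this way: "*" matches any character regardless of case, so only patterns containing literal letters (".ht*") are affected. On a case-sensitive filesystem the same ".HTACCESS" request simply returns not-found, which is why the original report limits the impact to FAT, NTFS and HFS.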
Comment 1 Richard Brown (RETIRED) gentoo-dev 2008-03-05 11:38:03 UTC
dev-lang/ruby-1.8.6_p114 is now in the tree, I've removed 1.8.5 and 1.8.4
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 11:50:08 UTC
Thanks, Richard.

Arches, please test and mark stable:
=dev-lang/ruby-1.8.6_p114
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release s390 sh sparc x86"
Comment 3 Brent Baude (RETIRED) gentoo-dev 2008-03-05 14:04:14 UTC
ppc64 done
Comment 4 Ferris McCormick (RETIRED) gentoo-dev 2008-03-05 14:11:19 UTC
Sparc stable.  So far, all as expected.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-05 18:01:46 UTC
x86 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-03-05 18:19:47 UTC
alpha/ia64 stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-05 20:37:30 UTC
ppc stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2008-03-06 11:57:20 UTC
Stable for HPPA.
Comment 9 Steve Dibb (RETIRED) gentoo-dev 2008-03-06 13:45:18 UTC
amd64 stable
Comment 10 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 18:20:44 UTC
Fixed in release snapshot.
Comment 11 Tomas Hoger 2008-03-10 08:10:54 UTC
CVE-2008-1145 was assigned to this issue.
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2008-03-11 18:30:49 UTC
All supported arches done, ready for vote.

I vote NO.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-11 21:47:55 UTC
No too, and closing.