Bug 219085 (CVE-2008-1891) - dev-lang/ruby NTFS/FAT file disclosure (CVE-2008-1891)
Summary: dev-lang/ruby NTFS/FAT file disclosure (CVE-2008-1891)
Status: RESOLVED FIXED
Alias: CVE-2008-1891
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://aluigi.altervista.org/adv/webr...
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 225465
Blocks:
Reported: 2008-04-23 22:09 UTC by Robert Buchholz (RETIRED)
Modified: 2009-03-04 19:09 UTC
See Also:
Package list:
Runtime testing required: ---
Description Robert Buchholz (RETIRED) gentoo-dev 2008-04-23 22:09:05 UTC
CVE-2008-1891 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1891):
  Directory traversal vulnerability in WEBrick in Ruby 1.9.0 and earlier, when
  using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI
  files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4)
  %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly
  related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new
  functionality and the :DocumentRoot option.
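The NVD text above describes the bug: on NTFS/FAT a trailing dot, space or plus (raw or percent-encoded) is dropped when the file is opened, so a request for `hello.cgi.` reaches `hello.cgi` on disk without matching the `.cgi` handler, and the script source is served instead of run. The check below is an added example, not WEBrick's fix and not code from this bug report: it percent-decodes a request path and refuses the suffixes the advisory lists, then runs that check over constructed access-log lines to show how such requests would be flagged. All function names and the log lines are assumptions for illustration.

```ruby
# Percent-decode %XX sequences only. "+" is deliberately left as a literal
# plus so that a trailing "+" (also listed in the advisory) stays visible.
def decode_path(path)
  path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Suffix characters that NTFS/FAT drop when resolving a file name, so a
# request carrying them bypasses an extension-based handler lookup.
TRAILING_JUNK = /[ .+]+\z/

# True when the request path may be served; false when its last segment
# (after decoding, query string removed) ends in a dot, space or plus.
def safe_path?(request_path)
  path_only = request_path.split('?', 2).first.to_s
  last = decode_path(path_only).split('/').last.to_s
  return true if last.empty?          # "/" or "/dir/": directory index, no file name
  !(last =~ TRAILING_JUNK)
end

# Constructed sample access-log lines (not real traffic), common log format.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [23/Apr/2008:22:09:05 +0000] "GET /cgi-bin/hello.cgi HTTP/1.1" 200 512
  10.0.0.9 - - [23/Apr/2008:22:10:11 +0000] "GET /cgi-bin/hello.cgi%2e HTTP/1.1" 200 1840
  10.0.0.9 - - [23/Apr/2008:22:10:12 +0000] "GET /cgi-bin/hello.cgi+ HTTP/1.1" 200 1840
  10.0.0.7 - - [23/Apr/2008:22:11:00 +0000] "GET /index.html HTTP/1.1" 200 99
LOG

# Return the raw request paths in the log that the check would refuse;
# a 200 on such a path from a server on FAT/NTFS is worth investigating.
def flagged_paths(log_text)
  log_text.each_line.map do |line|
    path = line[/"(?:GET|POST|HEAD) (\S+) HTTP/, 1]
    path if path && !safe_path?(path)
  end.compact
end

if __FILE__ == $0
  flagged_paths(SAMPLE_LOG).each { |p| puts "suspicious request path: #{p}" }
end
```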
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-04-23 22:34:12 UTC
Serving files off of FAT32 is just bad, but I believe we should handle this as a low priority issue.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-04 19:09:05 UTC
This issue was fixed a long time ago and probably should have been included in GLSA 200812-17.
However, taking rbu's statement into consideration, I certainly think this is not worth an extra GLSA either, so closing as noglsa.