Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 300468 (CVE-2009-4492) - <dev-lang/ruby-{1.8.6_p388, 1.8.7_p249, 1.9.1_p378} webrick missing terminal escaping (CVE-2009-4492)
Summary: <dev-lang/ruby-{1.8.6_p388, 1.8.7_p249, 1.9.1_p378} webrick missing terminal ...
Status: RESOLVED FIXED
Alias: CVE-2009-4492
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal
Assignee: Gentoo Security
URL: http://www.ruby-lang.org/en/news/2010...
Whiteboard: 1.8.x: A3? [glsa] 1.9.x.: ~3? [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-01-10 16:49 UTC by Alex Legler (RETIRED)
Modified: 2010-05-01 10:36 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2010-01-10 16:49:57 UTC
From $URL:
A vulnerability was found on WEBrick, a part of Ruby's standard library. WEBrick lets attackers to inject malicious escape sequences to its logs, making it possible for dangerous control characters to be executed on a victim's terminal emulator.
[...]
Terminal escape sequences are used to allow various forms of interaction between a terminal and a inside process. The problem is that those sequences are not intended to be issued by untrusted sources; such as network inputs. So if a remote attacker could inject escape sequences into WEBrick logs, and a victim happen to consult them through his/her terminal, the attacker could take advantages of various weaknesses in terminal emulators.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-01-10 22:08:41 UTC
Arches, please test and mark stable:
=app-admin/eselect-ruby-20091225
=dev-lang/ruby-1.8.6_p388
=dev-lang/ruby-1.8.7_p249
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2010-01-11 13:12:44 UTC
x86 stable
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2010-01-11 13:15:03 UTC
x86 stable
Comment 4 Brent Baude (RETIRED) gentoo-dev 2010-01-11 16:10:42 UTC
ppc and ppc64 done
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2010-01-12 17:57:13 UTC
Stable for HPPA.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2010-01-13 19:26:39 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-01-13 19:37:31 UTC
amd64 stable
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-13 19:50:20 UTC
YES.
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-01-13 20:41:29 UTC
Removed vulnerable ebuilds, GLSA draft filed.
Comment 10 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-01-14 07:49:26 UTC
CVE-2009-4492 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4492):
  WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through
  patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev
  writes data to a log file without sanitizing non-printable
  characters, which might allow remote attackers to modify a window's
  title, or possibly execute arbitrary commands or overwrite files, via
  an HTTP request containing an escape sequence for a terminal emulator.

Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-01-14 15:08:17 UTC
GLSA 201001-09 for Ruby 1.8.x.

Ruby 1.9.1 is hardmasked and suffering from a regression that needs to be addressed. Keeping the bug open until it is fixed.
Comment 12 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-05-01 10:36:34 UTC
1.9.1-p376 is in the tree.
1.9.x is masked and was never stable. Closing.