69985 – dev-lang/ruby: CGI DoS issue (CAN-2004-0983)

Bug 69985 - dev-lang/ruby: CGI DoS issue (CAN-2004-0983)

Summary: dev-lang/ruby: CGI DoS issue (CAN-2004-0983)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All All

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa] jaervosz
Keywords:

Depends on:
Blocks:

Reported:	2004-11-03 15:33 UTC by Kurt Lieber (RETIRED)
Modified:	2007-06-24 23:36 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Kurt Lieber (RETIRED) gentoo-dev

2004-11-03 15:33:49 UTC

marking this as private for now.  
-----Forwarded Message-----
From: Martin Schulze <joey@infodrom.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2004-0983: Denial of service in Ruby
Date: Wed, 03 Nov 2004 09:20:37 +0100

Moin everybody!

I don't know if some of you are also shipping a version of ruby
in your distributions.  We have received a report that the upstream
developers have corrected a problem that could be triggered remotely
and cause an infinite loop on the server, since it's the CGI module.

The patch is here:
http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/lib/cgi.rb?cvsroot=src&r1=1.23.2.17&r2=1.23.2.18

This problem is semi-public already (upstream cvs, Debian packages),
it may not be too useful to try a coordinated release, but if you
would like to, I could postpone the advisory a bit.

Comment 1 Kurt Lieber (RETIRED) gentoo-dev

2004-11-03 15:35:04 UTC

ruby folks, could you please have a look at this?  Adding usata as an explicit CC since I'm not sure he can see the bug, otherwise.

Comment 2 Kurt Lieber (RETIRED) gentoo-dev

2004-11-04 04:55:50 UTC

Adding xavier so he can see the bug.

Comment 3 Mamoru KOMACHI (RETIRED) gentoo-dev

2004-11-04 06:32:30 UTC

I'll look into this problem (I get bugzilla mail from ruby alias).

Comment 4 solar (RETIRED) gentoo-dev

2004-11-04 09:05:42 UTC

But now you can't see this bug or comment here anymore.

Comment 5 Thierry Carrez (RETIRED) gentoo-dev

2004-11-05 05:24:45 UTC

Putting individual names rather than aliases.

Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-11-08 22:36:56 UTC

Debian published http://www.debian.org/security/2004/dsa-586. 

Ruby please provide a fixed ebuild.

Comment 7 Mamoru KOMACHI (RETIRED) gentoo-dev

2004-11-09 08:17:33 UTC

Thanks for readding me to this bug (I was not aware
that I was not able to revisit security bug).

I added ruby-1.6.8-r12 on 5 Nov, and agriffis added 
ruby-1.8.2_pre3 yesterday. Both versions contain the
fix by ruby upstream. I could make patched revisions
of <=ruby-1.8.2_pre2, but I would rather ask arch
devs to test 1.6.8-r12 and ruby-1.8.2_pre3 and mark
them stable.

Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-11-09 10:58:38 UTC

Arches please mark ruby-1.6.8-r1 and ruby-1.8.2_pre3 stable.

Comment 9 Markus Rothe (RETIRED) gentoo-dev

2004-11-09 11:33:58 UTC

I cannot mark stable on ppc64: Won't compile:  [...] ./mkconfig.rb:142: syntax error [...]  Markus

Comment 10 Mamoru KOMACHI (RETIRED) gentoo-dev

2004-11-09 12:33:21 UTC

Do you have cjk in USE?

Comment 11 Ferris McCormick (RETIRED) gentoo-dev

2004-11-09 12:36:47 UTC

1.8.2_pre3 stable for sparc.  I cannot comment on 1.6.8-r1.

Comment 12 Simon Stelling (RETIRED) gentoo-dev

2004-11-09 12:59:18 UTC

1.8.2_pre3 and 1.6.8-r12 stable on amd64

Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-11-09 23:08:39 UTC

This is keyworded for ppc-macos, but that's not the arch alias. CC'ing kito and ndimiduk

Comment 14 Jochen Maes (RETIRED) gentoo-dev

2004-11-09 23:39:01 UTC

stable on ppc (both)

greets

Comment 15 Bryan Østergaard (RETIRED) gentoo-dev

2004-11-10 01:42:34 UTC

Stable on alpha.

Comment 16 Markus Rothe (RETIRED) gentoo-dev

2004-11-10 05:51:14 UTC

mhh.. mysterious.. I cannot reprocedure that error again. dev-lang/ruby-1.8.2_pre3 is now stable on ppc64.

Comment 17 Kito (RETIRED) gentoo-dev

2004-11-10 08:34:15 UTC

stable on ppc-macos.

Comment 18 Ferris McCormick (RETIRED) gentoo-dev

2004-11-11 05:06:31 UTC

1.6.8-r12 is also stable for sparc.  Builds, installs, and runs test cases as expected.

Comment 19 Olivier Crete (RETIRED) gentoo-dev

2004-11-11 07:34:44 UTC

x86 there

Comment 20 Matthias Geerdsen (RETIRED) gentoo-dev

2004-11-11 07:37:51 UTC

security, pls vote on GLSA (since this is rated B3)

/me votes for a GLSA

at least Debian, Mandrake and Ubuntu have published advisories already

Comment 21 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-11-11 08:20:31 UTC

I vote for a GLSA too.

Comment 22 Hardave Riar (RETIRED) gentoo-dev

2004-11-14 23:22:17 UTC

Stable on mips.

Comment 23 Thierry Carrez (RETIRED) gentoo-dev

2004-11-15 02:01:46 UTC

I vote YES too

Comment 24 Thierry Carrez (RETIRED) gentoo-dev

2004-11-16 02:01:03 UTC

GLSA 200411-23
arm hppa ia64: please mark stable to benefit from GLSA

Comment 25 Thierry Carrez (RETIRED) gentoo-dev

2004-11-16 02:03:40 UTC

s390 should also mark 1.8.2_pre3 stable

Ruby team : please clean up old vulnerable versions...