Nobuhiro IMAI has reported a vulnerability in Ruby, which potentially can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to an unspecified error in the XMLRPC module, which may be exploited to execute arbitrary commands on a vulnerable XMLRPC server.
The vulnerability has been reported in version 1.8.2. Prior versions may also be affected.
The vulnerability has been fixed in the CVS repository.
Ruby herd, please have a look...
Created attachment 61727
Created attachment 61728
Here are patches I made after looking at Ruby's CVS changelog. Since the bug
details are vague, I'm not sure if it fixes the problem. Please advise.
Rob, is upstream preparing a new version to fix this?
Rob: patch reference corresponds to the bug, looks ok to me. Please bump Ruby
with the patch, since apparently upstream is in no hurry to release a new
version for that.
Ubuntu Security Notice USN-146-1 June 29, 2005
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
The following packages are affected:
Nobuhiro IMAI discovered that the changed default value of the
Module#public_instance_methods() method broke the security protection
of XMLRPC server handlers. A remote attacker could exploit this to
execute arbitrary commands on an XMLRPC server.
Updated packages for Ubuntu 4.10:
Size/MD5: 154525 13e3897dc3c2e5a2b8d57ea6ad63d121
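The failure mode the notice describes, as an added Ruby example that is not code from Ruby's XMLRPC module or from the patches attached to this bug: a handler table built from `public_instance_methods` with its default argument picks up every inherited public method, while passing `false` limits it to the methods the handler class defines itself. Assumptions: `CalcHandler` and the three helper functions are hypothetical names, and the page does not show whether the attached patches make exactly this change.

```ruby
# Added illustration; CalcHandler and all helper names are hypothetical.
# Models a server deriving its remotely callable method table from a
# handler object via the reflection call named in USN-146-1.

class CalcHandler              # constructed sample handler
  def add(a, b); a + b; end
  def sub(a, b); a - b; end

  private

  def audit(msg); msg; end     # private: never part of the exposed set
end

# Weak form: the default argument also returns public methods inherited
# from Object and Kernel, none of which the handler author meant to export.
def exposed_with_default(obj, prefix)
  obj.class.public_instance_methods.map { |m| "#{prefix}.#{m}" }.sort
end

# Hardened form: false restricts the list to the class's own methods.
def exposed_own_only(obj, prefix)
  obj.class.public_instance_methods(false).map { |m| "#{prefix}.#{m}" }.sort
end

# Dispatcher that resolves calls only through a precomputed allowlist,
# so a name outside the handler's own methods is rejected before any call.
def build_dispatcher(obj, prefix)
  table = {}
  obj.class.public_instance_methods(false).each do |m|
    table["#{prefix}.#{m}"] = obj.method(m)
  end
  lambda do |name, *args|
    handler = table[name] or raise NoMethodError, "method #{name} not exposed"
    handler.call(*args)
  end
end

if __FILE__ == $PROGRAM_NAME
  h = CalcHandler.new
  weak = exposed_with_default(h, "calc")
  strict = exposed_own_only(h, "calc")
  puts "default argument: #{weak.size} names, #{(weak - strict).size} inherited"
  puts "own methods only: #{strict.join(', ')}"
end
```

Running the same comparison against a real handler class is a quick audit: anything in the first list but not the second is reachable only because of inheritance.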
After looking at the links, I'm not sure that the client.rb patch is part of
this bug, but it looks like the *-utils.diff patch IS the fix.
Could someone bump ruby with the patch please?
Bumped as ruby-1.8.2-r2.ebuild
Left all of the arches the same as it's a very minimal patch and is in ruby
code which shouldn't affect anybody.
ppc-macos needs to bump to stable, though.
According to http://www.ruby-lang.org/en/20050701.html, the fix had already
been put into the 1.8 branch and cvs head, so ruby-1.8.3_pre1 shouldn't be
ppc-macos, pls test and mark ruby-1.8.2-r2.ebuild stable if possible
(going directly to glsa status, since stable keywords exist for all supported
Thx everyone, GLSA 200507-10 is out
mips / ppc-macos : please mark stable to benefit from GLSA
Later version stable.