Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 96784 - dev-lang/ruby XMLRPC Server Arbitrary Command Execution (CAN-2005-1992)
Summary: dev-lang/ruby XMLRPC Server Arbitrary Command Execution (CAN-2005-1992)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Other
: High major (vote)
Assignee: Gentoo Security
Whiteboard: C1 [glsa]
Depends on:
Reported: 2005-06-22 07:10 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-10-01 17:37 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

ruby-1.8.2-client.diff (ruby-1.8.2-client.diff,2.83 KB, patch)
2005-06-22 09:37 UTC, Rob Cakebread (RETIRED)
no flags Details | Diff
ruby-1.8.2-utils.diff (ruby-1.8.2-utils.diff,979 bytes, patch)
2005-06-22 09:39 UTC, Rob Cakebread (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-22 07:10:19 UTC
Nobuhiro IMAI has reported a vulnerability in Ruby, which potentially can be exploited by malicious people to bypass certain security restrictions.
 The vulnerability is caused due to an unspecified error in the XMLRPC module, which may be exploited to execute arbitrary commands on a vulnerable XMLRPC server.
 The vulnerability has been reported in version 1.8.2. Prior versions may also be affected.

The vulnerability has been fixed in the CVS repository.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-06-22 08:42:35 UTC
Ruby herd, please have a look...
Comment 2 Rob Cakebread (RETIRED) gentoo-dev 2005-06-22 09:37:18 UTC
Created attachment 61727 [details, diff]
Comment 3 Rob Cakebread (RETIRED) gentoo-dev 2005-06-22 09:39:13 UTC
Created attachment 61728 [details, diff]

Here are patches I made after looking at Ruby's CVS changelog. Since the bug
details are vague, I'm not sure if it fixes the problem. Please advise.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-22 10:25:56 UTC
Rob, is upstream preparing a new version to fix this? 
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-06-26 11:33:04 UTC
Rob: patch reference corresponds to the bug, looks ok to me. Please bump Ruby
with the patch, since apparently upstream is in no hurry to release a new
version for that.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-06-29 14:09:04 UTC
Ubuntu Security Notice USN-146-1	      June 29, 2005
ruby1.8 vulnerability

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:


Details follow:

Nobuhiro IMAI discovered that the changed default value of the
Module#public_instance_methods() method broke the security protection
of XMLRPC server handlers. A remote attacker could exploit this to
execute arbitrary commands on an XMLRPC server.

Updated packages for Ubuntu 4.10:

  Source archives:
      Size/MD5:   154525 13e3897dc3c2e5a2b8d57ea6ad63d121
Comment 7 Caleb Tennis (RETIRED) gentoo-dev 2005-06-30 08:50:14 UTC
After looking at the links, I'm not sure that the client.rb patch is part of 
this but, but it looks like the *-utils.diff patch IS the fix. 
Comment 8 Jean-François Brunette (RETIRED) gentoo-dev 2005-07-08 17:11:44 UTC
Could someone bump ruby with the patch please?
Comment 9 Caleb Tennis (RETIRED) gentoo-dev 2005-07-09 09:38:49 UTC
Bumped as ruby-1.8.2-r2.ebuild  
Left all of the arches the same as it's a very minimal patch and is in ruby  
code which shouldn't affect anybody.  
ppc-macos needs to bump to stable, though. 
According to, the fix had already 
been put into the 1.8 branch and cvs head, so ruby-1.8.3_pre1 shouldn't be 
Comment 10 Matthias Geerdsen (RETIRED) gentoo-dev 2005-07-09 11:52:38 UTC
thanks caleb

ppc-macos, pls test and mark ruby-1.8.2-r2.ebuild stable if possible

(going directly to glsa status, since stable keywords exist for all supported
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-07-11 07:52:08 UTC
Thx everyone, GLSA 200507-10 is out
mips / ppc-macos : please mark stable to benefit from GLSA
Comment 12 Hardave Riar (RETIRED) gentoo-dev 2005-10-01 17:37:11 UTC
Later version stable.