Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200507-10 ] Ruby: Arbitrary command execution through XML-RPC
Date: Mon, 11 Jul 2005 14:55:25
Message-Id: 42D28560.1050709@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200507-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Ruby: Arbitrary command execution through XML-RPC
Date: July 11, 2005
Bugs: #96784
ID: 200507-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in XMLRPC.iPIMethods allows remote attackers to execute
arbitrary commands.

Background
==========

Ruby is an interpreted scripting language for quick and easy
object-oriented programming. XML-RPC is a remote procedure call
protocol encoded in XML.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  dev-lang/ruby                  < 1.8.2-r2                >= 1.8.2-r2

Description
===========

Nobuhiro IMAI reported that an invalid default value in "utils.rb"
causes the security protections of the XML-RPC server to fail.

Impact
======

A remote attacker could exploit this vulnerability to execute arbitrary
commands.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Ruby users should upgrade to the latest available version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.2-r2"

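The advisory defines the vulnerable range purely by package version (dev-lang/ruby below 1.8.2-r2). The following Ruby script is an added example, not part of the GLSA or of Gentoo's tooling: it compares installed version strings against the fixed version so a fleet can be triaged before and after running the emerge commands above. It assumes the simple subset of Gentoo version syntax the advisory uses (dotted numeric components plus an optional -rN revision); the host inventory in it is constructed sample data, and FIXED_RUBY_VERSION, parse_gentoo_version, compare_gentoo_versions, vulnerable_ruby? and triage are names chosen here.

```ruby
# Added example (not part of the GLSA): decide whether an installed
# dev-lang/ruby version lies inside the "< 1.8.2-r2" vulnerable range
# named in the advisory. Assumption: only dotted numeric components plus
# an optional "-rN" Gentoo revision are handled (suffixes such as _p1 or
# _rc1 are rejected rather than guessed at).

FIXED_RUBY_VERSION = "1.8.2-r2"

# Parse "1.8.2-r2" into [[1, 8, 2], 2]; a missing revision counts as r0.
def parse_gentoo_version(ver)
  m = ver.match(/\A(\d+(?:\.\d+)*)(?:-r(\d+))?\z/)
  raise ArgumentError, "unsupported version string: #{ver.inspect}" unless m
  [m[1].split(".").map(&:to_i), (m[2] || "0").to_i]
end

# Compare two version strings: -1, 0 or 1, like <=>.
# Numeric components are compared first; the revision breaks ties.
def compare_gentoo_versions(a, b)
  na, ra = parse_gentoo_version(a)
  nb, rb = parse_gentoo_version(b)
  len = [na.length, nb.length].max
  # Pad with zeros so that 1.8 and 1.8.0 compare equal.
  cmp = (na + [0] * (len - na.length)) <=> (nb + [0] * (len - nb.length))
  cmp.zero? ? ra <=> rb : cmp
end

# True when the installed version falls in the advisory's vulnerable range.
def vulnerable_ruby?(installed, fixed = FIXED_RUBY_VERSION)
  compare_gentoo_versions(installed, fixed) < 0
end

# Triage a host => installed-version map. In practice the versions would
# come from the package manager on each host; here they are supplied by
# the caller.
def triage(inventory, fixed = FIXED_RUBY_VERSION)
  inventory.map do |host, ver|
    [host, ver, vulnerable_ruby?(ver, fixed) ? "VULNERABLE" : "ok"]
  end
end

if __FILE__ == $0
  # Constructed sample inventory, not real data.
  sample = {
    "web01"   => "1.8.2-r1",
    "web02"   => "1.8.2-r2",
    "build01" => "1.8.1",
    "dev01"   => "1.8.3",
  }
  triage(sample).each do |host, ver, status|
    puts format("%-8s %-10s %s", host, ver, status)
  end
end
```

The comparison deliberately refuses version strings it does not understand instead of treating them as safe, so an unexpected suffix shows up as an error to investigate rather than as a host silently marked "ok".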
References
==========

  [ 1 ] CAN-2005-1992
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1992
  [ 2 ] Ruby Security Announcement
        http://www.ruby-lang.org/en/20050701.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200507-10.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

Attachments: signature.asc (application/pgp-signature)