Debian Bug report logs - #315064
libruby1.8: arbitrary command execution on XMLRPC server

Package: libruby1.8; Maintainer for libruby1.8 is akira yamada <akira@debian.org>; Source for libruby1.8 is src:ruby1.8.

Reported by: Nobuhiro IMAI <nov@yo.rim.or.jp>

Date: Mon, 20 Jun 2005 11:18:09 UTC

Severity: grave

Tags: fixed-upstream, security

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to akira yamada <akira@debian.org>:
Bug#315064; Package libruby1.8.

Acknowledgement sent to Nobuhiro IMAI <nov@yo.rim.or.jp>:
New Bug report received and forwarded. Copy sent to akira yamada <akira@debian.org>.

Message #5 received at maintonly@bugs.debian.org:

From: Nobuhiro IMAI <nov@yo.rim.or.jp>
To: Debian Ruby Maintainers <maintonly@bugs.debian.org>
Subject: libruby1.8: arbitrary command execution on XMLRPC server
Date: Mon, 20 Jun 2005 20:16:25 +0900 (JST)
[Message part 1 (text/plain, inline)]
Package: libruby1.8
Version: 1.8.2-7
Severity: grave
Tags: security fixed-upstream

Please consider this issue[1]. It has already been fixed in upstream
CVS r1.4[2][3]; however, I don't have a clear idea whether I should
treat this issue as a security issue or as a normal (but grave ;) bug
within Debian, so I'm sending this report to maintonly@bugs for now.
If this should be treated as a security issue, please do so, or let me
know what I can do. In any case, I'd like new packages to be uploaded
to security.d.o's sarge/updates (or similar) as well.

 1. http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/5237
 2. http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/lib/xmlrpc/utils.rb.diff?r1=1.3;r2=1.4
 3. libruby1.9 (1.9.0+20050412-3) is also problematic.


Regards,
--
Nobuhiro IMAI <nov@yo.rim.or.jp>
Key fingerprint = F39E D552 545D 7C64 D690  F644 5A15 746C BD8E 7106
[Message part 2 (application/pgp-signature, inline)]
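The report above names the defect (arbitrary command execution through the Ruby XML-RPC server) and points at the upstream utils.rb r1.4 diff, but the page does not reproduce that diff. The following is an added illustration, not code from ruby1.8 or from this bug log: a minimal method-table builder in the style of the XMLRPC::Service handler interfaces in lib/xmlrpc/utils.rb. It assumes (from the r1.4 change as this editor understands it) that the fix narrowed the exported method list from every public method the handler object inherits to only the methods defined on the handler's own class, i.e. public_instance_methods(false). The Calculator class, the "calc" prefix, and the export_methods/dispatch helper names are constructed for this example.

```ruby
# Added example (not ruby1.8 code): why exporting an object's *inherited*
# public methods over XML-RPC is remote code execution.
#
# Assumption: the upstream r1.4 fix to lib/xmlrpc/utils.rb restricted the
# exported names to the handler class's own methods
# (public_instance_methods(false)) instead of all inherited public methods.

# Constructed handler class a server would register under a prefix.
class Calculator
  def add(a, b); a + b; end
  def sub(a, b); a - b; end
end

# Build a "prefix.name" => callable table the way a public-instance-methods
# handler interface does. inherited: true reproduces the weak behaviour:
# every public method the object responds to, including those inherited
# from Object/Kernel/BasicObject such as instance_eval and send.
def export_methods(obj, prefix, inherited:)
  names = if inherited
            obj.class.public_instance_methods        # weak: inherited too
          else
            obj.class.public_instance_methods(false) # hardened: own methods only
          end
  names.each_with_object({}) do |name, table|
    table["#{prefix}.#{name}"] = obj.method(name).to_proc
  end
end

# Simulated dispatch of a decoded XML-RPC methodCall: a name that is not in
# the table yields nil (where a real server would return a fault).
def dispatch(table, method_name, *params)
  callable = table[method_name]
  return nil unless callable
  callable.call(*params)
end

def exposed?(table, method_name)
  table.key?(method_name)
end

WEAK     = export_methods(Calculator.new, "calc", inherited: true)
HARDENED = export_methods(Calculator.new, "calc", inherited: false)

if __FILE__ == $0
  puts "weak table exports #{WEAK.size} names, hardened table #{HARDENED.size}"
  puts "weak exposes calc.instance_eval: #{exposed?(WEAK, 'calc.instance_eval')}"
  puts "weak exposes calc.send:          #{exposed?(WEAK, 'calc.send')}"
  # With the weak table the remote caller controls the string handed to
  # instance_eval, so it runs arbitrary Ruby inside the server process;
  # "6*7" stands in for whatever the attacker would actually send.
  puts "weak   calc.instance_eval('6*7') => #{dispatch(WEAK, 'calc.instance_eval', '6*7').inspect}"
  puts "hard   calc.instance_eval('6*7') => #{dispatch(HARDENED, 'calc.instance_eval', '6*7').inspect}"
  puts "hard   calc.add(2, 3)            => #{dispatch(HARDENED, 'calc.add', 2, 3).inspect}"
end
```

The hardened table contains only calc.add and calc.sub; anything reachable solely because Calculator inherits from Object is no longer addressable by a remote method name. On the Debian side, the log below records the fix as ruby1.8 1.8.2-7sarge1 for sarge and marks the bug fixed in 1.8.4-2.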

Reply sent to akira yamada <akira@debian.org>:
You have taken responsibility.

Notification sent to Nobuhiro IMAI <nov@yo.rim.or.jp>:
Bug acknowledged by developer.

Message #10 received at 315064-close@bugs.debian.org:

From: akira yamada <akira@debian.org>
To: 315064-close@bugs.debian.org
Subject: Bug#315064: fixed in ruby1.8 1.8.2-7sarge1
Date: Sun, 10 Jul 2005 09:32:05 -0400
Source: ruby1.8
Source-Version: 1.8.2-7sarge1

We believe that the bug you reported is fixed in the latest version of
ruby1.8, which is due to be installed in the Debian FTP archive:

irb1.8_1.8.2-7sarge1_all.deb
  to pool/main/r/ruby1.8/irb1.8_1.8.2-7sarge1_all.deb
libdbm-ruby1.8_1.8.2-7sarge1_i386.deb
  to pool/main/r/ruby1.8/libdbm-ruby1.8_1.8.2-7sarge1_i386.deb
libgdbm-ruby1.8_1.8.2-7sarge1_i386.deb
  to pool/main/r/ruby1.8/libgdbm-ruby1.8_1.8.2-7sarge1_i386.deb
libopenssl-ruby1.8_1.8.2-7sarge1_i386.deb
  to pool/main/r/ruby1.8/libopenssl-ruby1.8_1.8.2-7sarge1_i386.deb
libreadline-ruby1.8_1.8.2-7sarge1_i386.deb
  to pool/main/r/ruby1.8/libreadline-ruby1.8_1.8.2-7sarge1_i386.deb
libruby1.8-dbg_1.8.2-7sarge1_i386.deb
  to pool/main/r/ruby1.8/libruby1.8-dbg_1.8.2-7sarge1_i386.deb
libruby1.8_1.8.2-7sarge1_i386.deb
  to pool/main/r/ruby1.8/libruby1.8_1.8.2-7sarge1_i386.deb
libtcltk-ruby1.8_1.8.2-7sarge1_i386.deb
  to pool/main/r/ruby1.8/libtcltk-ruby1.8_1.8.2-7sarge1_i386.deb
rdoc1.8_1.8.2-7sarge1_all.deb
  to pool/main/r/ruby1.8/rdoc1.8_1.8.2-7sarge1_all.deb
ri1.8_1.8.2-7sarge1_all.deb
  to pool/main/r/ruby1.8/ri1.8_1.8.2-7sarge1_all.deb
ruby1.8-dev_1.8.2-7sarge1_i386.deb
  to pool/main/r/ruby1.8/ruby1.8-dev_1.8.2-7sarge1_i386.deb
ruby1.8-elisp_1.8.2-7sarge1_all.deb
  to pool/main/r/ruby1.8/ruby1.8-elisp_1.8.2-7sarge1_all.deb
ruby1.8-examples_1.8.2-7sarge1_all.deb
  to pool/main/r/ruby1.8/ruby1.8-examples_1.8.2-7sarge1_all.deb
ruby1.8_1.8.2-7sarge1.diff.gz
  to pool/main/r/ruby1.8/ruby1.8_1.8.2-7sarge1.diff.gz
ruby1.8_1.8.2-7sarge1.dsc
  to pool/main/r/ruby1.8/ruby1.8_1.8.2-7sarge1.dsc
ruby1.8_1.8.2-7sarge1_i386.deb
  to pool/main/r/ruby1.8/ruby1.8_1.8.2-7sarge1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 315064@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
akira yamada <akira@debian.org> (supplier of updated ruby1.8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri,  8 Jul 2005 19:26:04 +0900
Source: ruby1.8
Binary: libtcltk-ruby1.8 libruby1.8-dbg rdoc1.8 libgdbm-ruby1.8 ruby1.8-dev ruby1.8-elisp ruby1.8-examples libdbm-ruby1.8 irb1.8 ruby1.8 libreadline-ruby1.8 libopenssl-ruby1.8 libruby1.8 ri1.8
Architecture: source i386 all
Version: 1.8.2-7sarge1
Distribution: stable-security
Urgency: high
Maintainer: akira yamada <akira@debian.org>
Changed-By: akira yamada <akira@debian.org>
Description: 
 irb1.8     - Interactive Ruby (for Ruby 1.8)
 libdbm-ruby1.8 - DBM interface for Ruby 1.8
 libgdbm-ruby1.8 - GDBM interface for Ruby 1.8
 libopenssl-ruby1.8 - OpenSSL interface for Ruby 1.8
 libreadline-ruby1.8 - Readline interface for Ruby 1.8
 libruby1.8 - Libraries necessary to run Ruby 1.8
 libruby1.8-dbg - Debugging libraries for Ruby 1.8
 libtcltk-ruby1.8 - Tcl/Tk interface for Ruby 1.8
 rdoc1.8    - Generate documentation from Ruby source files (for Ruby 1.8)
 ri1.8      - Ruby Interactive reference (for Ruby 1.8)
 ruby1.8    - Interpreter of object-oriented scripting language Ruby 1.8
 ruby1.8-dev - Header files for compiling extension modules for the Ruby 1.8
 ruby1.8-elisp - ruby-mode for Emacsen
 ruby1.8-examples - Examples for Ruby 1.8
Closes: 315064
Changes: 
 ruby1.8 (1.8.2-7sarge1) stable-security; urgency=high
 .
   * akira yamada <akira@debian.org>
   - added debian/patches/802_xmlrpc_util.rb.patch:
       - (urgency high) fixed arbitrary command execution on XMLRPC server.
         CAN-2005-1992 [ruby-core:5237] (closes: #315064)
Files: 
 d14377473cdeb0a26538b6137faa5c66 1024 interpreters optional ruby1.8_1.8.2-7sarge1.dsc
 25de3bdf1775f90246f76e50a6aba24a 529167 interpreters optional ruby1.8_1.8.2-7sarge1.diff.gz
 09a9272d40c33d8405609c0e0ce9f6ff 151160 interpreters optional ruby1.8_1.8.2-7sarge1_i386.deb
 1ee770bca87a88e399c8c4f77a3ccfdf 1349126 libs optional libruby1.8_1.8.2-7sarge1_i386.deb
 1c4eacc0d440daf346b9840ff4906a02 757634 libdevel extra libruby1.8-dbg_1.8.2-7sarge1_i386.deb
 5ff7f6069562d4552425b42d5f36a44b 621934 devel optional ruby1.8-dev_1.8.2-7sarge1_i386.deb
 e3bd1cfa5f649d7a20bb51ef66a348de 134530 interpreters optional libdbm-ruby1.8_1.8.2-7sarge1_i386.deb
 9d2429dc457718bd993150d535b72992 135784 interpreters optional libgdbm-ruby1.8_1.8.2-7sarge1_i386.deb
 3b90f35710b1f797ca33ec942bbdc061 131534 interpreters optional libreadline-ruby1.8_1.8.2-7sarge1_i386.deb
 16ebd5860eb7ce78e2c5207269abd1ae 1439660 interpreters optional libtcltk-ruby1.8_1.8.2-7sarge1_i386.deb
 3b87ea10a0cc9caebc2fdb6b57298dae 224488 interpreters optional libopenssl-ruby1.8_1.8.2-7sarge1_i386.deb
 b08d57bed7996624c1a601e866329fc0 216196 interpreters optional ruby1.8-examples_1.8.2-7sarge1_all.deb
 bcf34b40ab001265127728099452f800 142196 interpreters optional ruby1.8-elisp_1.8.2-7sarge1_all.deb
 f9004f2fedac63615c50bf6dab046fda 704400 interpreters optional ri1.8_1.8.2-7sarge1_all.deb
 47a6c5a62e9f73f4a34d04824874bc99 234004 doc optional rdoc1.8_1.8.2-7sarge1_all.deb
 60511fe4d9427eaf5a1d8df2ecba2e36 166072 interpreters optional irb1.8_1.8.2-7sarge1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCzln5XzkxpuIT8aARAglLAJ9RWfpmOXwmhiwKF75KoJ/nY+qzIACcC6zy
PbjLNtbjkD4SdQtEK1Nb1qo=
=/bpB
-----END PGP SIGNATURE-----




Bug marked as fixed in version 1.8.4-2; send any further explanations to Nobuhiro IMAI <nov@yo.rim.or.jp>. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Bug reassigned from package `libruby1.8' to `libruby1.8'. Request was from Filipus Klutiero <chealer@vif.com> to control@bugs.debian.org.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 12:45:44 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 23:50:42 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.