Debian Bug report logs - #398457
CVE-2006-5467: Ruby "cgi.rb" Denial of Service Vulnerability


Package: libruby1.8; Maintainer for libruby1.8 is akira yamada <akira@debian.org>; Source for libruby1.8 is src:ruby1.8.

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Mon, 13 Nov 2006 21:48:19 UTC

Severity: important

Tags: security

Fixed in version 1.8.5-3

Done: Lucas Nussbaum <lucas@lucas-nussbaum.net>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, akira yamada <akira@debian.org>:
Bug#398457; Package libruby1.8.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, akira yamada <akira@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-5467: Ruby "cgi.rb" Denial of Service Vulnerability
Date: Mon, 13 Nov 2006 22:35:57 +0100
Package: libruby1.8
Version: 1.8.5-3
Severity: grave
Tags: security
Justification: user security hole


A vulnerability has been found in ruby's cgi.rb (or rather
a previous fix was incomplete). From CVE-2006-5467:

The cgi.rb CGI library for Ruby 1.8 allows remote attackers to cause a
denial of service (infinite loop and CPU consumption) via an HTTP
request with a multipart MIME body that contains an invalid boundary
specifier, as demonstrated using a specifier that begins with a "-"
instead of "--" and contains an inconsistent ID.

See 

http://www.ruby-lang.org/en/news/2006/11/03/CVE-2006-5467/
http://secunia.com/advisories/22624 

for more info.

Please mention the CVE-id in the changelog and also check ruby 1.9.



Information forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#398457; Package libruby1.8.

Acknowledgement sent to "Antonio S. de A. Terceiro" <terceiro@softwarelivre.org>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>.

Message #10 received at 398457@bugs.debian.org:

From: "Antonio S. de A. Terceiro" <terceiro@softwarelivre.org>
To: 398457@bugs.debian.org
Subject: version 1.8.5-3 already includes patch for this issue
Date: Fri, 24 Nov 2006 14:48:00 -0300
The fix for this issue, as mentioned in
http://www.ruby-lang.org/en/news/2006/11/03/CVE-2006-5467/,  is already
included in the package:

terceiro@fork:/tmp$ export LANG=C
terceiro@fork:/tmp$ apt-get source libruby1.8
Reading package lists... Done
Building dependency tree... Done
Skipping already downloaded file 'ruby1.8_1.8.5-3.dsc'
Need to get 4522kB of source archives.
Get:1 http://ftp.br.debian.org sid/main ruby1.8 1.8.5-3 (tar) [4434kB]
Get:2 http://ftp.br.debian.org sid/main ruby1.8 1.8.5-3 (diff) [87.8kB]
Fetched 4476kB in 14s (302kB/s)
gpg: Signature made Mon Oct 30 05:19:41 2006 BRT using DSA key ID E213F1A0
gpg: Can't check signature: public key not found
dpkg-source: extracting ruby1.8 in ruby1.8-1.8.5
dpkg-source: unpacking ruby1.8_1.8.5.orig.tar.gz
dpkg-source: applying ./ruby1.8_1.8.5-3.diff.gz
terceiro@fork:/tmp$ cat ruby1.8-1.8.5/debian/patches/130_cgi_empty_content.patch
--- ruby-1.8.5/lib/cgi.rb       4 Sep 2006 07:36:49 -0000       1.68.2.17
+++ ruby-1.8.5/lib/cgi.rb       23 Sep 2006 12:47:11 -0000      1.68.2.18
@@ -1018,7 +1018,7 @@
               else
                 stdinput.read(content_length)
               end
-          if c.nil?
+          if c.nil? || c.empty?
             raise EOFError, "bad content body"
           end
           buf.concat(c)
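Review bot: the patch file starts directly at the `---` line with no description header, so nothing in 130_cgi_empty_content.patch ties the `c.nil? || c.empty?` change to CVE-2006-5467. Add a short header naming the CVE and the upstream revision (1.68.2.18), and list the patch in debian/changelog with the CVE id, as the original report requests. A one-line comment on the changed condition stating that an empty read is treated as end of input would also make the intent clear to later maintainers.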
terceiro@fork:/tmp$

The patch is not mentioned in debian/changelog, however.

-- 
Antonio S. de A. Terceiro <terceiro@softwarelivre.org>
http://people.softwarelivre.org/~terceiro/
GnuPG ID: E6F73C30
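
Why the `c.nil?` guard alone lets the reader spin, as an added example (not part of the original message and not code from cgi.rb): a simplified model of a read loop around the three patched lines, run with the old and the patched check. The loop condition, the names `read_until_boundary` and `demo`, the 16-byte buffer, the iteration cap and the sample body are assumptions constructed for illustration.

```ruby
require 'stringio'

# Simplified model of a body reader built around the three patched lines.
# Assumptions (not from cgi.rb): the loop condition, the 16-byte bufsize and
# max_iterations, a harness-only cap so the pre-patch case terminates.
def read_until_boundary(stdinput, content_length, boundary, guard, max_iterations = 1_000)
  bufsize = 16
  buf = String.new
  iterations = 0
  until buf.include?(boundary)
    iterations += 1
    return [:spinning, iterations] if iterations > max_iterations
    c = if bufsize < content_length
          stdinput.read(bufsize)
        else
          stdinput.read(content_length) # read(0) returns "", never nil
        end
    eof = guard == :nil_only ? c.nil? : (c.nil? || c.empty?)
    raise EOFError, "bad content body" if eof
    buf.concat(c)
    content_length -= c.size
  end
  [:found, iterations]
end

# Constructed sample body (24 bytes) delimited with "-abc".
BODY = "-abc\r\nname=value\r\n-abc\r\n"

def demo(boundary, guard)
  read_until_boundary(StringIO.new(BODY), BODY.bytesize, boundary, guard)
rescue EOFError => e
  [:rejected, e.message]
end

if __FILE__ == $0
  p demo("-abc", :nil_only)       # boundary present in body
  p demo("--abc", :nil_only)      # boundary never matches, old guard
  p demo("--abc", :nil_or_empty)  # boundary never matches, patched guard
end
```

Once the declared length is used up, every further `read(0)` returns an empty string rather than `nil`, so only the patched condition ends the loop.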





Tags added: pending Request was from akira yamada <akira@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#398457; Package libruby1.8.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>.

Message #17 received at 398457@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: 398457@bugs.debian.org
Subject: Re: CVE-2006-5467: Ruby "cgi.rb" Denial of Service Vulnerability
Date: Wed, 6 Dec 2006 01:53:07 -0800
severity 398457 important
thanks

The normal severity for security bugs of a DoS nature is important rather
than grave, because a DoS doesn't compromise a user's account or
information.  If the maintainer believes this bug renders the package
unreleasable, or the exploit is so trivial and widespread as to make the
package "unusable or mostly so", it would be reasonable to re-raise the
severity, but those are then reasons that have nothing to do with the
security aspect of the bug.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Severity set to `important' from `grave' Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Reply sent to Lucas Nussbaum <lucas@lucas-nussbaum.net>:
You have taken responsibility.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.

Message #24 received at 398457-done@bugs.debian.org:

From: Lucas Nussbaum <lucas@lucas-nussbaum.net>
To: "Antonio S\. de A\. Terceiro" <terceiro@softwarelivre.org>, 398457-done@bugs.debian.org
Subject: Re: Bug#398457: version 1.8.5-3 already includes patch for this issue
Date: Wed, 2 Jan 2008 15:13:51 +0100
Version: 1.8.5-3

On 24/11/06 at 14:48 -0300, Antonio S. de A. Terceiro wrote:
> The fix for this issue, as mentioned in
> http://www.ruby-lang.org/en/news/2006/11/03/CVE-2006-5467/,  is already
> included in the package:

Indeed, marking as such.

Thank you!
-- 
| Lucas Nussbaum
| lucas@lucas-nussbaum.net   http://www.lucas-nussbaum.net/ |
| jabber: lucas@nussbaum.fr             GPG: 1024D/023B3F4F |




Bug no longer marked as found in version 1.8.5-3. Request was from Lucas Nussbaum <lucas@lucas-nussbaum.net> to control@bugs.debian.org. (Thu, 20 Mar 2008 20:03:52 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 18 Apr 2008 07:33:03 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 23:51:48 2014; Machine Name: beach.debian.org