Bug 62886 (CVE-2004-0983)

Summary: VUL-0: CVE-2004-0983: DoS in ruby cgi lib
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Matthias Eckermann <mge>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: mge, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0983: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: ruby.patch.maintained, ruby.patch.box

Description Ludwig Nussel 2004-11-03 18:29:11 UTC
We received the following report via vendor-sec.
The issue is public.

Date: Wed, 3 Nov 2004 09:20:37 +0100
From: Martin Schulze <joey@infodrom.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2004-0983: Denial of service in Ruby

Moin everybody!

I don't know if some of you are also shipping a version of ruby
in your distributions.  We have received a report that the upstream
developers have corrected a problem that could be triggered remotely
and cause an infinite loop on the server, since it's the CGI module.

The patch is here:
http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/lib/cgi.rb?cvsroot=src&r1=1.23.2.17&r2=1.23.2.18

This problem is semi-public already (upstream cvs, Debian packages),
it may not be too useful to try a coordinated release, but if you
would like to, I could postpone the advisory a bit.

Regards,

Joey
Comment 1 Matthias Eckermann 2004-11-03 18:51:10 UTC
We ship 1.8.1, and the submitted patch seems weird, ...
Reducing severity to "normal" and will have a look later, ...
Comment 2 Ludwig Nussel 2004-12-10 01:19:13 UTC
How much later is later?
Comment 3 Matthias Eckermann 2004-12-13 23:28:37 UTC
Between Christmas and Sylvester,
when I have more time.
sorry.

so short
MgE
Comment 4 Matthias Eckermann 2005-01-03 19:44:16 UTC
Ludwig and Security-Team:
I use the code of ruby-1.8.2 (which came as a Christmas gift)
for lib/cgi.rb and lib/cgi/session.rb.
Do you think updated packages for SL 9.1, SL 9.2 and CORE9 are necessary?
Otherwise I would only provide it to STABLE.
Comment 5 Ludwig Nussel 2005-01-03 21:52:43 UTC
Well, apparently ruby is considered important enough for SLES, so I would
assume that there are indeed people who use it on productive systems and are
waiting for a patch.
Comment 6 Matthias Eckermann 2005-01-04 19:43:45 UTC
As discussed on the phone: patch for 9.1, 9.2, CORE9 is ready
(it's all based on ruby-1.8.1);
will look for SLES8-series (incl. 8.1, 8.2, SLES8, ...) tomorrow
and then commit everything.
Comment 7 Matthias Eckermann 2005-01-05 22:59:26 UTC
We have the following ruby-versions:
./8.1/ruby-1.6.7.tar.bz2
./sles8/ruby-1.6.7.tar.bz2
./8.2/ruby-1.6.8.tar.bz2
./9.0/ruby-1.8.0.tar.bz2
./9.1/ruby-1.8.1.tar.bz2
./9.2/ruby-1.8.1.tar.bz2
./sles9/ruby-1.8.1.tar.bz2
For that, I propose to provide fixes for 8.1, sles8 (1.6.7) and
9.1, 9.2, sles9 (1.8.1) and to put 1.8.2 into STABLE.
We should also provide a 1.8.1 package for 9.0.

I would prefer to update 8.1, sles8 (+8.2, 9.0) to 1.8.1 as well,
but that breaks maintenance in sles8 :-(

What do you think? MgE
Comment 8 Thomas Biege 2005-01-10 21:26:40 UTC
Only the PM of 9.0 can decide about it. The default rule is to patch and not
to upgrade the version.

Please ask them/him/her about a version upgrade clearance.
Comment 9 Matthias Eckermann 2005-01-10 21:33:10 UTC
Well, on 2005-01-05 I submitted patches for all the above distributions
within their current version/release, i.e.:
./8.1/ruby-1.6.7.tar.bz2
./sles8/ruby-1.6.7.tar.bz2
./8.2/ruby-1.6.8.tar.bz2
./9.0/ruby-1.8.0.tar.bz2
./9.1/ruby-1.8.1.tar.bz2
./9.2/ruby-1.8.1.tar.bz2
./sles9/ruby-1.8.1.tar.bz2
I'm not happy about that, but well, ... :-(
But I decided to stay with ruby-1.8.1 (patched)
for STABLE (will be 9.3, right?) at the moment, so that we
have the same status for 9.1/SLES9 -> 9.3.

Agreed?
Comment 10 Ludwig Nussel 2005-01-11 23:34:49 UTC
swampid: 114
Comment 11 Ludwig Nussel 2005-01-12 18:58:37 UTC
Created attachment 27587 [details]
ruby.patch.maintained
Comment 12 Ludwig Nussel 2005-01-12 18:58:50 UTC
Created attachment 27588 [details]
ruby.patch.box
Comment 13 Marcus Meissner 2005-02-10 19:55:33 UTC
Updated packages released.
Comment 14 Thomas Biege 2009-10-13 19:57:56 UTC
CVE-2004-0983: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)