Bug 95366 (CVE-2005-1992)

Summary: VUL-0: CVE-2005-1992: ruby XML RPC remote command execution
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Biege <thomas>
Component: IncidentsAssignee: Matthias Eckermann <mge>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: mge, patch-request, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: All   
URL: http://secunia.com/advisories/15767/
Whiteboard: CVE-2005-1992: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Biege 2005-07-06 11:48:57 UTC 
Hello Matthias,
here we go...

==========================================================
Ubuntu Security Notice USN-146-1              June 29, 2005
ruby1.8 vulnerability
CAN-2005-1992
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

libxmlrpc-ruby1.8
ruby1.8

The problem can be corrected by upgrading the affected package to
version 1.8.1+1.8.2pre2-3ubuntu0.2 (for Ubuntu 4.10), or
1.8.1+1.8.2pre4-1ubuntu0.1 (for Ubuntu 5.04).  In general, a standard
system upgrade is sufficient to effect the necessary changes; however,
if you run custom XMLRPC servers implemented in Ruby, you have to
restart them.

Details follow:

Nobuhiro IMAI discovered that the changed default value of the
Module#public_instance_methods() method broke the security protection
of XMLRPC server handlers. A remote attacker could exploit this to
execute arbitrary commands on an XMLRPC server.
...

http://secunia.com/advisories/15767/
Comment 1 Thomas Biege 2005-07-06 12:04:28 UTC 
CAN-2005-1992
SM-Tracker-1751
Comment 2 Matthias Eckermann 2005-07-07 12:04:04 UTC 
As far as I can see, the patch is a one-liner,
that should fit for our 9.0-9.3, incl. SLES 9.
I'll be able to provide for SLES 9 on 20050708,
for other platforms it is a matter of time, ...
Comment 3 Thomas Biege 2005-07-08 06:22:39 UTC 
8.2 isn't affected?

This update needs to be fixed soon (within a week) because it is remotely
exploitable. Worms and spammers loves these bugs.
Comment 4 Marcus Meissner 2005-07-18 12:03:52 UTC 
ping?
Comment 5 Matthias Eckermann 2005-07-19 05:39:54 UTC 
SL 8.2 (ruby-1.6.8) is not affected, only ruby-1.8.0 and higher
are affected, so 9.0-9,3, sles9 and STABLE. Patch is the same for all.
Comment 6 Matthias Eckermann 2005-07-19 06:12:18 UTC 
OK, I just started an "mbuild" for 9.0-9.3, sles9 and stable
( grape-mge-54 -- grape-mge-59 )
The packs are below ~mge/ruby/ for now. I'll move to the
appropriate place below /work/src/done/ later.
Where to move the SLES9-pack? SLES9-BETA (aka SP2) or SLES9-SP3 or SLES9?
Please help!
Comment 7 Matthias Eckermann 2005-07-19 06:35:04 UTC 
OK, all packages now copied to /work/src/done/$DIST/
Everything builds excpet STABLE-x86_64 -- will fix this later today.
Security team: next steps?
Comment 8 Marcus Meissner 2005-07-19 06:47:54 UTC 
to done/SLES9/ (same as done/9.1) 
 
the secteam will do the next steps.
Comment 9 Matthias Eckermann 2005-07-19 06:58:13 UTC 
Good. I then removed /work/src/done/SLES9-BETA/ruby/,
code in /work/src/done/SLES9/ruby/ aka /work/src/done/9.1/ruby/.
Comment 10 Ludwig Nussel 2005-07-27 07:52:38 UTC 
updates already released
Comment 11 Thomas Biege 2009-10-13 21:30:49 UTC 
CVE-2005-1992: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)