Bugzilla – Bug 62886
VUL-0: CVE-2004-0983: DoS in ruby cgi lib
Last modified: 2021-10-04 10:23:53 UTC
We received the following report via vendor-sec. The issue is public.

Date: Wed, 3 Nov 2004 09:20:37 +0100
From: Martin Schulze <joey@infodrom.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2004-0983: Denial of service in Ruby

Moin everybody!

I don't know if some of you are also shipping a version of ruby in your distributions. We have received a report that the upstream developers have corrected a problem that could be triggered remotely and cause an infinite loop on the server, since it's the CGI module.

The patch is here:
http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/lib/cgi.rb?cvsroot=src&r1=1.23.2.17&r2=1.23.2.18

This problem is semi-public already (upstream cvs, Debian packages), it may not be too useful to try a coordinated release, but if you would like to, I could postpone the advisory a bit.

Regards,
Joey
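The report above only says that the CGI module could be made to loop forever. As an added illustration (not code from the bug report, nor from Ruby's cgi.rb), here is a minimal multipart/form-data part reader in the style of that library's read loop, with the empty-read check that stops a truncated body from hanging the server; the function and constant names are hypothetical.

```ruby
# Added example, not Ruby's own cgi.rb: a minimal reader for one
# multipart/form-data part body, showing the EOF check that turns a
# never-ending read loop into a clean EOFError on truncated input.
require "stringio"

EOL = "\r\n"
BUFSIZE = 16  # deliberately small so a part needs several reads

# Reads bytes from +input+ until the next "--boundary" line and returns the
# part body in front of it. +content_length+ is what the client claimed.
def read_part_body(input, boundary, content_length)
  buf = String.new
  marker = EOL + "--" + boundary
  until (idx = buf.index(marker))
    want = [BUFSIZE, content_length].min
    chunk = want > 0 ? input.read(want) : nil
    # A loop without this check goes straight to buf << chunk. When the
    # body ends without a boundary (or Content-Length overstates it),
    # read returns nil or "" on every iteration and the loop never ends,
    # which is the remote denial of service. Treat an empty read as fatal.
    if chunk.nil? || chunk.empty?
      raise EOFError, "bad content body"
    end
    buf << chunk
    content_length -= chunk.size
  end
  buf[0, idx]
end

# Constructed sample input: a well-formed single part, then a truncated one.
if __FILE__ == $PROGRAM_NAME
  b = "AaB03x"
  good = "hello world" + EOL + "--" + b + "--" + EOL
  puts read_part_body(StringIO.new(good), b, good.bytesize)  # hello world
  bad = "hello world without a closing boundary"
  begin
    read_part_body(StringIO.new(bad), b, bad.bytesize)
  rescue EOFError => e
    puts "rejected: #{e.message}"  # rejected: bad content body
  end
end
```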
We ship 1.8.1, and the submitted patch seems weird, ... Reducing severity to "normal" and will have a look later, ...
how much later is later?
Between Christmas and Sylvester, when I have more time. Sorry. So short, MgE
Ludwig and Security-Team: I use the code of ruby-1.8.2 (which came as a Christmas gift) for lib/cgi.rb and lib/cgi/session.rb. Do you think updated packages for SL 9.1, SL 9.2 and CORE9 are necessary? Otherwise, I would only provide it to STABLE.
Well, apparently ruby is considered important enough for SLES so I would assume that there are indeed people who use it on productive systems and are waiting for a patch.
As discussed on the phone: patch for 9.1, 9.2, CORE9 is ready (it's all based on ruby-1.8.1); will look for SLES8-series (incl. 8.1, 8.2, SLES8, ...) tomorrow and then commit everything.
We have the following ruby versions:

./8.1/ruby-1.6.7.tar.bz2
./sles8/ruby-1.6.7.tar.bz2
./8.2/ruby-1.6.8.tar.bz2
./9.0/ruby-1.8.0.tar.bz2
./9.1/ruby-1.8.1.tar.bz2
./9.2/ruby-1.8.1.tar.bz2
./sles9/ruby-1.8.1.tar.bz2

For that, I propose to provide fixes for 8.1, sles8 (1.6.7) and 9.1, 9.2, sles9 (1.8.1) and put 1.8.2 into STABLE. We should also provide a 1.8.1 package for 9.0. I would prefer to update 8.1, sles8 (+8.2, 9.0) to 1.8.1 as well, but that breaks maintenance in sles8 :-( What do you think? MgE
Only the PM of 9.0 can decide about it. The default rule is to patch and not to upgrade the version. Please ask them/him/her about a version upgrade clearance.
Well, on 2005-01-05 I submitted patches for all the above distributions within their current version/release, i.e.:

./8.1/ruby-1.6.7.tar.bz2
./sles8/ruby-1.6.7.tar.bz2
./8.2/ruby-1.6.8.tar.bz2
./9.0/ruby-1.8.0.tar.bz2
./9.1/ruby-1.8.1.tar.bz2
./9.2/ruby-1.8.1.tar.bz2
./sles9/ruby-1.8.1.tar.bz2

I'm not happy about that, but well, ... :-( But I decided to stay with ruby-1.8.1 (patched) for STABLE (will be 9.3, right?) at the moment, so that we have the same status for 9.1/SLES9 -> 9.3. Agreed?
swampid: 114
Created attachment 27587 [details] ruby.patch.maintained
Created attachment 27588 [details] ruby.patch.box
Updated packages released.
CVE-2004-0983: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)