Thread: Important DoS vulnerability fix in cgi.rb

Important DoS vulnerability fix in cgi.rb
user name
2006-12-04 12:32:47
Hi,

attached patch fixes this.

Also, minor testcase fix for tc_cgi.rb so it doesn't fail anymore.

If you're paranoid, please apply this patch at once to feel cozy.  :P

Additional notes from me:

The vulnerability is again in the multipart parsing.  This wasn't
mentioned in the article below.
The multipart parsing didn't escape the boundaries of the parts and so
any regex could be used there.  An additional check for validating the
end part of the multipart also has been added.

Jo

If you haven't heard already:

------------------------------------------------------------------------

Another vulnerability has been discovered in the CGI library (cgi.rb)
that ships with Ruby which could be used by a malicious user to create a
denial of service attack (DoS).

This vulnerability is open to the public as JVN#84798830.

Please note that the previous patch
(<URL:http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-cgi-dos-1.patch>)
does not fix this problem.

Impact
------
A specific HTTP request for any web application using cgi.rb causes CPU
consumption on the machine on which the web application is running. Many
such requests result in a denial of service.

Vulnerable versions
-------------------
* 1.8 series
   1.8.5 and all prior versions
* Development version (1.9 series)
   All versions before 2006-12-04

Solution
--------
* 1.8 series
   Please upgrade to 1.8.5-p2.
   <URL:http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p2.tar.gz>
        (4519151 bytes, md5sum: a3517a224716f79b14196adda3e88057)
   Please note that a package that corrects this weakness may already be
   available through your package management software.
* Development version (1.9 series)
   Please update your Ruby to a version after 2006-12-04.

Article
---------
http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/

-- 
Feel the love
http://pinkjuice.com/pics/ruby.png
_______________________________________________
Nitro-general mailing list
Nitro-generalrubyforge.org
http://rubyforge.org/mailman/listinfo/nitro-general
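
An added illustration of the two points Jo makes above, the boundary being interpolated into a regex without escaping and the missing check for the closing delimiter. This is example code written for this archive page; it is not the attached patch and not cgi.rb's own parser, and the function names (`unescaped_separator`, `escaped_separator`, `parse_multipart`) and the sample body are made up here.

```ruby
# Added example (not the patch from the thread and not cgi.rb's own code).
# Shows why a client-supplied multipart boundary must go through
# Regexp.escape before it is interpolated into a pattern, and why the
# terminating "--boundary--" delimiter should be required.
# Function names are hypothetical.

MultipartPart = Struct.new(:headers, :body)

# The flaw: interpolating the boundary verbatim lets regex metacharacters
# in it change what the separator pattern matches.
def unescaped_separator(boundary)
  /\r\n--#{boundary}\r\n/
end

# The fix: Regexp.escape makes the boundary match only itself.
def escaped_separator(boundary)
  /\r\n--#{Regexp.escape(boundary)}\r\n/
end

# Parse a multipart/form-data body (RFC 2046 framing, CRLF line endings)
# into an array of MultipartPart.  Raises ArgumentError when the opening
# or the terminating delimiter is missing instead of scanning on anyway.
def parse_multipart(body, boundary)
  esc = Regexp.escape(boundary)
  open_re  = /\A--#{esc}\r\n/
  close_re = /\r\n--#{esc}--\s*\z/   # stricter than RFC 2046: no epilogue

  raise ArgumentError, "missing closing boundary" unless close_re.match?(body)
  raise ArgumentError, "missing opening boundary" unless open_re.match?(body)

  inner = body.sub(close_re, "").sub(open_re, "")
  inner.split(escaped_separator(boundary)).map do |chunk|
    raw_headers, _sep, data = chunk.partition("\r\n\r\n")
    headers = raw_headers.split("\r\n").each_with_object({}) do |line, h|
      name, value = line.split(":", 2)
      h[name.strip.downcase] = value.to_s.strip
    end
    MultipartPart.new(headers, data)
  end
end

# Constructed sample: the boundary contains a regex metacharacter ('.')
# and the part body contains a line that an unescaped pattern would
# mistake for a part separator.
SAMPLE_BOUNDARY = "a.b"
SAMPLE_BODY =
  "--a.b\r\n" \
  "Content-Disposition: form-data; name=\"note\"\r\n" \
  "\r\n" \
  "line one\r\n--aXb\r\nline two\r\n" \
  "--a.b--\r\n"

if __FILE__ == $0
  parts = parse_multipart(SAMPLE_BODY, SAMPLE_BOUNDARY)
  puts "parts parsed: #{parts.size}"
  bogus = "\r\n--aXb\r\n"
  puts "unescaped pattern matches bogus line: #{unescaped_separator(SAMPLE_BOUNDARY).match?(bogus)}"
  puts "escaped pattern matches bogus line:   #{escaped_separator(SAMPLE_BOUNDARY).match?(bogus)}"
end
```

With the escaped pattern the sample body yields one part whose body still contains the `--aXb` line; with the unescaped pattern that line would have been taken as a separator, which is the kind of mismatch between client-controlled input and pattern semantics the post is describing. Requiring the closing delimiter up front means a truncated or malformed body is rejected before any per-part work is done.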
Important DoS vulnerability fix in cgi.rb
user name
2006-12-04 20:23:43
Argh, this is nasty!

thanks,
-g.

On 12/4/06, Jonathan Buch <johnoxyliquit.de> wrote:
> Hi,
>
> attached patch fixes this.
>
> Also, minor testcase fix for tc_cgi.rb so it doesn't fail anymore.
>
> If you're paranoid, please apply this patch at once to feel cozy.  :P
>
> Additional notes from me:
>
> The vulnerability is again in the multipart parsing.  This wasn't
> mentioned in the article below.
> The multipart parsing didn't escape the boundaries of the parts and so
> any regex could be used there.  An additional check for validating the
> end part of the multipart also has been added.
>
> Jo
>
> If you haven't heard already:
>
> ------------------------------------------------------------------------
>
> Another vulnerability has been discovered in the CGI library (cgi.rb)
> that ships with Ruby which could be used by a malicious user to create a
> denial of service attack (DoS).
>
> This vulnerability is open to the public as JVN#84798830.
>
> Please note that the previous patch
> (<URL:http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-cgi-dos-1.patch>)
> does not fix this problem.
>
> Impact
> ------
> A specific HTTP request for any web application using cgi.rb causes CPU
> consumption on the machine on which the web application is running. Many
> such requests result in a denial of service.
>
> Vulnerable versions
> -------------------
> * 1.8 series
>    1.8.5 and all prior versions
> * Development version (1.9 series)
>    All versions before 2006-12-04
>
> Solution
> --------
> * 1.8 series
>    Please upgrade to 1.8.5-p2.
>    <URL:http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p2.tar.gz>
>         (4519151 bytes, md5sum: a3517a224716f79b14196adda3e88057)
>    Please note that a package that corrects this weakness may already be
>    available through your package management software.
> * Development version (1.9 series)
>    Please update your Ruby to a version after 2006-12-04.
>
> Article
> ---------
> http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/
>
> --
> Feel the love
> http://pinkjuice.com/pics/ruby.png
>
> _______________________________________________
> Nitro-general mailing list
> Nitro-generalrubyforge.org
> http://rubyforge.org/mailman/listinfo/nitro-general
>


-- 
http://cull.gr
http://www.joy.gr
http://blog.gmosx.com
http://nitroproject.org