Ruby: Denial of Service issue

1. Gentoo Linux Security Advisory

Advisory Reference	GLSA 200411-23 / Ruby
Release Date	November 16, 2004
Latest Revision	November 16, 2004: 01
Impact	normal
Exploitable	remote

Package	Vulnerable versions	Unaffected versions	Architecture(s)
dev-lang/ruby	< 1.8.2_pre3	revision >= 1.6.8-r12, >= 1.8.2_pre3	All supported architectures

Related bugreports: #69985

Synopsis

The CGI module in Ruby can be sent into an infinite loop, resulting in a Denial of Service condition.

2. Impact Information

Background

Ruby is an interpreted scripting language for quick and easy object-oriented programming. Ruby's CGI module can be used to build web applications.

Description

Ruby's developers found and fixed an issue in the CGI module that can be triggered remotely and cause an infinite loop.

Impact

A remote attacker could trigger the vulnerability through an exposed Ruby web application and cause the server to use unnecessary CPU resources, potentially resulting in a Denial of Service.

3. Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All Ruby 1.6.x users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.6.8-r12"

All Ruby 1.8.x users should upgrade to the latest version:

Code Listing 3.2: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.2_pre3"

4. References

CAN-2004-0983

Page updated November 16, 2004

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.