Ruby: Denial of Service vulnerability

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200611-12 / ruby
Release Date November 20, 2006
Latest Revision November 20, 2006: 01
Impact normal
Exploitable remote
Package         Vulnerable versions   Unaffected versions   Architecture(s)
dev-lang/ruby   < 1.8.5-r3            >= 1.8.5-r3           All supported architectures

Related bugreports: #153497

Synopsis

The Ruby cgi.rb CGI library is vulnerable to a Denial of Service attack.

2.  Impact Information

Background

Ruby is a dynamic, open source programming language with a focus on simplicity and productivity.

Description

Zed Shaw, Jeremy Kemper, and Jamis Buck of the Mongrel project reported that the CGI library shipped with Ruby is vulnerable to a remote Denial of Service by an unauthenticated user.

Impact

The vulnerability can be exploited by sending the cgi.rb library an HTTP request with multipart MIME encoding that contains a malformed MIME boundary specifier beginning with "-" instead of "--". Successful exploitation of the vulnerability causes the library to go into an infinite loop waiting for additional non-existent input.
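The failure mode described above, as an added illustration that is not code from cgi.rb or from this advisory: a naive multipart reader that treats end-of-input as "no data yet" and keeps polling for a boundary that can never match, next to a reader that fails closed. Every name here (naive_wait_for_boundary, read_multipart, MalformedMultipart) and the two sample bodies are constructed for this example; the "xyz" boundary and the single-dash variant are made up to match the advisory's description.

```ruby
require 'stringio'

# Constructed example, not cgi.rb's own code. It models the bug class the
# advisory describes and shows the defensive shape a multipart reader needs.

class MalformedMultipart < StandardError; end

# Naive reader modelled on the failure mode: it loops until the dash-boundary
# ("--" + boundary) shows up in the buffer, and a nil from read (EOF) is
# silently ignored and retried. The max_iterations cap exists only so this
# demonstration terminates; without it the loop would spin forever on a body
# whose delimiter lines start with a single "-". Returns the number of
# iterations taken, or :gave_up when the cap is hit.
def naive_wait_for_boundary(io, boundary, max_iterations: 1000)
  delimiter = "--#{boundary}"
  buf = +""
  max_iterations.times do |i|
    return i + 1 if buf.include?(delimiter)
    chunk = io.read(4096)
    buf << chunk if chunk # nil at EOF is ignored: this is the bug
  end
  :gave_up
end

# Hardened reader: every read is bounded by max_bytes, EOF ends the read loop,
# the first line must be the RFC 2046 dash-boundary, and a missing closing
# delimiter ("--" + boundary + "--") is an error rather than a reason to wait.
# Returns the raw text of each part (headers and body, unparsed).
def read_multipart(io, boundary, max_bytes: 1 << 20)
  raise MalformedMultipart, "empty boundary" if boundary.nil? || boundary.empty?

  delimiter = "--#{boundary}"
  buf = +""
  total = 0
  while (chunk = io.read(4096)) # nil at EOF terminates the loop
    total += chunk.bytesize
    raise MalformedMultipart, "body exceeds #{max_bytes} bytes" if total > max_bytes
    buf << chunk
  end

  lines = buf.split(/\r?\n/, -1)
  first = lines.shift
  unless first == delimiter
    raise MalformedMultipart, "expected #{delimiter.inspect}, got #{first.inspect}"
  end

  parts = []
  current = []
  closed = false
  lines.each do |line|
    if line == delimiter
      parts << current.join("\n")
      current = []
    elsif line == "#{delimiter}--"
      parts << current.join("\n")
      closed = true
      break
    else
      current << line
    end
  end
  raise MalformedMultipart, "missing closing delimiter" unless closed
  parts
end

# Constructed sample bodies: a well-formed one and one whose delimiter lines
# begin with "-" instead of "--", the malformed case the advisory describes.
VALID_BODY = "--xyz\r\nContent-Disposition: form-data; name=\"a\"\r\n\r\nhello\r\n--xyz--\r\n"
MALFORMED_BODY = "-xyz\r\nContent-Disposition: form-data; name=\"a\"\r\n\r\nhello\r\n-xyz--\r\n"

if __FILE__ == $0
  puts "naive, valid body:     #{naive_wait_for_boundary(StringIO.new(VALID_BODY), 'xyz')} iterations"
  puts "naive, malformed body: #{naive_wait_for_boundary(StringIO.new(MALFORMED_BODY), 'xyz', max_iterations: 50)}"
  puts "hardened, valid body:  #{read_multipart(StringIO.new(VALID_BODY), 'xyz').length} part(s)"
  begin
    read_multipart(StringIO.new(MALFORMED_BODY), 'xyz')
  rescue MalformedMultipart => e
    puts "hardened, malformed body: rejected (#{e.message})"
  end
end
```

The point of the hardened version is that the reader's progress is tied to input actually consumed: an EOF, a byte budget, or a delimiter that does not match all produce a definite error, so a single request cannot hold the process in a loop that waits for input nobody will send.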

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All Ruby users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.5-r3"

4.  References


Updated November 20, 2006

Copyright 2001-2008 Gentoo Foundation, Inc. Questions, Comments? Contact us.