
Ruby: Terminal Control Character Injection


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 201001-09 / ruby
Release Date January 14, 2010
Latest Revision January 14, 2010: 01
Impact normal
Exploitable remote
Package            Vulnerable versions   Unaffected versions                              Architecture(s)
dev-lang/ruby      < 1.8.7_p249          >= 1.8.7_p249, revision >= 1.8.6_p388            All supported architectures

Related bugreports: #300468


An input sanitization flaw in the WEBrick HTTP server included in Ruby might allow remote attackers to inject arbitrary terminal control characters into the terminal sessions of users who view WEBrick's logs.

2.  Impact Information


Ruby is an interpreted scripting language for quick and easy object-oriented programming. It comes bundled with an HTTP server ("WEBrick").


Giovanni Pellerano, Alessandro Tanasi and Francesco Ongaro reported that WEBrick does not filter terminal control characters from attacker-supplied request data, for instance when writing HTTP request details to its logs.


A remote attacker could send a specially crafted HTTP request to a WEBrick server to inject arbitrary terminal control characters into the log. When the log is later viewed in a terminal emulator that honours such sequences, this could result in the execution of arbitrary commands, data loss, or other unspecified impact, and could be used to facilitate other attacks (for example by hiding or forging log entries).
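The following Ruby script is an added illustration and is not code from the advisory, from WEBrick, or from the upstream fix. It shows how a request path carrying ANSI escape sequences is copied verbatim into a Common Log Format line by a naive logger, how a log writer can escape control characters so each field stays a single printable line, and how to find lines in an existing log that already contain raw control characters. The request path, the log format and all helper names are constructed for this example.

```ruby
# Added example, not part of GLSA 201001-09 or of WEBrick itself.
# Demonstrates terminal control character injection into an HTTP access
# log, one way to escape log fields, and a check for already-written logs.

require 'time'

# Constructed hostile request path: clears the screen (ESC[2J) and prints
# a green "[ok]" (ESC[32m ... ESC[0m) when the log is viewed in a terminal.
HOSTILE_PATH = "/\e[2J\e[32m[ok]\e[0m/index.html"

# A naive Common Log Format writer: every request field is interpolated
# without escaping, exactly the behaviour the advisory describes.
def naive_clf(remote_host, method, path, status, bytes, at = Time.at(0).utc)
  ts = at.strftime('%d/%b/%Y:%H:%M:%S %z')
  %(#{remote_host} - - [#{ts}] "#{method} #{path} HTTP/1.1" #{status} #{bytes})
end

# Escape C0 control characters (0x00-0x1F), DEL (0x7F) and backslash so
# the field is a single printable line. ESC becomes \x1b, CR/LF/TAB become
# \r, \n and \t, and backslash is doubled so the encoding is unambiguous.
def escape_log_field(field)
  field.gsub(/[\x00-\x1f\x7f\\]/) do |ch|
    case ch
    when "\\" then "\\\\"
    when "\n" then "\\n"
    when "\r" then "\\r"
    when "\t" then "\\t"
    else format('\\x%02x', ch.ord)
    end
  end
end

# Hardened writer: same format, but every attacker-influenced field is
# escaped before it reaches the log line.
def safe_clf(remote_host, method, path, status, bytes, at = Time.at(0).utc)
  naive_clf(escape_log_field(remote_host), escape_log_field(method),
            escape_log_field(path), status, bytes, at)
end

# Detection over an existing log: return the 1-based numbers of lines that
# still contain raw control characters (ignoring each line's own newline).
def lines_with_control_chars(log_text)
  log_text.each_line.with_index(1)
          .select { |line, _| line.chomp =~ /[\x00-\x1f\x7f]/ }
          .map(&:last)
end

if __FILE__ == $PROGRAM_NAME
  raw  = naive_clf('203.0.113.5', 'GET', HOSTILE_PATH, 404, 0)
  safe = safe_clf('203.0.113.5', 'GET', HOSTILE_PATH, 404, 0)
  puts "naive line (inspect): #{raw.inspect}"
  puts "escaped line:         #{safe}"
  puts "lines with raw control chars: #{lines_with_control_chars(raw + "\n" + safe + "\n").inspect}"
end
```

Viewing the naive line with `cat` in an xterm-compatible terminal would clear the screen and leave only the forged "[ok]" visible, while the escaped line shows `\x1b[2J` and friends as ordinary text. The detection helper is the check to run over logs written by an unpatched WEBrick before they are opened on a terminal.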

3.  Resolution Information


There is no known workaround at this time.


All Ruby 1.8.7 users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.7_p249"

All Ruby 1.8.6 users should upgrade to the latest version:

Code Listing 3.2: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.6_p388"

4.  References


Page updated January 14, 2010
