
Ruby: Terminal Control Character Injection


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 201001-09 / ruby
Release Date: January 14, 2010
Latest Revision: January 14, 2010: 01
Impact: normal
Exploitable: remote

Package: dev-lang/ruby
Vulnerable versions: < 1.8.7_p249
Unaffected versions: >= 1.8.7_p249, revision >= 1.8.6_p388
Architecture(s): All supported architectures

Related bugreports: #300468

Synopsis

An input sanitization flaw in the WEBrick HTTP server included in Ruby might allow remote attackers to inject arbitrary control characters into terminal sessions.

2.  Impact Information

Background

Ruby is an interpreted scripting language for quick and easy object-oriented programming. It comes bundled with an HTTP server ("WEBrick").

Description

Giovanni Pellerano, Alessandro Tanasi and Francesco Ongaro reported that WEBrick does not filter terminal control characters, for instance when handling HTTP logs.

Impact

A remote attacker could send a specially crafted HTTP request to a WEBrick server to inject arbitrary terminal control characters, possibly resulting in the execution of arbitrary commands, data loss, or other unspecified impact. This could also be used to facilitate other attacks.
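The defensive rule this advisory implies is that bytes taken from an HTTP request must never reach a log file, or a terminal tailing that file, without terminal control characters being escaped first. The following is an added example written for this page; it is not WEBrick code and does not reproduce the upstream fix. The request field names (`remote_ip`, `user_agent`, and so on) and the sample request are constructed for the illustration.

```ruby
# Added example for this advisory (not WEBrick's own code). It escapes
# terminal control characters in client-supplied fields before they are
# written to an access log.

# Every C0 control byte (0x00-0x1F) plus DEL (0x7F). ESC (0x1B) is the
# byte that opens ANSI/VT100 escape sequences; CR and LF would let one
# request field forge additional log lines.
CONTROL_BYTE = /[\x00-\x1f\x7f]/

# True when the string carries anything a terminal could interpret as a
# control character. Useful as a detection check over existing logs.
def terminal_control?(str)
  str.to_s.scrub('?').match?(CONTROL_BYTE)
end

# Rewrite each control byte as a visible \xHH token. The result is a
# single line with no ESC in it, so a terminal displaying the log
# renders it literally instead of executing it.
def sanitize_for_log(str)
  str.to_s.scrub('?').gsub(CONTROL_BYTE) { |c| format('\\x%02X', c.ord) }
end

# Build a Common Log Format style line, escaping every field that
# originates from the client. The hash keys are hypothetical; a real
# server would read them from its request object.
def format_access_log(req, time)
  ip, meth, path, ua = %i[remote_ip method path user_agent].map { |k| sanitize_for_log(req[k]) }
  stamp = time.strftime('%d/%b/%Y:%H:%M:%S %z')
  "#{ip} - - [#{stamp}] \"#{meth} #{path}\" \"#{ua}\""
end

# Constructed sample request: the User-Agent carries an ANSI clear-screen
# and cursor-home sequence followed by CR/LF, the kind of payload the
# advisory describes.
SAMPLE_REQUEST = {
  remote_ip: '192.0.2.10',
  method: 'GET',
  path: '/index.html',
  user_agent: "Mozilla/5.0 \e[2J\e[H\r\nforged entry"
}.freeze

if __FILE__ == $PROGRAM_NAME
  line = format_access_log(SAMPLE_REQUEST, Time.utc(2010, 1, 14, 12, 0, 0))
  puts line
  puts "sanitized line still carries control bytes? #{terminal_control?(line)}"
end
```

`terminal_control?` doubles as a quick scan for logs already written by an unpatched server: any line on which it returns true deserves a look, since a well-formed request should never contain raw control bytes.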

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All Ruby 1.8.7 users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.7_p249"

All Ruby 1.8.6 users should upgrade to the latest version:

Code Listing 3.2: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.6_p388"

4.  References




Page updated January 14, 2010

Summary: This is a Gentoo Linux Security Advisory
