Bug 161096

Summary: CAN-2005-1992 ruby arbitrary command execution on XMLRPC server
Product: [Fedora] Fedora Reporter: Josh Bressers <bressers>
Component: rubyAssignee: Akira TAGOH <tagoh>
Status: CLOSED ERRATA QA Contact: Bill Huang <bhuang>
Severity: medium Docs Contact:
Priority: medium    
Version: 4Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: public=20050617,impact=moderate,source=debian,reported=20050620
Fixed In Version: 1.8.2-7.fc4.2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-06-21 17:08:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Josh Bressers 2005-06-20 15:28:46 UTC
+++ This bug was initially created as a clone of Bug #161095 +++

I ran across this issue in the Debian BTS:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=315064
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/5237

It seems that by executing an XMLRPC server in ruby in this manner:
s.add_handler(XMLRPC::iPIMethods("sample")

It becomes possible to execute any arbitrary commands within the XMLRPC
server.

Comment 1 Akira TAGOH 2005-06-21 17:08:12 UTC
Fixed in ruby-1.8.2-1.fc3.3 for FC3 and ruby-1.8.2-7.fc4.2 for FC4.