Bug 212396 (CVE-2006-5467)

Summary: CVE-2006-5467 Ruby CGI multipart parsing DoS
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Akira TAGOH <tagoh>
Status: CLOSED ERRATA
QA Contact: Bill Huang <bhuang>
Severity: medium
Priority: medium
Version: unspecified
CC: security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-10-31 09:02:40 UTC

Description Josh Bressers 2006-10-26 17:29:45 UTC
+++ This bug was initially created as a clone of Bug #212237 +++

Jeremy Kemper mailed this information to vendor-sec:

    Fix an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5
    when the input stream returns "" (empty string) instead of nil on EOF.
    Certain malformed multipart requests leave the parser in a non-terminating
    state, leaving the program vulnerable to denial of service attack. The fix
    more carefully checks for input stream EOF.
      affected: standalone CGI, Mongrel
      unaffected: FastCGI, mod_ruby, WEBrick

    This fully closes a previously-reported but partially-fixed vulnerability:
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0983
      http://www.securityfocus.com/bid/11618/info

-- Additional comment from bressers on 2006-10-25 15:28 EST --
Created an attachment (id=139389)
Proposed patch

-- Additional comment from bressers on 2006-10-26 13:26 EST --
Lifting embargo:
http://rubyforge.org/pipermail/mongrel-users/2006-October/001946.html
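
The failure mode described in the quoted advisory, as an added Ruby illustration that is not part of this bug report and is not the code from cgi.rb or the attached patch. The scan loop, the `EmptyOnEofInput` class, the sample bodies and the nil-or-empty check are all assumptions made for the demonstration; the read cap exists only so the example terminates.

```ruby
require "stringio"

# Constructed input object that returns "" at EOF instead of nil, the stream
# behaviour the advisory names as the trigger.
class EmptyOnEofInput
  def initialize(data)
    @io = StringIO.new(data)
  end

  def read(len)
    @io.read(len) || ""
  end
end

CHUNK     = 16    # small read size so the loop runs several times
MAX_READS = 1_000 # cap so the demonstration terminates; a real loop has none

# Hypothetical simplified scan: read chunks until the closing delimiter shows up.
# eof_check decides which read results count as end of input.
def scan_for_close(input, close_delim, eof_check)
  buf = +""
  MAX_READS.times do
    return :ok if buf.include?(close_delim)
    chunk = input.read(CHUNK)
    return :eof_error if eof_check.call(chunk)
    buf << chunk
  end
  :stalled # still looping after MAX_READS reads: the non-terminating state
end

NIL_ONLY     = ->(c) { c.nil? }             # misses a stream that returns ""
NIL_OR_EMPTY = ->(c) { c.nil? || c.empty? } # assumed stricter EOF check

CLOSE     = "--XbOuNdArY--"
PART      = "--XbOuNdArY\r\nContent-Disposition: form-data; name=\"f\"\r\n\r\nv\r\n"
COMPLETE  = PART + CLOSE + "\r\n"
TRUNCATED = PART # constructed malformed body: closing delimiter never arrives

def demo
  {
    nil_stream_nil_check:   scan_for_close(StringIO.new(TRUNCATED), CLOSE, NIL_ONLY),
    empty_stream_nil_check: scan_for_close(EmptyOnEofInput.new(TRUNCATED), CLOSE, NIL_ONLY),
    empty_stream_fixed:     scan_for_close(EmptyOnEofInput.new(TRUNCATED), CLOSE, NIL_OR_EMPTY),
    complete_body_fixed:    scan_for_close(EmptyOnEofInput.new(COMPLETE), CLOSE, NIL_OR_EMPTY),
  }
end

p demo if $PROGRAM_NAME == __FILE__
```

Only the combination of a truncated body, a stream that returns "" at EOF and the nil-only check ends in `:stalled`; the other three cases terminate with `:eof_error` or `:ok`.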

Comment 1 Josh Bressers 2006-10-26 17:31:00 UTC
This issue also affects FC5.

Comment 2 Akira TAGOH 2006-10-27 15:14:49 UTC
Fixed in 1.8.5-4.fc6 and 1.8.5-1.fc5.

Comment 3 Fedora Update System 2006-10-30 21:38:06 UTC
ruby-1.8.5-4.fc6 has been pushed for fc6, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.