Bug 218287 (CVE-2006-6303)

Summary: CVE-2006-6303 ruby's cgi.rb vulnerable infinite loop DoS
Product: [Other] Security Response Reporter: Red Hat Product Security <security-response-team>
Component: vulnerabilityAssignee: Akira TAGOH <tagoh>
Status: CLOSED ERRATA QA Contact: Bill Huang <bhuang>
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: eng-i18n-bugs, kreilly
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-07-21 09:31:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 320371, 320381, 451930, 451931    
Bug Blocks:    
Attachments:
Description Flags
Upstream patch for ruby cgi.rb DoS none

Description Lubomir Kundrak 2006-12-04 14:09:50 UTC
Description of problem:

JVN#84798830 described a problem in cgi.rb, which results in infinite loop after
certain HTTP request. While the original advisory is in Japan, you might want to
translate it with Babelfish. Anyways, it doesn't contain any useful information.
The upstream corrected the problem immediately in CVS and even released a new
package with patchlevel of 2.

Version-Release number of selected component (if applicable):

All supported versions (RHEL 2.1 to 5, and both FC 5 and FC 6) seem to contain
the vulnerable code.

How reproducible:

No reproducer.

Additional info:

The translated JVN avdisory:
http://babelfish.altavista.com/babelfish/trurl_pagecontent?lp=ja_en&trurl=http%3a%2f%2fwww.ipa.go.jp%2fsecurity%2fvuln%2fdocuments%2f2006%2fJVN_84798830_Ruby.html

Comment 1 Lubomir Kundrak 2006-12-04 14:09:50 UTC
Created attachment 142732 [details]
Upstream patch for ruby cgi.rb DoS

Comment 2 Lubomir Kundrak 2006-12-08 16:07:03 UTC
Is this worth being called a security issue? Josh pointed out that ruby has a
built-in webserver. What happens to the CGI when a client connection times-out
there, does it allways get killed?

Comment 3 Akira TAGOH 2006-12-11 05:35:59 UTC
If you are referring to Webrick, it doesn't use CGI class that has fixed this time.
and whether or not CGI is killed depends on the implementation of the webserver,
anyway.  cgi.rb can be usually used in just a CGI script as usual and embedded
Ruby script in html too.

Comment 4 Akira TAGOH 2007-01-22 14:38:48 UTC
Fixed in 1.8.1-7.el4.9.

Comment 12 Red Hat Product Security 2008-07-21 09:31:15 UTC
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-0961.html
  http://rhn.redhat.com/errata/RHSA-2008-0562.html



Comment 13 Red Hat Bugzilla 2009-10-23 19:07:01 UTC
Reporter changed to security-response-team by request of Jay Turner.