Bug 554485 (CVE-2009-4492)

Summary: CVE-2009-4492 ruby WEBrick log escape sequence
Product: [Other] Security Response Reporter: Josh Bressers <bressers>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: kreilly, mjc, mtasaka, vdanen, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-29 14:33:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 554510, 554528, 709957, 709958, 709959    
Bug Blocks:    
Attachments:
Description Flags
patch generated by diffing 1.8.7p248 and p249 to fix the issue none

Description Josh Bressers 2010-01-11 20:19:38 UTC 
A vulnerability was found on WEBrick, a part of Ruby's standard library. WEBrick lets attackers to inject malicious escape sequences to its logs, making it possible for dangerous control characters to be executed on a victim's terminal emulator.

We already have a fix for it. Releases for every active branches are to follow this announce. But for a meantime, we recommend you to avoid looking at your WEBrick logs, until you update your WEBrick process.
Detailed description

Terminal escape sequences are used to allow various forms of interaction between a terminal and a inside process. The problem is that those sequences are not intended to be issued by untrusted sources; such as network inputs. So if a remote attacker could inject escape sequences into WEBrick logs, and a victim happen to consult them through his/her terminal, the attacker could take advantages of various weaknesses in terminal emulators.

http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection/
Comment 2 Vincent Danen 2010-01-11 21:56:52 UTC 
Created attachment 383108 [details]
patch generated by diffing 1.8.7p248 and p249 to fix the issue
Comment 3 Vincent Danen 2010-01-11 21:57:59 UTC 
Testcase taken from the ruby blog:

% xterm -e ruby -rwebrick -e 'WEBrick::HTTPServer.new(:Port=>8080).start' &
% wget http://localhost:8080/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
Comment 5 Vincent Danen 2010-01-12 03:39:45 UTC 
Upstream has also made available 1.8.6p388:

http://ftp.ruby-lang.org/pub/ruby/ruby-1.8.6-p388.tar.bz2
Comment 6 Tomas Hoger 2010-01-12 08:39:46 UTC 
(In reply to comment #2)
> Created an attachment (id=383108) [details]
> patch generated by diffing 1.8.7p248 and p249 to fix the issue    

http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=26268
Comment 7 Mamoru TASAKA 2010-01-12 19:45:37 UTC 
On Fedora rawhide: patch applied on ruby-1.8.6.383-6.fc13.
Comment 8 Mamoru TASAKA 2010-01-12 19:53:12 UTC 
Well, bodhi <-> bugzilla interaction doesn't seem to be
working currently..

F-12: https://admin.fedoraproject.org/updates/ruby-1.8.6.383-6.fc12
F=11: https://admin.fedoraproject.org/updates/ruby-1.8.6.383-6.fc11
Comment 9 Fedora Update System 2010-01-14 01:25:07 UTC 
ruby-1.8.6.383-6.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2010-01-14 01:25:32 UTC 
ruby-1.8.6.383-6.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Mamoru TASAKA 2010-01-14 05:31:31 UTC 
On Fedora side this is closed.
Comment 17 errata-xmlrpc 2011-06-28 17:22:35 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:0908 https://rhn.redhat.com/errata/RHSA-2011-0908.html
Comment 18 errata-xmlrpc 2011-06-28 17:33:55 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0909 https://rhn.redhat.com/errata/RHSA-2011-0909.html