Description of problem:
JVN#84798830 described a problem in cgi.rb, which results in an infinite loop after a certain HTTP request. While the original advisory is in Japanese, you might want to translate it with Babelfish. Anyways, it doesn't contain any useful information. The upstream corrected the problem immediately in CVS and even released a new package with patchlevel of 2.
Version-Release number of selected component (if applicable):
All supported versions (RHEL 2.1 to 5, and both FC 5 and FC 6) seem to contain the vulnerable code.
How reproducible:
No reproducer.
Additional info:
The translated JVN advisory: http://babelfish.altavista.com/babelfish/trurl_pagecontent?lp=ja_en&trurl=http%3a%2f%2fwww.ipa.go.jp%2fsecurity%2fvuln%2fdocuments%2f2006%2fJVN_84798830_Ruby.html
Created attachment 142732: Upstream patch for ruby cgi.rb DoS
Is this worth being called a security issue? Josh pointed out that ruby has a built-in webserver. What happens to the CGI when a client connection times out there, does it always get killed?
If you are referring to WEBrick, it doesn't use the CGI class that has been fixed this time, and whether or not the CGI is killed depends on the implementation of the webserver anyway. cgi.rb can usually be used in just a CGI script as usual, and in embedded Ruby script in HTML too.
Fixed in 1.8.1-7.el4.9.
Upstream advisory and patch:
http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=11330
This issue was addressed in Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2007-0961.html
http://rhn.redhat.com/errata/RHSA-2008-0562.html
Reporter changed to security-response-team by request of Jay Turner.