Red Hat Bugzilla – Bug 218287
CVE-2006-6303 ruby's cgi.rb vulnerable infinite loop DoS
Last modified: 2016-03-04 06:50:32 EST
Description of problem:
JVN#84798830 described a problem in cgi.rb, which results in an infinite loop after
a certain HTTP request. While the original advisory is in Japan, you might want to
translate it with Babelfish. Anyways, it doesn't contain any useful information.
The upstream corrected the problem immediately in CVS and even released a new
package with patchlevel of 2.
Version-Release number of selected component (if applicable):
All supported versions (RHEL 2.1 to 5, and both FC 5 and FC 6) seem to contain
the vulnerable code.
The translated JVN advisory:
Created attachment 142732
Upstream patch for ruby cgi.rb DoS
Is this worth being called a security issue? Josh pointed out that ruby has a
built-in webserver. What happens to the CGI when a client connection times out
there, does it always get killed?
If you are referring to Webrick, it doesn't use the CGI class that has been fixed this time,
and whether or not the CGI is killed depends on the implementation of the webserver,
anyway. cgi.rb can usually be used in just a CGI script as usual and in embedded
Ruby script in HTML too.
Fixed in 1.8.1-7.el4.9.
Upstream advisory and patch:
This issue was addressed in:
Red Hat Enterprise Linux:
Reporter changed to email@example.com by request of Jay Turner.