Bug 554485 (CVE-2009-4492) - CVE-2009-4492 ruby WEBrick log escape sequence
Summary: CVE-2009-4492 ruby WEBrick log escape sequence
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-4492
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 554510 554528 709957 709958 709959
Blocks:
Reported: 2010-01-11 20:19 UTC by Josh Bressers
Modified: 2019-09-29 12:33 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2011-06-29 14:33:25 UTC
Embargoed:


Attachments
patch generated by diffing 1.8.7p248 and p249 to fix the issue (4.56 KB, patch)
2010-01-11 21:56 UTC, Vincent Danen


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2011:0908 | 0 | normal | SHIPPED_LIVE | Moderate: ruby security update | 2011-06-28 17:22:27 UTC
Red Hat Product Errata | RHSA-2011:0909 | 0 | normal | SHIPPED_LIVE | Moderate: ruby security update | 2011-06-28 17:33:49 UTC

Description Josh Bressers 2010-01-11 20:19:38 UTC
A vulnerability was found in WEBrick, a part of Ruby's standard library. WEBrick lets attackers inject malicious escape sequences into its logs, making it possible for dangerous control characters to be executed on a victim's terminal emulator.

We already have a fix for it. Releases for every active branch are to follow this announcement. But in the meantime, we recommend you avoid looking at your WEBrick logs until you update your WEBrick process.
Detailed description

Terminal escape sequences are used to allow various forms of interaction between a terminal and an inside process. The problem is that those sequences are not intended to be issued by untrusted sources, such as network inputs. So if a remote attacker could inject escape sequences into WEBrick logs, and a victim happens to consult them through his/her terminal, the attacker could take advantage of various weaknesses in terminal emulators.

http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection/

Comment 2 Vincent Danen 2010-01-11 21:56:52 UTC
Created attachment 383108 [details]
patch generated by diffing 1.8.7p248 and p249 to fix the issue

Comment 3 Vincent Danen 2010-01-11 21:57:59 UTC
Testcase taken from the ruby blog:

% xterm -e ruby -rwebrick -e 'WEBrick::HTTPServer.new(:Port=>8080).start' &
% wget http://localhost:8080/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
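As an added example (not WEBrick's own code, and not from the Ruby announcement quoted in the description), the block below decodes the test-case path used above, shows the terminal sequence it carries, and demonstrates the two responses a practitioner wants: escaping control characters before a log line is written (the same idea as the upstream fix, with this example's own implementation), and scanning logs already on disk for raw control bytes before viewing them in a terminal. The access-log records, client address and timestamp are constructed for the example.

```ruby
# Added example, not WEBrick's own code: decode the test-case path, show the
# terminal sequence it carries, and demonstrate two defenses.

# Minimal percent-decoder, sufficient for the request path in the test case.
def percent_decode(path)
  path.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# "/%1b%5d%32%3b%6f%77%6e%65%64%07%0a" decodes to ESC ] 2 ; o w n e d BEL LF:
# an xterm OSC 2 sequence ("set window title to 'owned'") terminated by BEL,
# followed by a newline that also splits the log record in two.
TEST_CASE_PATH = "/%1b%5d%32%3b%6f%77%6e%65%64%07%0a"
DECODED_PATH   = percent_decode(TEST_CASE_PATH)   # "/\e]2;owned\a\n"

# Defense 1: escape before writing. Each run of control characters (and
# backslashes, so the output stays unambiguous) is replaced by its Ruby
# literal spelling via String#dump, e.g. ESC -> \e, BEL -> \a, LF -> \n.
# A terminal displaying the log then prints those two-character escapes
# instead of interpreting the raw bytes. Same idea as the upstream fix; the
# implementation is this example's own.
def escape_for_log(data)
  data.gsub(/[[:cntrl:]\\]+/) { |run| run.dump[1...-1] }
end

# Constructed access-log record in common-log shape (client address and
# timestamp are made up for the example).
def access_line(path)
  "127.0.0.1 - - [11/Jan/2010:21:57:59 UTC] \"GET #{path} HTTP/1.1\" 404 0"
end

# What an unescaped logger writes for the test request vs. the escaped form.
UNSAFE_LOG = [access_line("/index.html"), access_line(DECODED_PATH)].join("\n")
SAFE_LOG   = [access_line("/index.html"), access_line(escape_for_log(DECODED_PATH))].join("\n")

# Defense 2: scan logs already on disk before viewing them in a terminal.
# Flags any C0 control byte except TAB and LF (LF is the record separator
# here; the injected one shows up as an extra, malformed record instead).
# Returns [line_number, line] pairs.
RAW_CONTROL = /[\x00-\x08\x0b-\x1f\x7f]/

def suspicious_log_lines(log_text)
  log_text.each_line.with_index(1)
          .select { |line, _| line.chomp =~ RAW_CONTROL }
          .map    { |line, n| [n, line.chomp] }
end

if __FILE__ == $PROGRAM_NAME
  puts "decoded path (inspect): #{DECODED_PATH.inspect}"
  puts "escaped for log:        #{escape_for_log(DECODED_PATH)}"
  puts "records in unsafe log:  #{UNSAFE_LOG.lines.size} (one request became two lines)"
  puts "records in safe log:    #{SAFE_LOG.lines.size}"
  suspicious_log_lines(UNSAFE_LOG).each do |n, line|
    puts "line #{n} contains raw control bytes: #{line.inspect}"
  end
end
```

The scanner is deliberately conservative: anything a terminal could act on (ESC, BEL, CR, and the rest of the C0 range other than TAB) is flagged, not only the OSC sequence from the test case, since the announcement's point is that no control character from a network client belongs in a log. Note that the fix-side function also neutralises the injected newline, which otherwise lets a client forge a second log record.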

Comment 5 Vincent Danen 2010-01-12 03:39:45 UTC
Upstream has also made available 1.8.6p388:

http://ftp.ruby-lang.org/pub/ruby/ruby-1.8.6-p388.tar.bz2

Comment 6 Tomas Hoger 2010-01-12 08:39:46 UTC
(In reply to comment #2)
> Created an attachment (id=383108) [details]
> patch generated by diffing 1.8.7p248 and p249 to fix the issue

http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=26268

Comment 7 Mamoru TASAKA 2010-01-12 19:45:37 UTC
On Fedora rawhide: patch applied on ruby-1.8.6.383-6.fc13.

Comment 8 Mamoru TASAKA 2010-01-12 19:53:12 UTC
Well, bodhi <-> bugzilla interaction doesn't seem to be working currently...

F-12: https://admin.fedoraproject.org/updates/ruby-1.8.6.383-6.fc12
F-11: https://admin.fedoraproject.org/updates/ruby-1.8.6.383-6.fc11

Comment 9 Fedora Update System 2010-01-14 01:25:07 UTC
ruby-1.8.6.383-6.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2010-01-14 01:25:32 UTC
ruby-1.8.6.383-6.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Mamoru TASAKA 2010-01-14 05:31:31 UTC
On Fedora side this is closed.

Comment 17 errata-xmlrpc 2011-06-28 17:22:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:0908 https://rhn.redhat.com/errata/RHSA-2011-0908.html

Comment 18 errata-xmlrpc 2011-06-28 17:33:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0909 https://rhn.redhat.com/errata/RHSA-2011-0909.html
