Bug 554485 - (CVE-2009-4492) CVE-2009-4492 ruby WEBrick log escape sequence
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All, Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
impact=low,source=internet,public=201...
Keywords: Security
Depends On: 554510 554528 709957 709958 709959
Blocks:
Reported: 2010-01-11 15:19 EST by Josh Bressers
Modified: 2015-08-19 04:42 EDT (History)
CC: 5 users

Doc Type: Bug Fix
Last Closed: 2011-06-29 10:33:25 EDT
Attachments
patch generated by diffing 1.8.7p248 and p249 to fix the issue (4.56 KB, patch)
2010-01-11 16:56 EST, Vincent Danen

Description Josh Bressers 2010-01-11 15:19:38 EST
A vulnerability was found in WEBrick, a part of Ruby's standard library. WEBrick lets attackers inject malicious escape sequences into its logs, making it possible for dangerous control characters to be executed on a victim's terminal emulator.

We already have a fix for it. Releases for every active branch are to follow this announcement. But in the meantime, we recommend that you avoid looking at your WEBrick logs until you update your WEBrick process.
Detailed description

Terminal escape sequences are used to allow various forms of interaction between a terminal and an inside process. The problem is that those sequences are not intended to be issued by untrusted sources, such as network inputs. So if a remote attacker could inject escape sequences into WEBrick logs, and a victim happens to consult them through his/her terminal, the attacker could take advantage of various weaknesses in terminal emulators.

http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection/
Comment 2 Vincent Danen 2010-01-11 16:56:52 EST
Created attachment 383108 [details]
patch generated by diffing 1.8.7p248 and p249 to fix the issue
Comment 3 Vincent Danen 2010-01-11 16:57:59 EST
Testcase taken from the ruby blog:

% xterm -e ruby -rwebrick -e 'WEBrick::HTTPServer.new(:Port=>8080).start' &
% wget http://localhost:8080/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
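The description above explains the defect and comment 3 gives the test URL. As an added example, which is neither the bug's attachment nor WEBrick's own code, here is a small Ruby sanitizer that escapes control characters before a request reaches an access or error log, run against that test-case request. It assumes the server logs the decoded request path; the constant and function names are mine.

```ruby
require 'uri'

# Constructed sample: the request wget sends for the test-case URL in comment 3.
# Decoded, the path is "/\e]2;owned\a\n", an xterm OSC "set window title".
RAW_REQUEST_LINE = "GET /%1b%5d%32%3b%6f%77%6e%65%64%07%0a HTTP/1.0"

# Does the string contain any byte a terminal emulator might interpret?
def contains_control_chars?(data)
  !!(data =~ /[[:cntrl:]]/)
end

# Escape runs of control characters and backslashes using Ruby's own dump
# notation ("\e", "\a", "\n", "\\"), so the logged line is printable and a
# terminal displaying it sees no escape sequence.
def escape_for_log(data)
  data.gsub(/[[:cntrl:]\\]+/) { |run| run.dump[1...-1] }
end

# Build an access-log line from a raw request line. Servers commonly log the
# decoded path (for example in a "not found" error message), so percent
# encoding on the wire does not keep control bytes out of the log; only
# escaping at write time does. sanitize: false reproduces the vulnerable case.
def access_log_line(raw_request_line, client_ip: "127.0.0.1", status: 404, sanitize: true)
  method, path, version = raw_request_line.split(" ", 3)
  decoded_path = URI.decode_www_form_component(path)
  request_field = "#{method} #{decoded_path} #{version}"
  request_field = escape_for_log(request_field) if sanitize
  %(#{client_ip} - - "#{request_field}" #{status})
end

if __FILE__ == $0
  unsafe = access_log_line(RAW_REQUEST_LINE, sanitize: false)
  safe   = access_log_line(RAW_REQUEST_LINE)
  # The unsafe line is deliberately not printed raw: on a terminal it would act.
  puts "unsafe line carries control chars: #{contains_control_chars?(unsafe)}"
  puts "sanitized line: #{safe}"
end
```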
Comment 5 Vincent Danen 2010-01-11 22:39:45 EST
Upstream has also made available 1.8.6p388:

http://ftp.ruby-lang.org/pub/ruby/ruby-1.8.6-p388.tar.bz2
Comment 6 Tomas Hoger 2010-01-12 03:39:46 EST
(In reply to comment #2)
> Created an attachment (id=383108) [details]
> patch generated by diffing 1.8.7p248 and p249 to fix the issue

http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=26268
Comment 7 Mamoru TASAKA 2010-01-12 14:45:37 EST
On Fedora rawhide: patch applied on ruby-1.8.6.383-6.fc13.
Comment 8 Mamoru TASAKA 2010-01-12 14:53:12 EST
Well, bodhi <-> bugzilla interaction doesn't seem to be
working currently..

F-12: https://admin.fedoraproject.org/updates/ruby-1.8.6.383-6.fc12
F-11: https://admin.fedoraproject.org/updates/ruby-1.8.6.383-6.fc11
Comment 9 Fedora Update System 2010-01-13 20:25:07 EST
ruby-1.8.6.383-6.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2010-01-13 20:25:32 EST
ruby-1.8.6.383-6.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Mamoru TASAKA 2010-01-14 00:31:31 EST
On Fedora side this is closed.
Comment 17 errata-xmlrpc 2011-06-28 13:22:35 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:0908 https://rhn.redhat.com/errata/RHSA-2011-0908.html
Comment 18 errata-xmlrpc 2011-06-28 13:33:55 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0909 https://rhn.redhat.com/errata/RHSA-2011-0909.html
