A security flaw was found in the way multi_xml gem, a Ruby gem to provide swappable XML backends utilizing LibXML, Nokogiri, Ox, or REXML, performed Symbol and YAML parameters parsing. A remote attacker could use this flaw to execute arbitrary code with the privileges of the Ruby on Rails application using the multi_xml gem via specially-crafted HTTP POST request. References: [1] https://news.ycombinator.com/item?id=5040457 [2] https://gist.github.com/d7f6d9f4925f413621aa [3] https://github.com/sferik/multi_xml/pull/34 [4] http://www.openwall.com/lists/oss-security/2013/01/11/2 [5] http://www.openwall.com/lists/oss-security/2013/01/11/7 [6] https://rubygems.org/gems/multi_xml/versions/0.5.2
This issue affects the version of the rubygem-multi_xml package, as shipped with Fedora release of 17. Please schedule an update.
Created rubygem-multi_xml tracking bugs for this issue Affects: fedora-17 [bug 894385]
rubygem-multi_xml-0.4.1-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-multi_xml-0.4.1-4.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.