From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org)
	by nuthatch.gentoo.org with esmtp (Exim 4.43)
	id 1Drzgr-0000gU-CB
	for garchives@archives.gentoo.org; Mon, 11 Jul 2005 14:55:25 +0000
Received: from robin.gentoo.org (localhost [127.0.0.1])
	by robin.gentoo.org (8.13.4/8.13.4) with SMTP id j6BErBpK014288;
	Mon, 11 Jul 2005 14:53:11 GMT
Received: from smtp.gentoo.org (smtp.gentoo.org [134.68.220.30])
	by robin.gentoo.org (8.13.4/8.13.4) with ESMTP id j6BEg6dJ007639
	for <gentoo-announce@lists.gentoo.org>; Mon, 11 Jul 2005 14:42:07 GMT
Received: from car75-2-82-66-60-148.fbx.proxad.net ([82.66.60.148])
	by smtp.gentoo.org with esmtpa (Exim 4.43)
	id 1DrzUc-00034P-32; Mon, 11 Jul 2005 14:42:46 +0000
Message-ID: <42D28560.1050709@gentoo.org>
Date: Mon, 11 Jul 2005 16:42:40 +0200
From: Thierry Carrez <koon@gentoo.org>
Organization: Gentoo Linux
User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050326)
X-Accept-Language: en-us, en
Precedence: bulk
List-Post: <mailto:gentoo-announce@lists.gentoo.org>
List-Help: <mailto:gentoo-announce+help@gentoo.org>
List-Unsubscribe: <mailto:gentoo-announce+unsubscribe@gentoo.org>
List-Subscribe: <mailto:gentoo-announce+subscribe@gentoo.org>
List-Id: Gentoo Linux mail <gentoo-announce.gentoo.org>
X-BeenThere: gentoo-announce@gentoo.org
MIME-Version: 1.0
To: gentoo-announce@lists.gentoo.org
CC: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk,
        security-alerts@linuxsecurity.com
Subject: [gentoo-announce] [ GLSA 200507-10 ] Ruby: Arbitrary command execution through XML-RPC
X-Enigmail-Version: 0.90.2.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="------------enigFD1697B63BE6CB66C6B7AF03"
X-Archives-Salt: 3247da67-d7c8-46e9-a161-4d91efc4a755
X-Archives-Hash: ab17083f41924b3719f99c4213653c6d

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigFD1697B63BE6CB66C6B7AF03
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200507-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Ruby: Arbitrary command execution through XML-RPC
      Date: July 11, 2005
      Bugs: #96784
        ID: 200507-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in XMLRPC.iPIMethods allows remote attackers to execute
arbitrary commands.

Background
==========

Ruby is an interpreted scripting language for quick and easy
object-oriented programming. XML-RPC is a remote procedure call
protocol encoded in XML.

Affected packages
=================

    -------------------------------------------------------------------
     Package        /  Vulnerable  /                        Unaffected
    -------------------------------------------------------------------
  1  dev-lang/ruby     < 1.8.2-r2                          >= 1.8.2-r2

Description
===========

Nobuhiro IMAI reported that an invalid default value in "utils.rb"
causes the security protections of the XML-RPC server to fail.

Impact
======

A remote attacker could exploit this vulnerability to execute arbitrary
commands.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Ruby users should upgrade to the latest available version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.2-r2"

References
==========

  [ 1 ] CAN-2005-1992
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1992
  [ 2 ] Ruby Security Announcement
        http://www.ruby-lang.org/en/20050701.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200507-10.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


--------------enigFD1697B63BE6CB66C6B7AF03
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC0oVlvcL1obalX08RAisoAJ4+UQQW6B8yZ/m/T3d/vCS2E6YELwCfWQM3
4aoNYZPciOKffME9vr1r+kk=
=B50M
-----END PGP SIGNATURE-----

--------------enigFD1697B63BE6CB66C6B7AF03--
-- 
gentoo-announce@gentoo.org mailing list