Bugzilla – Bug 570616
VUL-1: CVE-2009-4492: ruby webrick doesn't sanitize non-printable characters in log
Last modified: 2015-03-18 06:42:39 UTC
The issue is public.

-------8<-------
======================================================
Name: CVE-2009-4492

WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.

Reference: MISC: http://www.ush.it/team/ush/hack_httpd_escape/adv.txt
Reference: BID: http://www.securityfocus.com/bid/37710
Reference: BUGTRAQ: http://www.securityfocus.com/archive/1/archive/1/508830/100/0/threaded
Reference: CONFIRM: http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection
Reference: SECTRACK: http://securitytracker.com/id?1023429
Reference: SECUNIA: http://secunia.com/advisories/37949
for planned updates
mass change from P5 to P3
reproducer:
[[[
xterm -e ruby -rwebrick -e 'WEBrick::HTTPServer.new(:Port=>8080).start' &
wget http://localhost:8080/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
]]]
With an unpatched ruby the xterm title will be changed to "owned".

packages submitted.
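An added example of the defensive side of this bug (my own code, not WEBrick's patch): percent-decode the request path the way the server does before it lands in an error message, then render every control byte as a printable escape so a terminal showing the log never receives the sequence. The `not_found_message` wording and the '+'-to-space behaviour of the decoder are assumptions, not WEBrick's API.

```ruby
require 'uri'

# Added example, not WEBrick's own patch: sanitize a request path before it is
# written to an access or error log, so an encoded terminal escape sequence
# (as in the xterm reproducer above) never reaches a terminal that shows the log.
module LogEscape
  # control bytes (0x00-0x1f, 0x7f) plus backslash, which the escaping itself uses
  CONTROL = /[\x00-\x1f\x7f\\]/

  # Percent-decode a request path; an undecodable path is logged as received.
  # (decode_www_form_component also maps '+' to a space, unlike a pure path decoder.)
  def self.decode(path)
    URI.decode_www_form_component(path)
  rescue ArgumentError
    path
  end

  # Detection helper: true while the string still carries a raw control byte.
  def self.unsafe_for_terminal?(str)
    str.match?(/[\x00-\x1f\x7f]/)
  end

  # Render every control byte and backslash as a visible, printable escape.
  def self.escape(str)
    str.gsub(CONTROL) do |ch|
      case ch
      when "\e" then "\\e"
      when "\n" then "\\n"
      when "\r" then "\\r"
      when "\t" then "\\t"
      when "\\" then "\\\\"
      else format("\\x%02x", ch.ord)
      end
    end
  end

  # Error line in the shape of a file handler's "not found" message (assumed
  # wording), built only from the sanitized path.
  def self.not_found_message(raw_path)
    "`#{escape(decode(raw_path))}' not found."
  end
end

if __FILE__ == $PROGRAM_NAME
  # constructed input: the request path used by the reproducer above
  req = "/%1b%5d%32%3b%6f%77%6e%65%64%07%0a"
  puts LogEscape.not_found_message(req)  # prints `/\e]2;owned\x07\n' not found.
end
```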
The SWAMPID for this issue is 38896. This issue was rated as important. Please submit fixed packages until 2011-03-01. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Created attachment 425197 [details] webrick.rb

Unfortunately ruby-1.8.x_accesslog_escape.patch leads to a regression. Related part of the ruby test suite output:

test_bad_messages(TestWEBrickHTTPRequest) [../rubytests/webrick/test_httprequest.rb:240]:
<WEBrick::HTTPStatus::LengthRequired> exception expected but was
Class: <ArgumentError>
Message: <"wrong number of arguments (0 for 1)">
---Backtrace---
/usr/lib64/ruby/1.8/webrick/httprequest.rb:287:in `initialize'
/usr/lib64/ruby/1.8/webrick/httprequest.rb:287:in `exception'
/usr/lib64/ruby/1.8/webrick/httprequest.rb:287:in `raise'
/usr/lib64/ruby/1.8/webrick/httprequest.rb:287:in `read_body'
/usr/lib64/ruby/1.8/webrick/httprequest.rb:126:in `body'
../rubytests/webrick/test_httprequest.rb:243:in `test_bad_messages'
../rubytests/webrick/test_httprequest.rb:240:in `test_bad_messages'

Test Webrick log while accessing the index page with a browser:

ytsarev.suse.cz - - [15/Apr/2011:14:05:08 CEST] "GET / HTTP/1.1" 500 322 - -> /
[2011-04-15 14:05:08] ERROR ArgumentError: wrong number of arguments (0 for 1)
/usr/lib64/ruby/1.8/webrick/httpservlet/filehandler.rb:34:in `initialize'
/usr/lib64/ruby/1.8/webrick/httpservlet/filehandler.rb:34:in `exception'
/usr/lib64/ruby/1.8/webrick/httpservlet/filehandler.rb:34:in `raise'
/usr/lib64/ruby/1.8/webrick/httpservlet/filehandler.rb:34:in `do_GET'
/usr/lib64/ruby/1.8/webrick/httpservlet/abstract.rb:35:in `__send__'
/usr/lib64/ruby/1.8/webrick/httpservlet/abstract.rb:35:in `service'
/usr/lib64/ruby/1.8/webrick/httpservlet/filehandler.rb:236:in `exec_handler'
/usr/lib64/ruby/1.8/webrick/httpservlet/filehandler.rb:171:in `do_GET'
/usr/lib64/ruby/1.8/webrick/httpservlet/abstract.rb:35:in `__send__'
/usr/lib64/ruby/1.8/webrick/httpservlet/abstract.rb:35:in `service'
/usr/lib64/ruby/1.8/webrick/httpservlet/filehandler.rb:167:in `service'
/usr/lib64/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/lib64/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/lib64/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib64/ruby/1.8/webrick/server.rb:162:in `start'
/usr/lib64/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib64/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib64/ruby/1.8/webrick/server.rb:92:in `each'
/usr/lib64/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib64/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib64/ruby/1.8/webrick/server.rb:82:in `start'
/tmp/webrick.rb:13

Ruby script to launch and test webrick attached. Putting a dummy index.html under /srw/www/htdocs is a must to reproduce.
fixed patch submitted.
Update released for: ruby, ruby-debuginfo, ruby-debugsource, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk

Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SLMS 1.1 (x86_64)
SLE-STUDIOONSITE 1.1 (x86_64)
SLE-WEBYAST 1.0-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-WEBYAST 1.1 (i386, x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
all released