Ruby 1.8 XMLRPC Server Arbitrary Command Execution
A vulnerability was found in the Ruby 1.8 XMLRPC server. It could allow arbitrary command execution on a server running it.
The fixed versions of the ruby1.8 package in Debian are 1.8.2-7sarge1 in stable and 1.8.2-8 in unstable. According to the Package Tracking System, the testing version is still the vulnerable 1.8.2-7, because ncurses, which ruby1.8 depends on, has a release-critical bug. 1.8.2-9 in unstable has not yet entered testing. Testing users, please be careful.
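To check a host against the versions above, the comparison has to follow Debian's version ordering, where 1.8.2-7 < 1.8.2-7sarge1 < 1.8.2-8. The following is an added example, not code from the ruby1.8 package or Debian; the function names are hypothetical, and treating every version at or above 1.8.2-7sarge1 as fixed is an assumption.

```ruby
# Added example: Debian version ordering, enough to compare ruby1.8 package versions.
# Usage: ruby check.rb "$(dpkg-query -W -f='${Version}' ruby1.8)"
FIXED_STABLE = "1.8.2-7sarge1" # fixed version in stable, as stated above

# dpkg sort weight of one character: "~" < end of string < letters < everything else.
def char_order(c)
  return 0 if c.nil?
  return -1 if c == "~"
  c =~ /[A-Za-z]/ ? c.ord : c.ord + 256
end

# Compare one component (upstream or revision) by alternating non-digit and digit runs.
def compare_part(a, b)
  a, b = a.dup, b.dup
  until a.empty? && b.empty?
    na, nb = a.slice!(/\A\D*/), b.slice!(/\A\D*/)
    [na.size, nb.size].max.times do |i|
      d = char_order(na[i]) <=> char_order(nb[i])
      return d unless d.zero?
    end
    d = a.slice!(/\A\d*/).to_i <=> b.slice!(/\A\d*/).to_i
    return d unless d.zero?
  end
  0
end

# Split "[epoch:]upstream[-revision]" into its three components.
def split_version(v)
  epoch, rest = v.include?(":") ? v.split(":", 2) : ["0", v]
  upstream, revision = rest.include?("-") ? rest.rpartition("-").values_at(0, 2) : [rest, ""]
  [epoch.to_i, upstream, revision]
end

# Returns -1, 0 or 1, like <=>.
def compare_versions(x, y)
  ex, ux, rx = split_version(x)
  ey, uy, ry = split_version(y)
  [ex <=> ey, compare_part(ux, uy), compare_part(rx, ry)].find { |d| !d.zero? } || 0
end

# Assumption: any version that sorts at or after the stable fix carries the fix.
def fixed?(installed)
  compare_versions(installed, FIXED_STABLE) >= 0
end

if __FILE__ == $0 && ARGV[0]
  puts "#{ARGV[0]}: #{fixed?(ARGV[0]) ? 'fixed' : 'VULNERABLE'}"
end
```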
As of 1.8.2-9 the architecture name for LOAD_PATH has been changed from
i486-linux. I quote from News.Debian in ruby1.8:
On ix86 architecture, $LOAD_PATH is changed as follows:

    /usr/local/lib/site_ruby/1.8
    /usr/local/lib/site_ruby/1.8/i486-linux
    /usr/local/lib/site_ruby
    /usr/lib/ruby/1.8
    /usr/lib/ruby/1.8/i486-linux
    .

This change is brought to follow the change of dpkg 1.13. It changed architecture name to "i486-linux-gnu" from "i386-linux". If you locally build extension libraries, please rebuild it with this version of ruby1.8-dev package.

NOTE: In this version, ruby1.8 temporarily searches files in /usr/local/lib/site_ruby/1.8/i386-linux and /usr/lib/ruby/1.8/i386-linux.