
RedHanded

Ruby 1.8 XMLRPC Server Arbitrary Command Execution

by daigo in cult

A vulnerability has been found in the XML-RPC server library in Ruby 1.8's standard library. It can allow a remote client to execute arbitrary commands on a host that runs an XML-RPC server built on that library.

The fixed versions of the ruby1.8 package in Debian are 1.8.2-7sarge1 in stable and 1.8.2-8 in unstable. According to the Package Tracking System, testing still has the vulnerable 1.8.2-7, because ncurses, which ruby1.8 depends on, has a release-critical bug, so 1.8.2-9 (the current unstable package) has not entered testing yet. Testing users, please be careful: check the Version field printed by dpkg -s ruby1.8 before assuming you are fixed.
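A way to check whether an installed ruby1.8 package predates the fixed versions above, as an added example that is not from the post and not dpkg's own code: it reimplements dpkg's documented version ordering in Ruby (epoch, upstream version and Debian revision compared segment by segment, digit runs numerically, a tilde sorting before everything else) so that a revision such as 7sarge1 correctly sorts between 7 and 8. The fixed-version table is taken from the post; the installed versions in the sample run are constructed. On a Debian host you would normally just run dpkg --compare-versions with the same arguments.

```ruby
# Debian-style version comparison, written for this post (not dpkg's code,
# though it follows dpkg's documented ordering rules).

def digit?(c)
  !c.nil? && c >= '0' && c <= '9'
end

# Ordering of one character inside a non-digit run: '~' sorts before the end
# of the string, letters sort before non-letters, digits and end are 0.
def deb_char_order(c)
  return 0 if c.nil? || digit?(c)
  return c.ord if c =~ /\A[A-Za-z]\z/
  return -1 if c == '~'
  c.ord + 256
end

# Compare two version fragments (upstream version or Debian revision).
# Returns -1, 0 or 1.
def deb_fragment_cmp(a, b)
  i = j = 0
  while i < a.size || j < b.size
    # non-digit run, character by character
    while (i < a.size && !digit?(a[i])) || (j < b.size && !digit?(b[j]))
      ac = deb_char_order(a[i])
      bc = deb_char_order(b[j])
      return ac <=> bc if ac != bc
      i += 1
      j += 1
    end
    # numeric run: strip leading zeros, then compare digit strings
    i += 1 while a[i] == '0'
    j += 1 while b[j] == '0'
    first_diff = 0
    while digit?(a[i]) && digit?(b[j])
      first_diff = a[i] <=> b[j] if first_diff == 0
      i += 1
      j += 1
    end
    return 1 if digit?(a[i])    # a has more digits left, so it is larger
    return -1 if digit?(b[j])
    return first_diff if first_diff != 0
  end
  0
end

# Split "[epoch:]upstream[-revision]" into its parts; a missing epoch is 0,
# a missing revision is the empty string (which compares equal to "0").
def deb_split(version)
  epoch, rest = version.include?(':') ? version.split(':', 2) : ['0', version]
  if rest.include?('-')
    upstream, _sep, revision = rest.rpartition('-')
  else
    upstream, revision = rest, ''
  end
  [epoch.to_i, upstream, revision]
end

def deb_version_cmp(x, y)
  ex, ux, rx = deb_split(x)
  ey, uy, ry = deb_split(y)
  return ex <=> ey if ex != ey
  c = deb_fragment_cmp(ux, uy)
  return c if c != 0
  deb_fragment_cmp(rx, ry)
end

# Fixed ruby1.8 versions named in the post, keyed by suite.
FIXED_RUBY18 = { 'stable' => '1.8.2-7sarge1', 'unstable' => '1.8.2-8' }.freeze

# True when +installed+ is older than the fixed package for +suite+.
def ruby18_vulnerable?(installed, suite)
  deb_version_cmp(installed, FIXED_RUBY18.fetch(suite)) < 0
end

if __FILE__ == $0
  # Constructed sample: the testing version from the post plus the fixed ones.
  %w[1.8.2-7 1.8.2-7sarge1 1.8.2-8 1.8.2-9].each do |v|
    state = ruby18_vulnerable?(v, 'stable') ? 'VULNERABLE' : 'fixed'
    puts "#{v}: #{state} against the stable fix"
  end
end
```

Note that 1.8.2-7sarge1 counts as fixed against the stable threshold but as older than the unstable fix 1.8.2-8, which is exactly why the suite matters when reading a version number.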

As of 1.8.2-9 the architecture directory name used in $LOAD_PATH has changed from i386-linux to i486-linux, so locally built extension libraries installed under the old name need rebuilding. Quoting NEWS.Debian from ruby1.8:

  On ix86 architecture, $LOAD_PATH is changed as follows:

    /usr/local/lib/site_ruby/1.8
    /usr/local/lib/site_ruby/1.8/i486-linux
    /usr/local/lib/site_ruby
    /usr/lib/ruby/1.8
    /usr/lib/ruby/1.8/i486-linux
    .

  This change is brought to follow the change of dpkg 1.13.  It changed
  architecture name to "i486-linux-gnu" from "i386-linux".

  If you locally build extension libraries, please rebuild them with this
  version of ruby1.8-dev package.

  NOTE: In this version, ruby1.8 temporarily searches files in
  /usr/local/lib/site_ruby/1.8/i386-linux and /usr/lib/ruby/1.8/i386-linux.
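A small check for the directory rename, as an added example that is not part of the post or of the ruby1.8 package: given a load path and a listing of site_ruby, it reports which locally built extensions still exist only under the old i386-linux directory and therefore depend on the temporary fallback search that the NOTE above describes. The load path below is the one quoted from NEWS.Debian; the directory listing is constructed (fastxml.so and mmap.so are made-up extension names), and site_ruby_extensions is the live equivalent for a real host.

```ruby
require 'rbconfig'

OLD_ARCH = 'i386-linux'.freeze   # directory name dropped in ruby1.8 1.8.2-9
NEW_ARCH = 'i486-linux'.freeze   # directory name used from 1.8.2-9 on

# $LOAD_PATH as NEWS.Debian lists it for 1.8.2-9 on ix86, reproduced here so
# the check runs without that ruby installed; on a real host pass $LOAD_PATH.
NEW_LOAD_PATH = %w[
  /usr/local/lib/site_ruby/1.8
  /usr/local/lib/site_ruby/1.8/i486-linux
  /usr/local/lib/site_ruby
  /usr/lib/ruby/1.8
  /usr/lib/ruby/1.8/i486-linux
  .
].freeze

# Constructed directory listing standing in for a scan of site_ruby:
# fastxml.so was built only for the old arch dir, mmap.so has been rebuilt.
SAMPLE_SITE_FILES = %w[
  /usr/local/lib/site_ruby/1.8/i386-linux/fastxml.so
  /usr/local/lib/site_ruby/1.8/i386-linux/mmap.so
  /usr/local/lib/site_ruby/1.8/i486-linux/mmap.so
  /usr/local/lib/site_ruby/1.8/helper.rb
].freeze

# True when the load path contains an arch-specific directory named +arch+.
# On a real host pass RbConfig::CONFIG['arch'] and $LOAD_PATH.
def load_path_has_arch?(load_path, arch)
  load_path.any? { |d| File.basename(d) == arch }
end

# Extensions (.so) that live under the old arch dir with no rebuilt copy at
# the same path under the new arch dir. Once the fallback search goes away
# they will fail to load, so they need a rebuild with the matching ruby1.8-dev.
def extensions_needing_rebuild(files, old_arch = OLD_ARCH, new_arch = NEW_ARCH)
  files.select do |f|
    File.extname(f) == '.so' &&
      File.basename(File.dirname(f)) == old_arch &&
      !files.include?(f.sub("/#{old_arch}/", "/#{new_arch}/"))
  end
end

# Live listing for a real check (not used by the sample data above).
def site_ruby_extensions(root = '/usr/local/lib/site_ruby')
  Dir.glob(File.join(root, '**', '*.so'))
end

if __FILE__ == $0
  arch = RbConfig::CONFIG['arch']
  puts "running ruby's load path knows #{arch}: #{load_path_has_arch?($LOAD_PATH, arch)}"
  puts "1.8.2-9 load path knows #{NEW_ARCH}: #{load_path_has_arch?(NEW_LOAD_PATH, NEW_ARCH)}"
  extensions_needing_rebuild(SAMPLE_SITE_FILES).each { |f| puts "rebuild: #{f}" }
end
```

On an actual 1.8.2-9 host, replace SAMPLE_SITE_FILES with site_ruby_extensions and NEW_LOAD_PATH with $LOAD_PATH; anything the check lists only loads today because of the temporary i386-linux fallback.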
