libruby1.8: CGI::Session creates files insecurely

Bug #7128 reported by Debian Bug Importer on 2004-07-22
6
Affects Status Importance Assigned to Milestone
ruby1.8 (Debian)
Fix Released
Unknown
ruby1.8 (Ubuntu)
High
LaMont Jones

Bug Description

Automatically imported from Debian bug report #260779 http://bugs.debian.org/260779

Debian Bug Importer (debzilla) wrote :

Automatically imported from Debian bug report #260779 http://bugs.debian.org/260779

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 22 Jul 2004 03:14:19 -0400
From: Andres Salomon <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: libruby1.8: CGI::Session creates files insecurely

Package: libruby1.8
Version: 1.8.1+1.8.2pre1-3
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

I just noticed that CGI::Session's FileStore (and presumably PStore)
implementations store session information insecurely. They simply
create files, ignoring permission issues. I assume the only thing
affecting permissions is the value of umask. For both my user, as
well as www-data, session files end up in /tmp with permission
0644. This is quite bad; an unsuspecting user might be storing
sensitive information in session variables, assuming that the class
stores data securely.

The following script illustrates the problem:

#!/usr/bin/ruby -w

require 'cgi'
require 'cgi/session'

cgi = CGI.new('html4')
session = CGI::Session.new(cgi, 'prefix' => 'blah_')
Kernel.system("ls -l " + Dir.glob("/tmp/blah_*").join(" "))

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.7-1-k7
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages libruby1.8 depends on:
ii libc6 2.3.2.ds1-13 GNU C Library: Shared libraries an

-- no debconf information

On Thu, Jul 22, 2004 at 03:14:19AM -0400, Andres Salomon wrote:

> Package: libruby1.8
> Version: 1.8.1+1.8.2pre1-3
> Severity: grave
> Tags: security upstream
> Justification: user security hole
>
> Hi,
>
> I just noticed that CGI::Session's FileStore (and presumably PStore)
> implementations store session information insecurely. They simply
> create files, ignoring permission issues. I assume the only thing
> affecting permissions is the value of umask. For both my user, as
> well as www-data, session files end up in /tmp with permission
> 0644. This is quite bad; an unsuspecting user might be storing
> sensitive information in session variables, assuming that the class
> stores data securely.

I assume 1.8.1-9 in stable has the same problem?

--
 - mdz

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 22 Jul 2004 08:57:20 -0700
From: Matt Zimmerman <email address hidden>
To: Andres Salomon <email address hidden>, <email address hidden>
Subject: Re: Bug#260779: libruby1.8: CGI::Session creates files insecurely

On Thu, Jul 22, 2004 at 03:14:19AM -0400, Andres Salomon wrote:

> Package: libruby1.8
> Version: 1.8.1+1.8.2pre1-3
> Severity: grave
> Tags: security upstream
> Justification: user security hole
>
> Hi,
>
> I just noticed that CGI::Session's FileStore (and presumably PStore)
> implementations store session information insecurely. They simply
> create files, ignoring permission issues. I assume the only thing
> affecting permissions is the value of umask. For both my user, as
> well as www-data, session files end up in /tmp with permission
> 0644. This is quite bad; an unsuspecting user might be storing
> sensitive information in session variables, assuming that the class
> stores data securely.

I assume 1.8.1-9 in stable has the same problem?

--
 - mdz

On Thu, 2004-07-22 at 08:57 -0700, Matt Zimmerman wrote:
> On Thu, Jul 22, 2004 at 03:14:19AM -0400, Andres Salomon wrote:
>
[...]
> > 0644. This is quite bad; an unsuspecting user might be storing
> > sensitive information in session variables, assuming that the class
> > stores data securely.
>
> I assume 1.8.1-9 in stable has the same problem?
>

You mean the ruby packages in stable (1.6.7-3)? The behavior in Woody
is the same.

--
Andres Salomon <email address hidden>

On Thu, Jul 22, 2004 at 05:37:55PM -0400, Andres Salomon wrote:

> On Thu, 2004-07-22 at 08:57 -0700, Matt Zimmerman wrote:
> > On Thu, Jul 22, 2004 at 03:14:19AM -0400, Andres Salomon wrote:
> >
> [...]
> > > 0644. This is quite bad; an unsuspecting user might be storing
> > > sensitive information in session variables, assuming that the class
> > > stores data securely.
> >
> > I assume 1.8.1-9 in stable has the same problem?
> >
>
> You mean the ruby packages in stable (1.6.7-3)? The behavior in Woody
> is the same.

Right, I read the display crooked. :-)

Please keep the security team in the loop.

--
 - mdz

forwarded 260779 <email address hidden>

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 22 Jul 2004 17:37:55 -0400
From: Andres Salomon <email address hidden>
To: Matt Zimmerman <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#260779: libruby1.8: CGI::Session creates files insecurely

--=-q9qcgbeVGrSAhqlSZEjX
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

On Thu, 2004-07-22 at 08:57 -0700, Matt Zimmerman wrote:
> On Thu, Jul 22, 2004 at 03:14:19AM -0400, Andres Salomon wrote:
>=20
[...]
> > 0644. This is quite bad; an unsuspecting user might be storing
> > sensitive information in session variables, assuming that the class
> > stores data securely.
>=20
> I assume 1.8.1-9 in stable has the same problem?
>=20

You mean the ruby packages in stable (1.6.7-3)? The behavior in Woody
is the same.

--=20
Andres Salomon <email address hidden>

--=-q9qcgbeVGrSAhqlSZEjX
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQBBADOy78o9R9NraMQRAusgAJsHREZ3/t3xUXXWSZJti/spFrwLcQCeKFsG
5XLdVQB9M80vhulQhca6hIQ=
=KJBb
-----END PGP SIGNATURE-----

--=-q9qcgbeVGrSAhqlSZEjX--

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 22 Jul 2004 14:54:31 -0700
From: Matt Zimmerman <email address hidden>
To: Andres Salomon <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#260779: libruby1.8: CGI::Session creates files insecurely

On Thu, Jul 22, 2004 at 05:37:55PM -0400, Andres Salomon wrote:

> On Thu, 2004-07-22 at 08:57 -0700, Matt Zimmerman wrote:
> > On Thu, Jul 22, 2004 at 03:14:19AM -0400, Andres Salomon wrote:
> >
> [...]
> > > 0644. This is quite bad; an unsuspecting user might be storing
> > > sensitive information in session variables, assuming that the class
> > > stores data securely.
> >
> > I assume 1.8.1-9 in stable has the same problem?
> >
>
> You mean the ruby packages in stable (1.6.7-3)? The behavior in Woody
> is the same.

Right, I read the display crooked. :-)

Please keep the security team in the loop.

--
 - mdz

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 23 Jul 2004 07:11:11 +0900
From: akira yamada <email address hidden>
To: <email address hidden>
Subject: =?ISO-2022-JP?B?KBskQjdvTD4kSiQ3GyhCKQ==?=

forwarded 260779 <email address hidden>

Download full text (11.2 KiB)

Source: ruby1.8
Source-Version: 1.8.1+1.8.2pre1-4

We believe that the bug you reported is fixed in the latest version of
ruby1.8, which is due to be installed in the Debian FTP archive:

irb1.8_1.8.1+1.8.2pre1-4_all.deb
  to pool/main/r/ruby1.8/irb1.8_1.8.1+1.8.2pre1-4_all.deb
libbigdecimal-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libbigdecimal-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libcurses-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libcurses-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libdbm-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libdbm-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libdl-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libdl-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libdrb-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
  to pool/main/r/ruby1.8/libdrb-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
liberb-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
  to pool/main/r/ruby1.8/liberb-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
libgdbm-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libgdbm-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libiconv-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libiconv-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libopenssl-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libopenssl-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libpty-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libpty-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libracc-runtime-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libracc-runtime-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libreadline-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libreadline-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
librexml-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
  to pool/main/r/ruby1.8/librexml-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
libruby1.8-dbg_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libruby1.8-dbg_1.8.1+1.8.2pre1-4_i386.deb
libruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libsdbm-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libsdbm-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libsoap-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
  to pool/main/r/ruby1.8/libsoap-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
libstrscan-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libstrscan-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libsyslog-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libsyslog-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libtcltk-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libtcltk-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libtest-unit-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
  to pool/main/r/ruby1.8/libtest-unit-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
libtk-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libtk-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libwebrick-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
  to pool/main/r/ruby1.8/libwebrick-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
libxmlrpc-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
  to pool/main/r/ruby1.8/libxmlrpc-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
libyaml-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libyaml-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libzlib-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libzlib-ruby1.8_1.8.1+1.8.2pre1-4_i386...

Debian Bug Importer (debzilla) wrote :
Download full text (11.4 KiB)

Message-Id: <email address hidden>
Date: Thu, 22 Jul 2004 20:47:07 -0400
From: akira yamada <email address hidden>
To: <email address hidden>
Subject: Bug#260779: fixed in ruby1.8 1.8.1+1.8.2pre1-4

Source: ruby1.8
Source-Version: 1.8.1+1.8.2pre1-4

We believe that the bug you reported is fixed in the latest version of
ruby1.8, which is due to be installed in the Debian FTP archive:

irb1.8_1.8.1+1.8.2pre1-4_all.deb
  to pool/main/r/ruby1.8/irb1.8_1.8.1+1.8.2pre1-4_all.deb
libbigdecimal-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libbigdecimal-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libcurses-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libcurses-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libdbm-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libdbm-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libdl-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libdl-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libdrb-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
  to pool/main/r/ruby1.8/libdrb-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
liberb-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
  to pool/main/r/ruby1.8/liberb-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
libgdbm-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libgdbm-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libiconv-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libiconv-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libopenssl-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libopenssl-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libpty-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libpty-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libracc-runtime-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libracc-runtime-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libreadline-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libreadline-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
librexml-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
  to pool/main/r/ruby1.8/librexml-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
libruby1.8-dbg_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libruby1.8-dbg_1.8.1+1.8.2pre1-4_i386.deb
libruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libsdbm-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libsdbm-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libsoap-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
  to pool/main/r/ruby1.8/libsoap-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
libstrscan-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libstrscan-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libsyslog-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libsyslog-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libtcltk-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libtcltk-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libtest-unit-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
  to pool/main/r/ruby1.8/libtest-unit-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
libtk-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
  to pool/main/r/ruby1.8/libtk-ruby1.8_1.8.1+1.8.2pre1-4_i386.deb
libwebrick-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
  to pool/main/r/ruby1.8/libwebrick-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
libxmlrpc-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
  to pool/main/r/ruby1.8/libxmlrpc-ruby1.8_1.8.1+1.8.2pre1-4_all.deb
...

Request sync.

reopen 260779
tags 260779 + woody sarge
thanks

Thanks for the fast fix for sid. Unfortunately, this bug is also in
woody and sarge. For woody, a proper security update should be done.
For sarge.. well, hopefully ruby1.8 will make it in there quickly. This
bug should be kept around until it does, so that sarge isn't releasing
w/ this problem.

--
Andres Salomon <email address hidden>

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 23 Jul 2004 16:59:49 -0400
From: Andres Salomon <email address hidden>
To: <email address hidden>
Subject: open in sarge/woody

--=-E37MQzT9P5UXgDqWsacq
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

reopen 260779
tags 260779 + woody sarge
thanks

Thanks for the fast fix for sid. Unfortunately, this bug is also in
woody and sarge. For woody, a proper security update should be done.
For sarge.. well, hopefully ruby1.8 will make it in there quickly. This
bug should be kept around until it does, so that sarge isn't releasing
w/ this problem.

--=20
Andres Salomon <email address hidden>

--=-E37MQzT9P5UXgDqWsacq
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQBBAXxE78o9R9NraMQRAsrSAKCnWUk1eKi1SEv0ewvIg4MJFU2kUgCePkSY
9ueJHyH/6DnGWUH9SHNsp40=
=T9Ve
-----END PGP SIGNATURE-----

--=-E37MQzT9P5UXgDqWsacq--

 # fixed version has propagated to testing
tag 260779 - sarge

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 5 Aug 2004 20:08:34 +0200
From: Frank Lichtenheld <email address hidden>
To: <email address hidden>
Subject: tagging 260779

 # fixed version has propagated to testing
tag 260779 - sarge

> Thanks for the fast fix for sid. Unfortunately, this bug is also in
> woody and sarge. For woody, a proper security update should be done.
> For sarge.. well, hopefully ruby1.8 will make it in there quickly. This
> bug should be kept around until it does, so that sarge isn't releasing
> w/ this problem.

DSA-537-1 was published.
--
akira yamada <URL:http://arika.org>

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 19 Aug 2004 12:27:25 +0900
From: akira yamada <email address hidden>
To: Andres Salomon <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#260779: open in sarge/woody

> Thanks for the fast fix for sid. Unfortunately, this bug is also in
> woody and sarge. For woody, a proper security update should be done.
> For sarge.. well, hopefully ruby1.8 will make it in there quickly. This
> bug should be kept around until it does, so that sarge isn't releasing
> w/ this problem.

DSA-537-1 was published.
--
akira yamada <URL:http://arika.org>

*** Bug 7578 has been marked as a duplicate of this bug. ***

Matt Zimmerman (mdz) wrote :

See also Bug#7578 for another ruby vulnerability that needs to be fixed.

Since there are many changes since Warty, I've asked LaMont to regression-test
the builds before we sync

Matt Zimmerman (mdz) wrote :

sync complete

Changed in ruby1.8:
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.