libruby1.8: CGI::Session creates files insecurely
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
ruby1.8 (Debian) | Fix Released | Unknown | | |
ruby1.8 (Ubuntu) | Fix Released | High | LaMont Jones | |
Bug Description
Automatically imported from Debian bug report #260779 http://
Debian Bug Importer (debzilla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Message-Id: <email address hidden>
Date: Thu, 22 Jul 2004 03:14:19 -0400
From: Andres Salomon <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: libruby1.8: CGI::Session creates files insecurely
Package: libruby1.8
Version: 1.8.1+1.8.2pre1-3
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
I just noticed that CGI::Session's FileStore (and presumably PStore)
implementations store session information insecurely. They simply
create files, ignoring permission issues. I assume the only thing
affecting permissions is the value of umask. For both my user, as
well as www-data, session files end up in /tmp with permission
0644. This is quite bad; an unsuspecting user might be storing
sensitive information in session variables, assuming that the class
stores data securely.
The following script illustrates the problem:
#!/usr/bin/ruby -w
require 'cgi'
require 'cgi/session'
cgi = CGI.new('html4')
session = CGI::Session.
Kernel.system("ls -l " + Dir.glob(
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.7-1-k7
Locale: LANG=en_US, LC_CTYPE=en_US
Versions of packages libruby1.8 depends on:
ii libc6 2.3.2.ds1-13 GNU C Library: Shared libraries an
-- no debconf information
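The permission behaviour described in the report above, as an added example that is not part of the original thread and is not Ruby's CGI::Session code: a plain open leaves the mode to the umask, while passing 0600 with O_EXCL at creation keeps the file private. The file names, the sample payload and the umask of 022 (consistent with the 0644 the report observed) are assumptions.

```ruby
require 'tmpdir'

# Constructed session payload; not real data.
SAMPLE = "user=alice&token=constructed-example\n"

# Pattern the report describes: a plain open, so the file mode is
# 0666 masked by whatever umask the process happens to have.
def write_default(path, data)
  File.open(path, 'w') { |f| f.write(data) }
end

# Hardened pattern: ask for 0600 at creation time and fail if the path
# already exists (O_EXCL), which matters in a shared directory like /tmp.
def write_private(path, data)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(data)
  end
end

# Audit helper: regular files in dir that grant any group/other access.
def exposed_files(dir)
  Dir.children(dir).sort.select do |name|
    st = File.lstat(File.join(dir, name))
    st.file? && (st.mode & 0o077) != 0
  end
end

# Runs both writers under umask 022 (assumed; it matches the 0644 in the
# report) and returns the resulting modes plus the audit result.
def demo
  Dir.mktmpdir('sess_demo') do |dir|
    old_umask = File.umask(0o022)
    begin
      write_default(File.join(dir, 'sess_default'), SAMPLE)
      write_private(File.join(dir, 'sess_private'), SAMPLE)
      modes = %w[sess_default sess_private].map do |name|
        format('%04o', File.stat(File.join(dir, name)).mode & 0o7777)
      end
      { modes: modes, exposed: exposed_files(dir) }
    ensure
      File.umask(old_umask)
    end
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

Pointing `exposed_files` at the directory an application uses for session storage gives a quick check for files that other local users can read.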
In Debian Bug tracker #260779, Matt Zimmerman (mdz) wrote : Re: Bug#260779: libruby1.8: CGI::Session creates files insecurely | #3 |
On Thu, Jul 22, 2004 at 03:14:19AM -0400, Andres Salomon wrote:
> Package: libruby1.8
> Version: 1.8.1+1.8.2pre1-3
> Severity: grave
> Tags: security upstream
> Justification: user security hole
>
> Hi,
>
> I just noticed that CGI::Session's FileStore (and presumably PStore)
> implementations store session information insecurely. They simply
> create files, ignoring permission issues. I assume the only thing
> affecting permissions is the value of umask. For both my user, as
> well as www-data, session files end up in /tmp with permission
> 0644. This is quite bad; an unsuspecting user might be storing
> sensitive information in session variables, assuming that the class
> stores data securely.
I assume 1.8.1-9 in stable has the same problem?
--
- mdz
Debian Bug Importer (debzilla) wrote : | #4 |
Message-ID: <email address hidden>
Date: Thu, 22 Jul 2004 08:57:20 -0700
From: Matt Zimmerman <email address hidden>
To: Andres Salomon <email address hidden>, <email address hidden>
Subject: Re: Bug#260779: libruby1.8: CGI::Session creates files insecurely
In Debian Bug tracker #260779, Andres Salomon (dilinger-deactivatedaccount) wrote : | #5 |
On Thu, 2004-07-22 at 08:57 -0700, Matt Zimmerman wrote:
> On Thu, Jul 22, 2004 at 03:14:19AM -0400, Andres Salomon wrote:
>
[...]
> > 0644. This is quite bad; an unsuspecting user might be storing
> > sensitive information in session variables, assuming that the class
> > stores data securely.
>
> I assume 1.8.1-9 in stable has the same problem?
>
You mean the ruby packages in stable (1.6.7-3)? The behavior in Woody
is the same.
--
Andres Salomon <email address hidden>
In Debian Bug tracker #260779, Matt Zimmerman (mdz) wrote : | #6 |
On Thu, Jul 22, 2004 at 05:37:55PM -0400, Andres Salomon wrote:
> On Thu, 2004-07-22 at 08:57 -0700, Matt Zimmerman wrote:
> > On Thu, Jul 22, 2004 at 03:14:19AM -0400, Andres Salomon wrote:
> >
> [...]
> > > 0644. This is quite bad; an unsuspecting user might be storing
> > > sensitive information in session variables, assuming that the class
> > > stores data securely.
> >
> > I assume 1.8.1-9 in stable has the same problem?
> >
>
> You mean the ruby packages in stable (1.6.7-3)? The behavior in Woody
> is the same.
Right, I read the display crooked. :-)
Please keep the security team in the loop.
--
- mdz
In Debian Bug tracker #260779, akira yamada (akira) wrote : (no subject) | #7 |
forwarded 260779 <email address hidden>
Debian Bug Importer (debzilla) wrote : | #8 |
Message-Id: <email address hidden>
Date: Thu, 22 Jul 2004 17:37:55 -0400
From: Andres Salomon <email address hidden>
To: Matt Zimmerman <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#260779: libruby1.8: CGI::Session creates files insecurely
Debian Bug Importer (debzilla) wrote : | #9 |
Message-ID: <email address hidden>
Date: Thu, 22 Jul 2004 14:54:31 -0700
From: Matt Zimmerman <email address hidden>
To: Andres Salomon <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#260779: libruby1.8: CGI::Session creates files insecurely
Debian Bug Importer (debzilla) wrote : | #10 |
Message-ID: <email address hidden>
Date: Fri, 23 Jul 2004 07:11:11 +0900
From: akira yamada <email address hidden>
To: <email address hidden>
Subject: =?ISO-2022-
In Debian Bug tracker #260779, akira yamada (akira) wrote : Bug#260779: fixed in ruby1.8 1.8.1+1.8.2pre1-4 | #11 |
Source: ruby1.8
Source-Version: 1.8.1+1.8.2pre1-4
We believe that the bug you reported is fixed in the latest version of
ruby1.8, which is due to be installed in the Debian FTP archive:
irb1.8_
to pool/main/
libbigdecimal-
to pool/main/
libcurses-
to pool/main/
libdbm-
to pool/main/
libdl-ruby1.
to pool/main/
libdrb-
to pool/main/
liberb-
to pool/main/
libgdbm-
to pool/main/
libiconv-
to pool/main/
libopenssl-
to pool/main/
libpty-
to pool/main/
libracc-
to pool/main/
libreadline-
to pool/main/
librexml-
to pool/main/
libruby1.
to pool/main/
libruby1.
to pool/main/
libsdbm-
to pool/main/
libsoap-
to pool/main/
libstrscan-
to pool/main/
libsyslog-
to pool/main/
libtcltk-
to pool/main/
libtest-
to pool/main/
libtk-ruby1.
to pool/main/
libwebrick-
to pool/main/
libxmlrpc-
to pool/main/
libyaml-
to pool/main/
libzlib-
to pool/main/
Debian Bug Importer (debzilla) wrote : | #12 |
Message-Id: <email address hidden>
Date: Thu, 22 Jul 2004 20:47:07 -0400
From: akira yamada <email address hidden>
To: <email address hidden>
Subject: Bug#260779: fixed in ruby1.8 1.8.1+1.8.2pre1-4
Fabio Massimo Di Nitto (fabbione) wrote : | #13 |
Request sync.
In Debian Bug tracker #260779, Andres Salomon (dilinger-deactivatedaccount) wrote : open in sarge/woody | #14 |
reopen 260779
tags 260779 + woody sarge
thanks
Thanks for the fast fix for sid. Unfortunately, this bug is also in
woody and sarge. For woody, a proper security update should be done.
For sarge.. well, hopefully ruby1.8 will make it in there quickly. This
bug should be kept around until it does, so that sarge isn't releasing
w/ this problem.
--
Andres Salomon <email address hidden>
Debian Bug Importer (debzilla) wrote : | #15 |
Message-Id: <email address hidden>
Date: Fri, 23 Jul 2004 16:59:49 -0400
From: Andres Salomon <email address hidden>
To: <email address hidden>
Subject: open in sarge/woody
In Debian Bug tracker #260779, Frank Lichtenheld (djpig) wrote : tagging 260779 | #16 |
# fixed version has propagated to testing
tag 260779 - sarge
Debian Bug Importer (debzilla) wrote : | #17 |
Message-Id: <email address hidden>
Date: Thu, 5 Aug 2004 20:08:34 +0200
From: Frank Lichtenheld <email address hidden>
To: <email address hidden>
Subject: tagging 260779
In Debian Bug tracker #260779, akira yamada (akira) wrote : Re: Bug#260779: open in sarge/woody | #18 |
> Thanks for the fast fix for sid. Unfortunately, this bug is also in
> woody and sarge. For woody, a proper security update should be done.
> For sarge.. well, hopefully ruby1.8 will make it in there quickly. This
> bug should be kept around until it does, so that sarge isn't releasing
> w/ this problem.
DSA-537-1 was published.
--
akira yamada <URL:http://
Debian Bug Importer (debzilla) wrote : | #19 |
Message-Id: <email address hidden>
Date: Thu, 19 Aug 2004 12:27:25 +0900
From: akira yamada <email address hidden>
To: Andres Salomon <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#260779: open in sarge/woody
Fabio Massimo Di Nitto (fabbione) wrote : | #20 |
*** Bug 7578 has been marked as a duplicate of this bug. ***
Matt Zimmerman (mdz) wrote : | #21 |
See also Bug#7578 for another ruby vulnerability that needs to be fixed.
Since there are many changes since Warty, I've asked LaMont to regression-test
the builds before we sync.
Matt Zimmerman (mdz) wrote : | #22 |
sync complete
Changed in ruby1.8:
status: Unknown → Fix Released
Automatically imported from Debian bug report #260779 http://bugs.debian.org/260779