libruby1.8: CGI::Session creates files insecurely yet

Bug #7578 reported by Debian Bug Importer on 2004-08-24
Affects             Status         Importance   Assigned to    Milestone
ruby1.8 (Debian)    Fix Released   Unknown
ruby1.8 (Ubuntu)                   High         LaMont Jones

Bug Description

Automatically imported from Debian bug report #267753 http://bugs.debian.org/267753

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 24 Aug 2004 18:29:49 +0900
From: Shugo Maeda <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: libruby1.8: CGI::Session creates files insecurely yet

Package: libruby1.8
Version: 1.8.1+1.8.2pre2-2
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The default value for 'tmpdir' parameter is /tmp, so any user can
know the name of the file created by CGI::Session::FileStore.
The filename contains the session id, so this can lead an attacker
who has also shell access to the webserver to take over a session.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.7-swsusp2.0.0.100
Locale: LANG=ja_JP.eucJP, LC_CTYPE=ja_JP.eucJP

Versions of packages libruby1.8 depends on:
ii libc6 2.3.2.ds1-16 GNU C Library: Shared libraries an

-- no debconf information

same bug on 2 different upstream versions

This bug has been marked as a duplicate of bug 7128.

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 24 Aug 2004 08:05:58 -0700
From: Matt Zimmerman <email address hidden>
To: Shugo Maeda <email address hidden>, <email address hidden>
Subject: Re: Bug#267753: libruby1.8: CGI::Session creates files insecurely yet

On Tue, Aug 24, 2004 at 06:29:49PM +0900, Shugo Maeda wrote:

> Package: libruby1.8
> Version: 1.8.1+1.8.2pre2-2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
>
> Hi,
>
> The default value for 'tmpdir' parameter is /tmp, so any user can
> know the name of the file created by CGI::Session::FileStore.
> The filename contains the session id, so this can lead an attacker
> who has also shell access to the webserver to take over a session.

The file is created world-readable? If so, that is the bug; using /tmp is
not a bug in itself.

--
 - mdz

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 25 Aug 2004 00:32:20 +0900
From: Shugo Maeda <email address hidden>
To: Matt Zimmerman <email address hidden>, <email address hidden>
Subject: Re: Bug#267753: libruby1.8: CGI::Session creates files insecurely yet

Hi,

Matt Zimmerman wrote:
>>The default value for 'tmpdir' parameter is /tmp, so any user can
>>know the name of the file created by CGI::Session::FileStore.
>>The filename contains the session id, so this can lead an attacker
>>who has also shell access to the webserver to take over a session.
>
>
> The file is created world-readable? If so, that is the bug; using /tmp is
> not a bug in itself.

No. The session id is contained in the *filename*, so the
read-permission of the file itself is not necessary to take over a
session.
Any user can get the session id by `ls /tmp'.

The bug is already fixed in the CVS HEAD (The default value of 'tmpdir'
is still /tmp, but the filename doesn't contain session id itself).

Shugo

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 24 Aug 2004 12:32:09 -0400
From: akira yamada <email address hidden>
To: <email address hidden>
Subject: Bug#267753: fixed in ruby1.8 1.8.1+1.8.2pre2-3

Source: ruby1.8
Source-Version: 1.8.1+1.8.2pre2-3

We believe that the bug you reported is fixed in the latest version of
ruby1.8, which is due to be installed in the Debian FTP archive:

irb1.8_1.8.1+1.8.2pre2-3_all.deb
  to pool/main/r/ruby1.8/irb1.8_1.8.1+1.8.2pre2-3_all.deb
libbigdecimal-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
  to pool/main/r/ruby1.8/libbigdecimal-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
libcurses-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
  to pool/main/r/ruby1.8/libcurses-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
libdbm-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
  to pool/main/r/ruby1.8/libdbm-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
libdl-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
  to pool/main/r/ruby1.8/libdl-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
libdrb-ruby1.8_1.8.1+1.8.2pre2-3_all.deb
  to pool/main/r/ruby1.8/libdrb-ruby1.8_1.8.1+1.8.2pre2-3_all.deb
liberb-ruby1.8_1.8.1+1.8.2pre2-3_all.deb
  to pool/main/r/ruby1.8/liberb-ruby1.8_1.8.1+1.8.2pre2-3_all.deb
libgdbm-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
  to pool/main/r/ruby1.8/libgdbm-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
libiconv-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
  to pool/main/r/ruby1.8/libiconv-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
libopenssl-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
  to pool/main/r/ruby1.8/libopenssl-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
libpty-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
  to pool/main/r/ruby1.8/libpty-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
libracc-runtime-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
  to pool/main/r/ruby1.8/libracc-runtime-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
libreadline-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
  to pool/main/r/ruby1.8/libreadline-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
librexml-ruby1.8_1.8.1+1.8.2pre2-3_all.deb
  to pool/main/r/ruby1.8/librexml-ruby1.8_1.8.1+1.8.2pre2-3_all.deb
libruby1.8-dbg_1.8.1+1.8.2pre2-3_i386.deb
  to pool/main/r/ruby1.8/libruby1.8-dbg_1.8.1+1.8.2pre2-3_i386.deb
libruby1.8_1.8.1+1.8.2pre2-3_i386.deb
  to pool/main/r/ruby1.8/libruby1.8_1.8.1+1.8.2pre2-3_i386.deb
libsdbm-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
  to pool/main/r/ruby1.8/libsdbm-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
libsoap-ruby1.8_1.8.1+1.8.2pre2-3_all.deb
  to pool/main/r/ruby1.8/libsoap-ruby1.8_1.8.1+1.8.2pre2-3_all.deb
libstrscan-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
  to pool/main/r/ruby1.8/libstrscan-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
libsyslog-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
  to pool/main/r/ruby1.8/libsyslog-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
libtcltk-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
  to pool/main/r/ruby1.8/libtcltk-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
libtest-unit-ruby1.8_1.8.1+1.8.2pre2-3_all.deb
  to pool/main/r/ruby1.8/libtest-unit-ruby1.8_1.8.1+1.8.2pre2-3_all.deb
libtk-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
  to pool/main/r/ruby1.8/libtk-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
libwebrick-ruby1.8_1.8.1+1.8.2pre2-3_all.deb
  to pool/main/r/ruby1.8/libwebrick-ruby1.8_1.8.1+1.8.2pre2-3_all.deb
libxmlrpc-ruby1.8_1.8.1+1.8.2pre2-3_all.deb
  to pool/main/r/ruby1.8/libxmlrpc-ruby1.8_1.8.1+1.8.2pre2-3_all.deb
libyaml-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
  to pool/main/r/ruby1.8/libyaml-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
libzlib-ruby1.8_1.8.1+1.8.2pre2-3_i386.deb
  to pool/main/r/ruby1.8/libzlib-ruby1.8_1.8.1+1.8.2pre2-3_i386...

Matt Zimmerman (mdz) wrote :

This is actually a distinct bug, not a duplicate of Bug#7128.

Bug#7128 - the files are created insecurely (symlink attack)
Bug#7578 - the filename contains the session id, which should be secret
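
The two problems mdz separates here (a file name that carries the session id, versus a file that is created without O_EXCL so a pre-placed symlink redirects the write) are easy to conflate, so the following added example models both side by side. It is illustrative code written for this page, not Ruby's own cgi/session.rb and not the fix akira yamada uploaded; the class names LeakyFileStore and HardenedFileStore, the "ruby_sess." prefix, and the choice of an HMAC-SHA256 of the id as the hardened file name are assumptions (the thread only says the fixed name "doesn't contain session id itself"; an unkeyed digest would also achieve that, but a keyed one additionally stops a co-tenant from confirming a guessed id by recomputing the name). It runs in a private directory from Dir.mktmpdir rather than /tmp so it is safe to execute anywhere.

```ruby
require 'openssl'
require 'securerandom'
require 'tmpdir'

# Constructed stand-in for the id CGI::Session would generate.
SID = SecureRandom.hex(16)

# Pre-fix shape from Shugo's report: the session id *is* the file name,
# so `ls` on a shared tmpdir hands it to every local user. The open also
# follows symlinks and takes its mode from the umask.
class LeakyFileStore
  attr_reader :path
  def initialize(dir, sid)
    @path = File.join(dir, "ruby_sess.#{sid}")
  end
  def write(data)
    File.open(@path, "w") { |f| f.write(data) }
  end
end

# Hardened shape (assumed design, not upstream's): the name is a keyed
# digest of the id, the file is created with O_EXCL|O_NOFOLLOW so a
# pre-existing link or file aborts the write, and the mode is 0600.
class HardenedFileStore
  attr_reader :path
  def initialize(dir, sid, key)
    name = OpenSSL::HMAC.hexdigest("SHA256", key, sid)
    @path = File.join(dir, "ruby_sess.#{name}")
  end
  def write(data)
    flags = File::WRONLY | File::CREAT | File::EXCL
    flags |= File::NOFOLLOW if File.const_defined?(:NOFOLLOW)
    File.open(@path, flags, 0600) { |f| f.write(data) }
  end
end

# Plays the unprivileged co-tenant against both stores and reports what
# they learn (sid_visible) and what they can do (clobbered / refused).
def demo
  Dir.mktmpdir("sessdemo") do |dir|
    key = SecureRandom.random_bytes(32)

    LeakyFileStore.new(dir, SID).write("user=alice")
    hardened = HardenedFileStore.new(dir, SID, key)
    hardened.write("user=alice")

    # Bug#7578 shape: does a directory listing give the id away?
    sid_visible = Dir.children(dir).any? { |n| n.include?(SID) }

    # Bug#7128 shape: attacker pre-places a symlink at the predictable
    # name, pointing at a file they want overwritten.
    victim = File.join(dir, "victim")
    File.write(victim, "original")
    sid2 = SecureRandom.hex(16)
    leaky2 = LeakyFileStore.new(dir, sid2)
    File.symlink(victim, leaky2.path)
    leaky2.write("user=attacker")
    clobbered = File.read(victim) == "user=attacker"

    # Same trick against the hardened store, even granting the attacker
    # knowledge of the name: O_EXCL sees the link and refuses.
    hardened2 = HardenedFileStore.new(dir, sid2, key)
    File.symlink(victim, hardened2.path)
    refused = begin
      hardened2.write("user=attacker")
      false
    rescue Errno::EEXIST, Errno::ELOOP
      true
    end

    { sid_visible: sid_visible,
      clobbered: clobbered,
      refused: refused,
      hardened_mode: File.stat(hardened.path).mode & 0777 }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The hardened write is a create-only path; a real store also has to reopen an existing session file for updates, where O_EXCL does not apply and the defence is O_NOFOLLOW plus a check that the opened file is a regular file owned by the server's uid. Hashing the name fixes the listing leak, but mdz's point stands: a world-writable /tmp is still a hostile neighbourhood, and pointing tmpdir at a directory only the web server can read or write removes the co-tenant from the threat model altogether.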

Matt Zimmerman (mdz) wrote :

We'll need to sync 1.8.1+1.8.2pre2-3 to get this fix. Please test the reverse
build-deps against this version to ensure that we aren't breaking any builds if
we sync it, since there are many intervening changes

LaMont Jones (lamont) wrote :

all 69 source packages in main that have binary packages that Depend: ruby1.8
have built successfully with 1.8.1+1.8.2pre2-3

LaMont Jones (lamont) wrote :

synced fix from debian.

Changed in ruby1.8:
status: Unknown → Fix Released