[SECURITY] Hotfix for cgi.rb vulnerability of Dec. 4, 2006

Hi,

I’ve released a hotfix, just like the last one from Zed S., for the
new cgi.rb denial-of-service vulnerability, which does affect Rails. You
can get it here:

http://blog.evanweaver.com/articles/2006/12/05/cgi-rb-vulnerability-hotfix

It will be useful to you if you are unable or unwilling to upgrade your
core Ruby cgi.rb file. We have deployed it on Chow.com and are making it
available to everyone.

Evan

=== README ===

DESCRIPTION

Fix an exploitable bug in CGI multipart parsing which affects Ruby <=
1.8.5 when the multipart boundary attribute contains a non-halting regular
expression string. The boundary searcher in the CGI module does not
properly escape the user-supplied parameter and will execute arbitrary
regular expressions. The fix adds escaping for the user data.

This fix is cumulative with previous CGI multipart vulnerability
fixes; see version 1.0.0 of the gem by Zed S…

SCOPE

Affected: standalone CGI, Mongrel, WEBrick
Unaffected: FastCGI
Unknown: mod_ruby

USAGE

First, make sure you have the Hoe gem installed. Then:

sudo gem install cgi_multipart_eof_fix --source blog.evanweaver.com

Then run the included test to verify the flaw is corrected. You must require
the gem in every affected application, as follows:

require 'rubygems'
require 'cgi_multipart_eof_fix'

If you only use mongrel_rails for application hosting, you may install
mongrel like so:

sudo gem install mongrel --source=http://mongrel.rubyforge.org/releases

Then mongrel will require the fix for you, provided you have installed
version 2.0.0 of this gem. This is a hack, and mongrel may change in the
future.

RESOURCES

http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/


LICENSE

Licensed under the same license as Ruby itself. Software contains the
work of others.
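The bug class the README describes, as an added example that is not code from Ruby's cgi.rb or from the cgi_multipart_eof_fix gem: a toy multipart boundary searcher in an unescaped (vulnerable) form beside the escaped (fixed) form, plus an RFC 2046 boundary check as defense in depth. The function names, the sample body and the boundaries are constructed for this illustration; the pathological boundary is only shown in escaped form, because the unescaped version would not terminate on a suitable body.

```ruby
# Added example, not code from Ruby's cgi.rb or from the cgi_multipart_eof_fix
# gem: a toy multipart boundary searcher in the shape the README describes, in
# an unescaped (vulnerable) and an escaped (fixed) form, plus an RFC 2046
# boundary check. Names and the sample body are constructed for this example.

# Constructed multipart body. The real boundary is "AaB03x"; the "note" part
# deliberately contains a line that looks like a different boundary.
SAMPLE_BODY =
  "--AaB03x\r\n" \
  "Content-Disposition: form-data; name=\"user\"\r\n" \
  "\r\n" \
  "alice\r\n" \
  "--AaB03x\r\n" \
  "Content-Disposition: form-data; name=\"note\"\r\n" \
  "\r\n" \
  "line one\r\n" \
  "--AaB03y\r\n" \
  "line two\r\n" \
  "--AaB03x--\r\n"

# Vulnerable form: the boundary from the client's Content-Type header is
# interpolated into the regexp as raw pattern text, so any metacharacters in it
# become part of the pattern. A pathological boundary such as "(a+)+b" then
# makes the match backtrack without bound on a body of many "a"s, and an
# invalid one such as "(" raises RegexpError on every request.
def boundary_regexp_vulnerable(boundary)
  /(?:\A|\r?\n)--#{boundary}(?:\r\n|--)/
end

# Fixed form: Regexp.escape turns the boundary into a literal that can only
# match itself, whatever characters it contains.
def boundary_regexp_fixed(boundary)
  /(?:\A|\r?\n)--#{Regexp.escape(boundary)}(?:\r\n|--)/
end

# Split a body on the boundary regexp and return each part's payload with its
# headers stripped. Text before the first boundary and the epilogue are dropped.
def part_payloads(body, re)
  body.split(re).drop(1)
      .reject { |chunk| chunk.strip.empty? }
      .map { |chunk| chunk.split("\r\n\r\n", 2).last }
end

# Defense in depth: RFC 2046 limits a boundary to 1..70 characters from a fixed
# set, not ending in a space. The set still includes "(", ")", "+", "." and
# "?", so this check does not replace escaping; it only rejects clearly
# malformed values early.
BOUNDARY_RE = %r{\A[A-Za-z0-9'()+_,\-./:=? ]{1,70}\z}
def valid_boundary?(boundary)
  !!(boundary =~ BOUNDARY_RE) && !boundary.end_with?(" ")
end

if __FILE__ == $0
  honest  = "AaB03x"
  hostile = "AaB03[xy]" # attacker-chosen: a character class, not a literal
  p part_payloads(SAMPLE_BODY, boundary_regexp_vulnerable(honest))
  p part_payloads(SAMPLE_BODY, boundary_regexp_vulnerable(hostile))
  p part_payloads(SAMPLE_BODY, boundary_regexp_fixed(hostile))
  p boundary_regexp_fixed("(a+)+b").source
  p valid_boundary?(hostile), valid_boundary?("(a+)+b")
end
```

With the honest boundary both forms return the same two payloads. With the hostile boundary the unescaped form also splits on the "--AaB03y" line inside the second part, while the escaped form treats "AaB03[xy]" as a literal and finds no boundary at all. The RFC 2046 check rejects "AaB03[xy]" but accepts "(a+)+b", which is why escaping remains the actual fix.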

On 12/5/06, Evan W. [email protected] wrote:

> available to everyone.
Thanks for updating the gem, Evan!

A historical note: Jamis B. is the author; he found, fixed, and tested the
original vulnerability.

Best,
jeremy

You’re welcome. Thanks for the clarification; I see now in Zed’s
original post that he credited you and Jamis.

Evan