Security fix for WEBrick (CVE-2010-0541)

I'm Yamane.

Does anyone know about the following security fix for WEBrick?

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0541

Apple's advisory says:

> addressed by setting UTF-8 as the default character set in HTTP error
> responses. Credit: Apple.

A quick search turned up what appears to be the patch for it in Red Hat's bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=587731

lib/webrick/httpresponse.rb.old 2010-03-31 18:47:40.000000000
-0700
+++ lib/webrick/httpresponse.rb 2010-03-31 18:48:21.000000000
-0700
@@ -209,7 +209,7 @@
@keep_alive = false
self.status = HTTPStatus::RC_INTERNAL_SERVER_ERROR
end

  •  @header['content-type'] = "text/html"
    
  •  @header['content-type'] = "text/html; charset=utf-8"
    
    if respond_to?(:create_error_page)
      create_error_page()
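Review bot: the hunk changes only the content-type header (`text/html` to `text/html; charset=utf-8`); the body that follows is untouched, and the context lines show the page may also come from a user-supplied `create_error_page()`. Declaring the charset stops the browser from guessing the encoding, but it does not escape whatever the body interpolates, so the review should separately confirm that every value placed into the default error HTML is HTML-escaped. As pasted, the diff has also lost its `---` file-header line and its `+`/`-` markers were rendered as bullets, so it cannot be applied with `patch` without being re-typed.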
    

I unpacked the snapshot archive, but the above change has not been added, so I thought the fix may not have reached ruby itself yet and am writing. If anyone can tell whether this fix is sufficient, I'd appreciate it if you could check. :slight_smile:


Regards,

Hideki Y. henrich @ debian.or.jp/org
HidekiYamane - Debian Wiki

Hello, Nakamura (U) here.

In message [ruby-dev:42003] Security fix for WEBrick (CVE-2010-0541)
on Aug.11,2010 21:34:22, [email protected] wrote:

> Does anyone know about the following security fix for WEBrick?
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0541

Embarrassingly, this is the first I've heard of it; when and how did you learn of this? Please tell me if you don't mind.

> I unpacked the snapshot archive, but the above change has not been added, so I thought the fix may not have reached ruby itself yet and am writing. If anyone can tell whether this fix is sufficient, I'd appreciate it if you could check. :slight_smile:

I haven't been able to confirm whether it is actually exploitable, but I understand (I think) that there appears to be a vulnerability and that this fix is probably appropriate.

Regards.

2010/8/11 Hideki Y. [email protected]:

  •  @header['content-type'] = "text/html; charset=utf-8"
    

    if respond_to?(:create_error_page)
    create_error_page()

> I unpacked the snapshot archive, but the above change has not been added, so I thought the fix may not have reached ruby itself yet and am writing. If anyone can tell whether this fix is sufficient, I'd appreciate it if you could check. :slight_smile:

I don't think anyone has contacted the CRuby side. What do you think? > members of [email protected]

I follow the reasoning that this leads to an XSS vulnerability, and I think the fix is fine. This fix may leave some very unlucky people with the Japanese text in their exception messages garbled on the error page, but, well, let them write their own error pages.

That said, as far as I understand it, the original WEBrick default error page doesn't seem to have an outright XSS in itself. If an attacker can put a string of their choosing into the exception message or the backtrace (only when started with -d), that side would seem to be the problem. But that's not to say there is absolutely none, or that it's the other side's fault, so there's no doubt it should be fixed at some point.

Or perhaps an app that Apple built/shipped defines create_error_page() and the XSS was in there (pure speculation).

Hello, Nakamura (U) here.

In message [ruby-dev:42012] Re: Security fix for WEBrick (CVE-2010-0541)
on Aug.12,2010 15:32:09, [email protected] wrote:

> I don't think anyone has contacted the CRuby side. What do you think? > members of [email protected]

No comment on that for now.

> Or perhaps an app that Apple built/shipped defines create_error_page() and the XSS was in there (pure speculation).

At the moment I had been considering, rather than applying this patch as is, giving up on the create_error_page() side and dealing only with WEBrick's own output; what do you think? I'd be glad if you could explain why you, nahi-san, concluded that the default error page has no problem.

If there is a hole on the far side of create_error_page(), am I cold-hearted for thinking that anyone who wants to tighten the noose around their own neck can go ahead and die? ^^;

Regards.

2010/8/12 U.Nakamura [email protected]:

> side and dealing only with WEBrick's own output; what do you think?
> I'd be glad if you could explain why you, nahi-san, concluded that the default error page has no problem.

I considered whether there is any string an attacker could inject into the _end_of_html_ heredoc in HTTPResponse#set_error, and:

- @reason_phrase is defined in the source code.
- ex.message: well, maybe someone does write code like that?
- ex.backtrace: again, can't say it is absolutely impossible.
- @config[:ServerSoftware] is server configuration.
- host and port: to embed a string there you would also have to hijack name resolution.

So I judged that "there doesn't seem to be an outright XSS in itself (...) but that's not to say there is absolutely none, or that it's the other side's fault". What do you think?

> If there is a hole on the far side of create_error_page(), am I cold-hearted for thinking that anyone who wants to tighten the noose around their own neck can go ahead and die? ^^;

Well, even so, it would be better to announce it widely, regardless of whether there is a fix.

Hello, Nakamura (U) here.

In message [ruby-dev:42014] Re: Security fix for WEBrick (CVE-2010-0541)
on Aug.12,2010 16:10:13, [email protected] wrote:

> - host and port: to embed a string there you would also have to hijack name resolution.
>
> So I judged that "there doesn't seem to be an outright XSS in itself (...) but that's not to say there is absolutely none, or that it's the other side's fault". What do you think?

I feel as if I'm preaching to the converted here, but on a 404 WEBrick raises the exception HTTPStatus::NotFound, and that exception's message method includes the path from the requested URL, so an attacker can inject a string there. I believe that is what is at issue in this vulnerability (candidate) (details omitted, since they could amount to establishing an attack method); is that all right?

Regards.
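The two observations above, nahi-san's list of the fields interpolated into the error-page heredoc and Nakamura-san's point that the 404 message carries the request path, together say what a maintainer needs from the page builder: HTML-escape every interpolated field and declare the charset in the content-type. The Ruby below is an added example written for this page, not WEBrick's code and not anything the thread participants posted; the heredoc layout, the field names (reason, message, server, host, port), the `ExampleServer/0.0` string and the sample path are all constructed for illustration.

```ruby
# Added example, not WEBrick's own code: an error page builder that applies
# both defences the thread arrives at, plus two checks a reviewer can run
# against a candidate patch. The heredoc and its fields are a constructed
# approximation modelled on the names discussed in the thread.

ESCAPES = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;", "'" => "&#39;",
}.freeze

# Escape a value before placing it in an HTML text node or attribute value.
def html_escape(value)
  value.to_s.gsub(/[&<>"']/, ESCAPES)
end

# Build the response: every interpolated field is escaped, and the
# content-type carries an explicit charset so the browser cannot sniff one
# (the point of the CVE-2010-0541 patch). Server/host/port are constructed
# defaults, not real configuration.
def error_response(status, reason, message,
                   server: "ExampleServer/0.0", host: "localhost", port: 8080)
  body = <<~HTML
    <!DOCTYPE html>
    <html><head><title>#{html_escape(status)} #{html_escape(reason)}</title></head>
    <body><h1>#{html_escape(reason)}</h1>
    <p>#{html_escape(message)}</p>
    <hr><address>#{html_escape(server)} at #{html_escape(host)}:#{html_escape(port)}</address>
    </body></html>
  HTML
  response = {
    status: status,
    headers: { "content-type" => "text/html; charset=utf-8" },
    body: body,
  }
  response
end

# Review check 1: an HTML content-type must declare a charset.
def content_type_declares_charset?(content_type)
  content_type.match?(/;\s*charset=/i)
end

# Review check 2: a request-derived value that contains markup characters
# must not appear verbatim (unescaped) in the body.
def unescaped_markup?(body, untrusted)
  untrusted.match?(/[&<>"']/) && body.include?(untrusted)
end

if __FILE__ == $0
  # Constructed sample: a 404 whose message carries the requested path.
  path = "/no-such<b>page"
  resp = error_response(404, "Not Found", "`#{path}' not found.")
  puts resp[:headers]["content-type"]
  puts resp[:body]
  puts "charset declared: #{content_type_declares_charset?(resp[:headers]['content-type'])}"
  puts "raw markup leaked: #{unescaped_markup?(resp[:body], path)}"
end
```

Running the file prints the hardened response. The two predicates are the checks a reviewer would apply to a candidate patch: `content_type_declares_charset?` fails on the pre-patch `text/html`, and `unescaped_markup?` flags a request-derived string that reaches the body with its markup intact, which is exactly the 404 path case raised above.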

2010/8/12 U.Nakamura [email protected]:

>> - host and port: to embed a string there you would also have to hijack name resolution.
>>
>> So I judged that "there doesn't seem to be an outright XSS in itself (...) but that's not to say there is absolutely none, or that it's the other side's fault". What do you think?
>
> I feel as if I'm preaching to the converted here, but on a 404 WEBrick raises the exception HTTPStatus::NotFound, and that exception's message method includes the path from the requested URL, so an attacker can inject a string there.

Indeed. I hadn't thought it through. WEBrick itself puts it into ex.message. Then it's obviously bad. The speculation in my earlier mail was an unnecessary remark as well; sorry.

That being so, it seems the only fix is to apply this patch as is.

On Thu, 12 Aug 2010 16:45:04 +0900
NAKAMURA, Hiroshi [email protected] wrote:

> That being so, it seems the only fix is to apply this patch as is.

To get this fixed, would it be better to register a ticket on the tracker?


Regards,

Hideki Y. henrich @ debian.or.jp/org
HidekiYamane - Debian Wiki

This is Yamane.

On Thu, 12 Aug 2010 11:26:06 +0900
U.Nakamura [email protected] wrote:

>> Does anyone know about the following security fix for WEBrick?
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0541
>
> Embarrassingly, this is the first I've heard of it; when and how did you learn of this? Please tell me if you don't mind.

I found it while browsing Debian's security-tracker.
http://security-tracker.debian.org/tracker/
It lets you check whether published CVE entries (and similar information) have been handled in each Debian release.

While checking the current status of unstable at
http://security-tracker.debian.org/tracker/status/release/unstable
there was a CVE each for ruby1.8/1.9, so I mailed.


Regards,

Hideki Y. henrich @ debian.or.jp/org
HidekiYamane - Debian Wiki

This is Yamane.

On Sat, 14 Aug 2010 11:15:29 +0900
Yugui [email protected] wrote:

> It is being handled now, and although it has already been disclosed there is no need to spread it further, so it would be better not to register it.
> Thank you.

Thank you all for handling this.

A postscript. As for why there had been no contact: while looking into whom to contact I found something called MacRuby, and since this vulnerability had not been fixed there at that time, I asked the MacRuby account on twitter. Someone on the inside answered, so I wrote it up in my diary.

http://d.ma-aya.to/?date=20100829

So if anything Apple-related comes up in future, I think it would be good to ask him ([email protected], @lzr).


Regards,

Hideki Y. henrich @ debian.or.jp/org
HidekiYamane - Debian Wiki

2010/9/3 Hideki Y. [email protected]:

> http://d.ma-aya.to/?date=20100829
>
> So if anything Apple-related comes up in future, I think it would be good to ask him ([email protected], @lzr).

Thank you.

2010/8/14 Hideki Y. [email protected]:

> On Thu, 12 Aug 2010 16:45:04 +0900
> NAKAMURA, Hiroshi [email protected] wrote:
>
>> That being so, it seems the only fix is to apply this patch as is.
>
> To get this fixed, would it be better to register a ticket on the tracker?

It is being handled now, and although it has already been disclosed there is no need to spread it further, so it would be better not to register it.
Thank you.