ports/82855: [PATCH] lang/ruby: Fix CAN-2005-1992 - arbitrary command execution on XMLRPC server

Renato Botelho freebsd at galle.com.br
Fri Jul 1 11:00:40 UTC 2005 

>Number:         82855
>Category:       ports
>Synopsis:       [PATCH] lang/ruby: Fix CAN-2005-1992 - arbitrary command execution on XMLRPC server
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 01 11:00:38 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Renato Botelho
>Release:        FreeBSD 5.4-RELEASE-p3 i386
>Organization:
Galle Folheados - http://www.galle.com.br
>Environment:
System: FreeBSD data.galle.com.br 5.4-RELEASE-p3 FreeBSD 5.4-RELEASE-p3 #2: Thu Jun 30 10:57:16 BRST 2005
>Description:
- Fix CAN-2005-1992 - arbitrary command execution on XMLRPC server

Obtained from: ruby CVS

Added file(s):
- files/patch-lib_xmlrpc_utils.rb

Port maintainer (knu at FreeBSD.org) is cc'd.

Generated with FreeBSD Port Tools 0.63
>How-To-Repeat:
>Fix:

--- ruby-1.8.2_4.patch begins here ---
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/lang/ruby18/Makefile,v
retrieving revision 1.85
diff -u -r1.85 Makefile
--- Makefile	25 Feb 2005 00:17:27 -0000	1.85
+++ Makefile	1 Jul 2005 10:49:52 -0000
@@ -7,7 +7,7 @@
 
 PORTNAME=	ruby
 PORTVERSION=	${RUBY_PORTVERSION}
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	lang ruby ipv6
 MASTER_SITES=		${MASTER_SITE_RUBY}
 MASTER_SITE_SUBDIR=	${MASTER_SITE_SUBDIR_RUBY}
Index: files/patch-lib_xmlrpc_utils.rb
===================================================================
RCS file: files/patch-lib_xmlrpc_utils.rb
diff -N files/patch-lib_xmlrpc_utils.rb
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-lib_xmlrpc_utils.rb	1 Jul 2005 10:49:52 -0000
@@ -0,0 +1,11 @@
+--- lib/xmlrpc/utils.rb.orig	Fri Jul  1 07:38:00 2005
++++ lib/xmlrpc/utils.rb	Fri Jul  1 07:38:55 2005
+@@ -138,7 +138,7 @@
+ 
+     def get_methods(obj, delim=".")
+       prefix = @prefix + delim
+-      obj.class.public_instance_methods.collect { |name|
++      obj.class.public_instance_methods(false).collect { |name|
+         [prefix + name, obj.method(name).to_proc, nil, nil] 
+       }
+     end
--- ruby-1.8.2_4.patch ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-ports-bugs mailing list