Yukihiro Matsumoto Ruby CGI Session Management Insecure File Permissions Vulnerability

admin 2022-07-18 17:02:00 CNNVD Vulnerabilities Source: ZONE.CI

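Vulnerability Details

Yukihiro Matsumoto Ruby CGI Session Management Insecure File Permissions Vulnerability

  • CNNVD ID: CNNVD-200410-076
  • Severity: Low
  • CVE ID: CVE-2004-0755
  • Vulnerability type: Design error
  • Published: 2004-10-20
  • Threat type: Local
  • Updated: 2005-10-20
  • Vendor: yukihiro_matsumoto
  • Vulnerability source: Discovery is credi...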

Vulnerability Summary

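The FileStore capability in CGI::Session for Ruby versions before 1.8.1, and possibly PStore, creates files with insecure permissions, which allows local users to steal session information and hijack sessions.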
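An added example (not Ruby's own code and not part of the original record): a session file created with an owner-only mode, next to an audit that flags session files accessible to group or other local users, which is the exposure described above. The `sess_` file naming, the helper names and the sample data are assumptions constructed for illustration, and POSIX file permissions are assumed.

```ruby
require "tmpdir"
require "securerandom"

# Permission bits that expose a session file to other local users.
EXPOSED_BITS = 0o077

# Create a session file that only the owning user can read or write.
# EXCL refuses to reuse a path that another local user may have pre-created.
def create_private_session_file(dir, session_id, data)
  path = File.join(dir, "sess_#{session_id}") # hypothetical naming scheme
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.chmod(0o600) # enforce the mode regardless of the process umask
    f.write(data)
  end
  path
end

# Return [path, octal mode] pairs for regular files that group or others can access.
def exposed_session_files(dir)
  Dir.children(dir).sort.each_with_object([]) do |name, found|
    path = File.join(dir, name)
    st = File.lstat(path) # lstat: do not follow symlinks planted in the directory
    next unless st.file?
    mode = st.mode & 0o777
    found << [path, format("%04o", mode)] unless (mode & EXPOSED_BITS).zero?
  end
end

# Constructed demonstration in a throwaway directory.
def demo
  Dir.mktmpdir("sess-audit") do |dir|
    # "Before": a file left with the mode a 022 umask would typically yield.
    weak = File.join(dir, "sess_weak")
    File.write(weak, "user=alice")
    File.chmod(0o644, weak)
    # "After": the owner-only creation path.
    strong = create_private_session_file(dir, SecureRandom.hex(16), "user=bob")
    { findings: exposed_session_files(dir).map { |p, m| [File.basename(p), m] },
      strong_mode: format("%04o", File.stat(strong).mode & 0o777) }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

Pointing `exposed_session_files` at the directory an application uses for session storage lists every file whose mode lets another local account read or modify it.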

Vulnerability Advisory

The current 1.6 version of Ruby and versions 1.8.1 and 1.8.2 pre1 and 1.8.2 pre2 are not affected by this issue. This information is not confirmed at the moment.

Red Hat has released an advisory (FEDORA-2004-264) to address this issue in Fedora Core 2. Please see the referenced advisory for more information.

Red Hat has released advisory RHSA-2004:441-18 and fixes to address this issue on Red Hat Linux Enterprise platforms. Customers that are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see the referenced advisory for additional information.

Debian has released an advisory to address this issue. Please see the referenced advisory for more information.

Gentoo has released an advisory (GLSA 200409-08) and an updated eBuild to address this issue. Please see the referenced advisory for more information. Gentoo users can carry out the following commands to update their computers:

    emerge sync
    emerge -pv ">=dev-lang/ruby-your_version"
    emerge ">=dev-lang/ruby-your_version"

Mandrake has released advisory MDKSA-2004:128 along with fixes to address this issue. Please see the referenced advisory for further information.

RedHat Fedora Linux has released advisory FEDORA-2004-403 along with fixes for their Fedora Core 3 product. Please see the referenced advisory for more information.

Turbolinux has released advisory Turbolinux Security Announcement 31/Jan/2005 to address various issues. Please see the referenced advisory for more information.

The Fedora Legacy project has released advisory FLSA:152768 to address this issue in RedHat Linux 7.3, 9, and Fedora Core 1. Please see the referenced advisory for further information.

Yukihiro Matsumoto Ruby 1.6

  • RedHat irb-1.6.7-5.legacy.i386.rpm (RedHat Linux 7.3): http://download.fedoralegacy.org/redhat/7.3/updates/i386/irb-1.6.7-5.legacy.i386.rpm
  • RedHat irb-1.6.8-6.2.legacy.i386.rpm (RedHat Linux 9.0): http://download.fedoralegacy.org/redhat/9/updates/i386/irb-1.6.8-6.2.legacy.i386.rpm
  • RedHat ruby-1.6.7-5.legacy.i386.rpm (RedHat Linux 7.3): http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-1.6.7-5.legacy.i386.rpm
  • RedHat ruby-1.6.8-6.2.legacy.i386.rpm (RedHat Linux 9.0): http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-1.6.8-6.2.legacy.i386.rpm
  • RedHat ruby-devel-1.6.7-5.legacy.i386.rpm (RedHat Linux 7.3): http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-devel-1.6.7-5.legacy.i386.rpm
  • RedHat ruby-devel-1.6.8-6.2.legacy.i386.rpm (RedHat Linux 9.0): http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-devel-1.6.8-6.2.legacy.i386.rpm
  • RedHat ruby-docs-1.6.7-5.legacy.i386.rpm (RedHat Linux 7.3): http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-docs-1.6.7-5.legacy.i386.rpm
  • RedHat ruby-docs-1.6.8-6.2.legacy.i386.rpm (RedHat Linux 9.0): http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-docs-1.6.8-6.2.legacy.i386.rpm
  • RedHat ruby-libs-1.6.7-5.legacy.i386.rpm (RedHat Linux 7.3): http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-libs-1.6.7-5.legacy.i386.rpm
  • RedHat ruby-libs-1.6.8-6.2.legacy.i386.rpm (RedHat Linux 9.0): http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-libs-1.6.8-6.2.legacy.i386.rpm
  • RedHat ruby-mode-1.6.7-5.legacy.i386.rpm (RedHat Linux 7.3): http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-mode-1.6.7-5.legacy.i386.rpm
  • RedHat ruby-mode-1.6.8-6.2.legacy.i386.rpm (RedHat Linux 9.0): http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-mode-1.6.8-6.2.legacy.i386.rpm
  • RedHat ruby-mode-xemacs-1.6.7-5.legacy.i386.rpm (RedHat Linux 7.3): http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-mode-xemacs-1.6.7-5.legacy.i386.rpm
  • RedHat ruby-tcltk-1.6.7-5.legacy.i386.rpm (RedHat Linux 7.3): http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-tcltk-1.6.7-5.legacy.i386.rpm
  • RedHat ruby-tcltk-1.6.8-6.2.legacy.i386.rpm (RedHat Linux 9.0): http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-tcltk-1.6.8-6.2.legacy.i386.rpm
Yukihiro Matsumoto Ruby 1.8
  • Fedora irb-1.8.1-6.i386.rpm (RedHat Fedora Core 2): http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
  • Fedora irb-1.8.1-6.x86_64.rpm (RedHat Fedora Core 2): http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
  • Fedora ruby-1.8.1-6.i386.rpm (RedHat Fedora Core 2): http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
  • Fedora ruby-1.8.1-6.x86_64.rpm (RedHat Fedora Core 2): http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
  • Fedora ruby-debuginfo-1.8.1-6.i386.rpm (RedHat Fedora Core 2): http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
  • Fedora ruby-debuginfo-1.8.1-6.x86_64.rpm (RedHat Fedora Core 2): http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
  • Fedora ruby-devel-1.8.1-6.i386.rpm (RedHat Fedora Core 2): http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
  • Fedora ruby-devel-1.8.1-6.x86_64.rpm (RedHat Fedora Core 2): ht

References

  • Source: XF. Name: ruby-filestore-pstore-insecure-permission(16996). Link: http://xforce.iss.net/xforce/xfdb/16996
  • Source: GENTOO. Name: GLSA-200409-08. Link: http://www.gentoo.org/security/en/glsa/glsa-200409-08.xml
  • Source: DEBIAN. Name: DSA-537. Link: http://www.debian.org/security/2004/dsa-537
  • Source: SECUNIA. Name: 12290. Link: http://secunia.com/advisories/12290/
  • Source: OVAL. Name: oval:org.mitre.oval:def:11128. Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11128
  • Source: MANDRAKE. Name: MDKSA-2004:128. Link: http://www.mandriva.com/security/advisories?name=MDKSA-2004:128

Affected Entities

  • Yukihiro_matsumoto Ruby:1.6  
  • Yukihiro_matsumoto Ruby:1.8  

Patch

    None available
