FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

ruby -- arbitrary command execution on XMLRPC server

Affected packages
1.8.* < ruby < 1.8.2_3
1.8.* < ruby_static < 1.8.2_3

Details

VuXML ID 594eb447-e398-11d9-a8bd-000cf18bbe54
Discovery 2005-06-22
Entry 2005-06-23
Modified 2005-11-06

Nobuhiro IMAI reports:

the default value modification on Module#public_instance_methods (from false to true) breaks s.add_handler(XMLRPC::iPIMethods("sample"), MyHandler.new) style security protection.

This problem could allow a remote attacker to execute arbitrary commands on the XMLRPC server of libruby.
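An added illustration of the mechanism the report describes (not code from the advisory or from Ruby's XMLRPC library): it compares what `Module#public_instance_methods` returns with the inherit flag false and true, and shows an allowlist check that does not depend on that default. `MyHandler` is a constructed sample class, and `exposed_names`, `inherited_exposure` and `allowlisted_names` are hypothetical helpers; method names are symbols on current Ruby (strings on 1.8).

```ruby
# Constructed sample handler; only add and echo are meant to be remotely callable.
class MyHandler
  def add(a, b)
    a + b
  end

  def echo(msg)
    msg
  end

  private

  def audit(line) # private helper, never part of the public interface
    line
  end
end

# Hypothetical helper: names a reflection-based registrar would publish under
# the prefix when it asks the class for its public instance methods.
def exposed_names(klass, prefix, inherit)
  klass.public_instance_methods(inherit).map { |m| "#{prefix}.#{m}" }.sort
end

# Names that appear only because inherited (Object/Kernel) methods are included.
def inherited_exposure(klass, prefix)
  exposed_names(klass, prefix, true) - exposed_names(klass, prefix, false)
end

# Hypothetical hardened registration: an explicit allowlist, validated against
# methods defined directly on the class, so a changed default cannot widen it.
def allowlisted_names(klass, prefix, allowed)
  own = klass.public_instance_methods(false).map(&:to_sym)
  unknown = allowed.map(&:to_sym) - own
  raise ArgumentError, "not defined on #{klass}: #{unknown.inspect}" unless unknown.empty?
  allowed.map { |m| "#{prefix}.#{m}" }.sort
end

if __FILE__ == $PROGRAM_NAME
  puts "own methods only: #{exposed_names(MyHandler, 'sample', false).inspect}"
  extra = inherited_exposure(MyHandler, 'sample')
  puts "extra names when inherited methods are included: #{extra.size}"
  puts "allowlist: #{allowlisted_names(MyHandler, 'sample', %w[add echo]).inspect}"
end
```

Running the comparison against a real handler class before and after a Ruby upgrade shows whether the published interface has grown beyond the methods the class itself defines.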

References

CVE Name CVE-2005-1992
URL http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/5237
URL http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=315064