Date: Fri, 1 Jul 2005 07:56:14 -0300 (BRST)
From: Renato Botelho <freebsd@galle.com.br>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: knu@FreeBSD.org
Subject: ports/82855: [PATCH] lang/ruby: Fix CAN-2005-1992 - arbitrary command execution on XMLRPC server
Message-ID: <200507011056.j61AuE1h047690@data.galle.com.br>
Resent-Message-ID: <200507011100.j61B0dmO081671@freefall.freebsd.org>
>Number: 82855 >Category: ports >Synopsis: [PATCH] lang/ruby: Fix CAN-2005-1992 - arbitrary command execution on XMLRPC server >Confidential: no >Severity: serious >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Fri Jul 01 11:00:38 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Renato Botelho >Release: FreeBSD 5.4-RELEASE-p3 i386 >Organization: Galle Folheados - http://www.galle.com.br >Environment: System: FreeBSD data.galle.com.br 5.4-RELEASE-p3 FreeBSD 5.4-RELEASE-p3 #2: Thu Jun 30 10:57:16 BRST 2005 >Description: - Fix CAN-2005-1992 - arbitrary command execution on XMLRPC server Obtained from: ruby CVS Added file(s): - files/patch-lib_xmlrpc_utils.rb Port maintainer (knu@FreeBSD.org) is cc'd. Generated with FreeBSD Port Tools 0.63 >How-To-Repeat: >Fix: --- ruby-1.8.2_4.patch begins here --- Index: Makefile =================================================================== RCS file: /home/ncvs/ports/lang/ruby18/Makefile,v retrieving revision 1.85 diff -u -r1.85 Makefile --- Makefile 25 Feb 2005 00:17:27 -0000 1.85 +++ Makefile 1 Jul 2005 10:49:52 -0000 @@ -7,7 +7,7 @@ PORTNAME= ruby PORTVERSION= ${RUBY_PORTVERSION} -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= lang ruby ipv6 MASTER_SITES= ${MASTER_SITE_RUBY} MASTER_SITE_SUBDIR= ${MASTER_SITE_SUBDIR_RUBY} Index: files/patch-lib_xmlrpc_utils.rb =================================================================== RCS file: files/patch-lib_xmlrpc_utils.rb diff -N files/patch-lib_xmlrpc_utils.rb --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-lib_xmlrpc_utils.rb 1 Jul 2005 10:49:52 -0000 
@@ -0,0 +1,11 @@ +--- lib/xmlrpc/utils.rb.orig Fri Jul 1 07:38:00 2005 ++++ lib/xmlrpc/utils.rb Fri Jul 1 07:38:55 2005 +@@ -138,7 +138,7 @@ + + def get_methods(obj, delim=".") + prefix = @prefix + delim +- obj.class.public_instance_methods.collect { |name| ++ obj.class.public_instance_methods(false).collect { |name| + [prefix + name, obj.method(name).to_proc, nil, nil] + } + end --- ruby-1.8.2_4.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
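Review bot: In get_methods of files/patch-lib_xmlrpc_utils.rb, passing false to `public_instance_methods` removes more than the methods inherited from Object and Kernel: it also drops any public method the handler object gets from its own superclass or from a mixed-in module, and the description does not mention that behaviour change. Before the change every name returned was registered as `[prefix + name, obj.method(name).to_proc, nil, nil]`, so restricting the list to methods defined directly in `obj.class` is the right default for an RPC surface. Handler classes that relied on inheritance will silently lose those entries after the upgrade, though. Please add a sentence to the description saying that only methods defined in the handler's own class are exported from PORTREVISION 4 on, so users know to define the methods they want exposed in the handler class itself.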