
New DoS Vulnerability Found in Ruby’s cgi.rb

By Peter Cooper / December 5, 2006

[Image: Cgivuln]

The official Ruby language homepage is reporting that another DoS vulnerability has been found in Ruby's CGI library (cgi.rb). The solution is to upgrade to the newly released Ruby 1.8.5-p2 (warning: direct link to .tar.gz file). Specifically:

A specific HTTP request for any web application using cgi.rb causes CPU consumption on the machine on which the web application is running. Many such requests result in a denial of service.

(source: ozmm)

Comments

  1. Paul Battley says:

    It looks like another MIME-parsing bug, just like the last one. The Japanese disclosure page just says that a DoS is possible by sending a carefully-crafted request, so I looked at the code: the only change in 1.8.5-p2 is that the MIME boundary read from the header is now escaped before being interpolated into the boundary-matching regular expression. Previously, the header was interpolated directly.

    I've been trying to recreate the error, but I haven't succeeded so far. I can't find any details about 1.8.5-p2 on any of the English or Japanese mailing lists, either.
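
The escaping change Paul describes, as an added Ruby example that is not cgi.rb's code or anything posted in this thread: it builds the boundary-matching regex from a Content-Type header with and without Regexp.escape, shows that an unescaped boundary changes what the pattern matches or stops it compiling at all, and adds an RFC 2046 syntax check for the boundary. The function names, the BOUNDARY_SYNTAX pattern and the sample header and body are my own assumptions.

```ruby
# Added example (not cgi.rb's code): building a multipart boundary matcher
# from an untrusted Content-Type header, unsafely and safely.

# Pull the boundary parameter out of a Content-Type header value.
# Returns nil when no boundary parameter is present.
def extract_boundary(content_type)
  m = content_type.match(/boundary=(?:"([^"]*)"|([^;\s]*))/)
  m && (m[1] || m[2])
end

# RFC 2046 boundary syntax: 1 to 70 characters from the bchars set, with no
# trailing space. Note that "(", ")", "+", "?" and "." are all legal here, so
# a syntactically valid boundary can still carry regex metacharacters;
# validation narrows the input but does not replace escaping.
BOUNDARY_SYNTAX = /\A[0-9A-Za-z'()+_,\-.\/:=? ]{0,69}[0-9A-Za-z'()+_,\-.\/:=?]\z/

def valid_boundary?(boundary)
  !!(boundary =~ BOUNDARY_SYNTAX)
end

# Unsafe: the client-controlled boundary is interpolated verbatim, so any
# metacharacters in it become part of the pattern's grammar.
def boundary_regex_unsafe(boundary)
  /--#{boundary}\r?\n/
end

# Safe: Regexp.escape turns every metacharacter into a literal, so the
# pattern matches exactly the boundary string and nothing else.
def boundary_regex_safe(boundary)
  /--#{Regexp.escape(boundary)}\r?\n/
end

# Does the unsafe construction even yield a valid pattern? With an unbalanced
# "(" in the boundary, Ruby raises RegexpError while handling the request.
def compiles_unsafe?(boundary)
  boundary_regex_unsafe(boundary)
  true
rescue RegexpError
  false
end

# Number of boundary delimiter lines the given regex finds in a body.
def count_delimiters(body, regex)
  body.scan(regex).size
end

# Constructed sample: the declared boundary is "a.b". The line "--axb" is not
# a boundary, but "." in an unescaped pattern matches any character, so the
# unsafe regex counts it as one.
SAMPLE_CONTENT_TYPE = 'multipart/form-data; boundary="a.b"'
SAMPLE_BODY = "--a.b\r\nfirst\r\n--axb\r\nnot a part\r\n"

if __FILE__ == $0
  b = extract_boundary(SAMPLE_CONTENT_TYPE)
  puts "boundary=#{b.inspect} valid=#{valid_boundary?(b)}"
  puts "unsafe delimiters: #{count_delimiters(SAMPLE_BODY, boundary_regex_unsafe(b))}"
  puts "safe delimiters:   #{count_delimiters(SAMPLE_BODY, boundary_regex_safe(b))}"
  puts "unsafe pattern compiles with 'a(b': #{compiles_unsafe?('a(b')}"
end
```

Run it with `ruby` and the unsafe version reports two delimiters where only one exists, and fails outright on a boundary containing an unbalanced parenthesis; the escaped version does neither. The syntax check is worth keeping as a first line of defence (it bounds the boundary to 70 characters and a known alphabet), but since the RFC alphabet itself includes regex metacharacters, Regexp.escape is the part that actually closes the hole.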

  2. Peter Cooper says:

    I couldn't make hide nor hair of it, to be honest, so I am glad there are people who are looking into it in more depth :) I'm just trusting the official Ruby site.

    I did think that Japanese graphic was pretty cool though..!

  3. Jon Leighton says:

    I think this is the same as this? http://rubyforge.org/pipermail/mongrel-users/2006-October/001946.html

    Talk about slow response time?

  4. Paul Battley says:

    Jon, that's a separate issue that's fixed by a previous patch.

    This is a new, related vulnerability, with a different patch.

  5. Jon Leighton says:

    But the two patches ([1] and [2]), as far as I can tell, modify exactly the same line in exactly the same way?

    [1] http://rubyforge.org/pipermail/mongrel-users/attachments/20061025/09b5f29a/attachment-0001.obj
    [2] http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-cgi-dos-1.patch

  6. Peter Cooper says:

    Jon: Yeah, like Paul says, I think this is a separate issue. On the official Ruby site, at least, they say it's not the same as the Oct/Nov issue. I think this might be why it's at 1.8.5-p2, since p1 probably solved the initial one.

    Seems like cgi.rb could do with a nice audit :)

  7. Peter Cooper says:

    Jon: Oops.. my response just above was made before I saw and moderated your 7:01pm comment :) Interesting find! I must confess I have not downloaded the latest version to check it out, but it does say this:

    Please note that the previous patch (http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-cgi-dos-1.patch) does not fix this problem.

  8. Paul Battley says:

    OK, let's clear up the confusion! There are now three versions of Ruby 1.8.5:

    * 1.8.5
    * 1.8.5 + ruby-1.8.5-cgi-dos-1.patch (we could call this 1.8.5-p1)
    * 1.8.5-p2

    Jon's links 1 and 2 are indeed the same patch for the same flaw. This new one is different, though.

    If you download 1.8.5, apply the first patch, and then diff cgi.rb against that from 1.8.5-p2, you'll see three further lines of changes[1].

    1. http://po-ru.com/files/ruby-1.8.5-cgi-dos-2.patch

  9. Peter Cooper says:

    Thanks Paul, just what we needed :)

  10. Jon Leighton says:

    Paul: Ahah, thanks very much for clearing that up.
