All versions of MRI Ruby that claim to fix the vulnerabilities are
either failing with segmentation faults or change the API in ways that
make it impossible to run vital libraries such as Rails 2.0.x and RSpec.
These broken versions include: 1.8.5p231, 1.8.6p230, 1.8.7p22, and
1.9.0-2. Unfortunately, the source code describing some of the proposed
fixes has been publicly available now for four days for crackers to
write their attacks, so we’re in a race with the bad guys to deliver a
solution.
Is anyone working on fixing these bugs? If not, can we rally the
community to get a bounty and/or code sprint going?
Is there a way to convince the Ruby maintainers to run new code against
the publicly-available test suites provided by RubySpec, Rails and Rspec
before they ship a new version to avoid these problems in the future?
Is there anything else that those of us which lack the necessary C
expertise to fix these problems can do to help with this effort?
All versions of MRI Ruby that claim to fix the vulnerabilities are
either failing with segmentation faults or change the API in ways that
make it impossible to run vital libraries such as Rails 2.0.x and
RSpec. These broken versions include: 1.8.5p231, 1.8.6p230, 1.8.7p22,
and 1.9.0-2.
FreeBSD backported the relevent patches to 1.8.6 p111, perhaps use
those? I’ve certainly not had any problems with my Rails apps with it.
Can you or someone more familiar with FreeBSD explain how to get the
diff for their patches so someone can start building a backport patch
based on theirs? I found the FreeBSD page that refers to these at FreshPorts -- lang/ruby18: An object-oriented interpreted scripting language but can’t get it to give me code.
Thanks for the assistance. That FreeBSD web site’s UI sucks. Their “Get
diffs” button is broken and always returns nothing. To get a diff on a
file, one must click the “text” next to the revision number.
FreeBSD’s backported patch seems insufficient and vulnerable. I come to
this conclusion because they only modified two files (sprintf.c and
string.c) – but the Ruby changelog for this fix mentions other files
(e.g., array.c), and Zed S. identifies about a dozen files potentially
involved in the fix at http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html
So we still need to come up with either a backport for one of the
working versions of Ruby, or a fix to one of the currently released but
broken versions.
I’ve sent email to Stas, the FreeBSD maintainer of Ruby to warn them of
the potential security hole in their release and in hopes that they may
join this discussion.
FreeBSD backported the relevent patches to 1.8.6 p111, perhaps use
those? I’ve certainly not had any problems with my Rails apps with it.
Thanks for the information, Thomas. Could you or someone else with
FreeBSD, as a favor, run the Rails and RSpec test suites with this new
version to determine how well these modified versions work?
If we can create a patch against the official 1.8.6p111 source code, we
can distribute that as a temporary solution until there’s an official
fix. That’d be great.
However, does anyone know how the FreeBSD maintainers figured out what
to backport and what not to?
Can you or someone more familiar with FreeBSD explain how to get the
diff for their patches so someone can start building a backport patch
based on theirs? I found the FreeBSD page that refers to these at FreshPorts -- lang/ruby18: An object-oriented interpreted scripting language but can’t get it to give me code.
For example, if I scroll down, locate the first change set, click the
misleading MS Notepad icon, scroll down, click on any of the listed
files, scroll down, tell it to do diff, it just returns a zero-length
file. Thoughts?
On Mon, 23 Jun 2008 19:20:00 +0900
Igal K. [email protected] mentioned:
Thanks for the assistance. That FreeBSD web site’s UI sucks. Their “Get
diffs” button is broken and always returns nothing. To get a diff on a
file, one must click the “text” next to the revision number.
You rocks! The file you trying to get has only a single revision, and
you obviously requesting the diff between the 1.1 and 1.1 version -
that’s
empty of course. It’s better to look at the text fields before pressing
the button and claiming it doesn’t work - isn’t it?
We at Phusion have just released Ruby Enterprise Edition (pardon the
name 1.8.6-20080623, which is based on Ruby 1.8.6-p111, and includes
the relevant security patches backported. Details here:
The relevant patch is available at: http://tinyurl.com/5b493c
It’s based on the FreeBSD patch set. Thanks FreeBSD.
Can you prove that the port is still vulnerable?
No, I only know C well enough to tell that your patch didn’t seem to
match up with what was described elsewhere.
It’s better to look at the text fields before pressing
the button and claiming it doesn’t work - isn’t it?
I did. The text fields read “1.1” and “1.2”. These fields are wrong, the
first should be something like “1.0” or “initial”, and the second should
be “1.1”. Setting the first field to “1.0” fails because this is a
forbidden field in your version control system, and version “1.2”
doesn’t exist. I see no way to get a diff by clicking the “Get diffs”
button, therefore it doesn’t work. Either don’t show the button for
newly imported files, or provide sensible behavior, like displaying the
initial version so that the user doesn’t get confused.
On Mon, 23 Jun 2008 20:30:10 +0900
Fred C. [email protected] mentioned:
Guys
I need some tutorial on Ruby. It seems to be very
interesting package. advise what do i do so that i
become an expert? am already good at MS Access,
FrontPage, DreamWeaver and a bit of DotNetNuke.
Try to get one of best ruby books: The Ruby Way,
Pragmatic Programmers’ “The Ruby Language” and
other.
There’re also a lot of tutorials on the web
available.
The relevant patch is available at: http://tinyurl.com/5b493c
Thanks for the quick response and for publishing the patch. However, are
you sure you got all the files? Your patch is the most comprehensive
I’ve seen, but isn’t it missing the fixes to things like eval.c, file.c
and bignum.c?
It’s based on the FreeBSD patch set.
As far as I can tell, you and Stas at FreeBSD were patching different
files. E.g., you patched io.c, while he didn’t seem to. However, I feel
like I don’t understand how to use the FreeBSD website because I can
only see find his patches to string.c and sprintf.c, but none of the
others, so if someone can explain how to find the rest, that’d be great.
-igal
PS: And many thanks for the awesome work on Phusion Passenger and Ruby
EE.
I did. The text fields read “1.1” and “1.2”. These fields are wrong, the
first should be something like “1.0” or “initial”, and the second should
be “1.1”. Setting the first field to “1.0” fails because this is a
forbidden field in your version control system, and version “1.2”
doesn’t exist. I see no way to get a diff by clicking the “Get diffs”
button, therefore it doesn’t work. Either don’t show the button for
newly imported files, or provide sensible behavior, like displaying the
initial version so that the user doesn’t get confused.
The GUI only reflects what CVS has. The file is question is of 1.1
revision (first in CVS) and you obvously can’t get a diff between
nothing and first. CVS tracks only files, not the entire repository.
1.8.6-20080623, which is based on Ruby 1.8.6-p111, and includes