[Ruby 1.8 - Bug #199] (Open) Possible patches for critical segfaults and vulnerabilities available for review in ruby-talk

Ticket #199 was reported. (by Anonymous)


Bug #199: Possible patches for critical segfaults and vulnerabilities
available for review in ruby-talk
http://redmine.ruby-lang.org/issues/show/199

Reporter: Anonymous
Status: Open
Priority: Immediate
Assignee:
Category:
Target version:

All currently available official versions of MRI Ruby are either
vulnerable, failing with segmentation faults, or change the API in ways
that make it impossible to run critical Ruby libraries such as Rails 2.0
and RSpec.

There are currently two unofficial patches submitted by ruby-talk
members that seem to fix these problems:

One is a backport of fixes to 1.8.6p111 by Stanislav S. and Hongli
Lai. The other is a fix to 1.8.6p230 by Smartleaf which reverts a recent
patch that’s causing segmentation faults. I’ve attached these files to
this ticket.

I’ve personally confirmed that both of these work as well as the stock
1.8.6p111 in running the Rails 2.0, RSpec 1.1.4, and RubySpec test
suites. However, I do not understand the C patches well enough to be
able to help with them myself.

Can one of the Ruby maintainers please review these patches and join in
the discussion at ruby-talk or the online thread "Ruby 1.9.0/1.8.7/1.8.6/1.8.5
new releases (Security Fix)" at Ruby-Forum?

Thank you!

-igal

Ticket #199 was updated. (by Anonymous)

I’d really like to hear from the core team about this issue as well. We
have thousands of ruby1.8.6p114 installs that we cannot update to the
official releases since they all segfault. For now we are using the
http://redmine.ruby-lang.org/attachments/download/11 patch against p114
and it seems to work fine for all intents and purposes. But it would
really reassure us if the ruby-core could respond and bless one of
these patches or tell us what is wrong with them if there are issues.

Thanks
-Ezra Z.

http://redmine.ruby-lang.org/issues/show/199

Ticket #199 was updated. (by Igal K.)

File wrapper.sh added
File logs.tar.gz added

Urabe S. wrote:

> Sorry for a late reply but I think I've fixed this issue. Can someone
> please try the latest ruby_1_8_6 branch?

I'm delighted to hear from you!

I’ve checked out the latest source code and ran the test suites of
RubySpec, Rails and RSpec on it. The segfaults are gone and I’m able to
run Rails applications again. However, many tests are failing in a way
that indicates there are either bugs or changes in the API which cause
p238 to behave differently than p111.

I’ve updated the RedMine ticket
[http://redmine.ruby-lang.org/issues/show/199] and uploaded the
following files:

  1. wrapper.sh – Sample commands I’m running to build Ruby and execute
    the test suites
  2. logs.tar.gz – The test suite logs for the various programs

In the logs, the “p111.log” files were created with Ubuntu 8.04’s
patched Ruby 1.8.6p111, while the “17630.log” files were created with
SVN r17630. The best way to work with these log files is to use a modern
diff program like “gvimdiff” or “meld” which can detect intra-line
changes (a few characters changed within a line), and visually compare
them side-by-side. Note that a number of tests fail on both, this is
unfortunately normal. What’s important is that the same tests pass and
fail on both versions. I’ll try to make sense of the changes and errors
after I get some sleep.

Because the latest SVN version seems to introduce API changes, trying
to fix it may be time consuming and stressful.

I urge you to consider reviewing the submitted unofficial patches and
make a new release based on a well-known stable version of the code,
such as p111 or p114.

Thank you!

-igal

http://redmine.ruby-lang.org/issues/show/199
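The comparison Igal describes above, where the point is not the absolute number of failures but whether the same tests pass and fail on both builds, can be automated instead of eyeballed in gvimdiff or meld. The following Ruby script is an added example and is not code from the ticket, its attachments (wrapper.sh and logs.tar.gz are not reproduced here) or the Ruby project. The `PASS`/`FAIL` line format and the sample log contents are constructed assumptions, since the real RubySpec, Rails and RSpec logs are not on the page; adapt `parse_results` to whatever your suite actually prints.

```ruby
# Added example (not from the ticket or its attachments): compare a
# baseline test log (e.g. p111) against a candidate log (e.g. r17630)
# and report only the tests whose outcome differs.
#
# ASSUMPTION: each result line is "<PASS|FAIL> <test name>". The real
# suite logs attached to the ticket use their own formats; only this
# parser needs to change for them.

# Parse a log into { test_name => :pass | :fail }. Lines that do not
# match the assumed format (banners, timestamps, summaries) are ignored.
def parse_results(log)
  results = {}
  log.each_line do |line|
    next unless line =~ /\A\s*(PASS|FAIL)\s+(.+?)\s*\z/
    results[$2] = ($1 == "PASS" ? :pass : :fail)
  end
  results
end

# Returns four sorted lists:
#   :regressions   - passed on baseline, fail on candidate (what matters)
#   :fixed         - failed on baseline, pass on candidate
#   :still_failing - fail on both (the "normal" noise the ticket mentions)
#   :only_in_one   - present in just one log (skipped or newly added tests)
def compare_logs(baseline_log, candidate_log)
  base = parse_results(baseline_log)
  cand = parse_results(candidate_log)
  common = base.keys & cand.keys
  {
    regressions:   common.select { |t| base[t] == :pass && cand[t] == :fail }.sort,
    fixed:         common.select { |t| base[t] == :fail && cand[t] == :pass }.sort,
    still_failing: common.select { |t| base[t] == :fail && cand[t] == :fail }.sort,
    only_in_one:   ((base.keys | cand.keys) - common).sort,
  }
end

# Constructed sample logs; NOT real output from the ticket's attachments.
P111_LOG = <<~LOG
  Running RubySpec on ruby 1.8.6p111
  PASS Array#pack
  FAIL Iconv.conv
  PASS Module#remove_method
  PASS String#%
  FAIL Kernel#fork
LOG

R17630_LOG = <<~LOG
  Running RubySpec on ruby 1.8.6 r17630
  PASS Array#pack
  FAIL Iconv.conv
  FAIL Module#remove_method
  FAIL String#%
  PASS Kernel#fork
  PASS Dir#glob
LOG

if __FILE__ == $0
  compare_logs(P111_LOG, R17630_LOG).each do |kind, tests|
    puts "#{kind}: #{tests.empty? ? '(none)' : tests.join(', ')}"
  end
end
```

Run it against two captured logs (`compare_logs(File.read("p111.log"), File.read("17630.log"))`) and review only the `:regressions` list; a test that fails on both builds is pre-existing breakage, not something the new branch introduced, which is exactly the distinction the side-by-side diff is meant to surface.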

Ticket #199 was updated. (by Igal K.)

File logs2.tar.gz added

I’ve re-run the test suites, along with some additional ones, against
Ruby 1.8.6 SVN 17631 and the results seem promising.

The RubySpec team’s been working hard to revise their specs and
eliminated the false positives I reported last time. Many thanks to
Federico B., Vladimir S., Arthur Schreiber, Tanaka A., and
others for the timely effort.

Here are the test suites and their results:

RubySpec [Wed Jul 2 11:27:11 2008 -0500]

  • Module#remove_method fails
  • String#% failures
  • Iconv has many, many failures

Rails 1.2.6

  • Fine!

Rails 2.0.2

  • Fine!

Rails 2.1.0

  • Fine!

Rails tip

  • Hundreds of tests seem to be skipped, haven’t figured out why.

RSpec 1.1.4

  • Fine. Although it fails the ‘identical HTML’ spec, that spec is flaky
    and shouldn’t count.

-igal

http://redmine.ruby-lang.org/issues/show/199

Ticket #199 was updated. (by Nobuyoshi N.)

Status changed from Open to Closed
% Done changed from 0 to 100

Merged to 1.8.6 branch in the repository, at r17630.

http://redmine.ruby-lang.org/issues/show/199