Ruby 1.9.0/1.8.7/1.8.6/1.8.5 new releases (Security Fix)

#1

Hi all.

Some vulnerabilities were found in Ruby, one of which allows attackers to
execute arbitrary code. These are releases to fix those problems.

Also note this is the last official release of ruby 1.8.5. No support
is provided for it by us any longer.

Detailed information should be found at:
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities

Released tarballs are available at:

ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-2.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-2.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-2.zip
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p22.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p22.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p22.zip
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p230.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p230.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p230.zip
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p231.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p231.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p231.zip

And checksums:
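One way to check a downloaded tarball against the checksum block of an announcement like the one above (lines of the form `MD5(file)= hex`, `SHA256(file)=` with the digest wrapped onto the next line, and `SIZE(file)= bytes`), as an added Ruby example that is not part of the original post; the file names and digests in the sample are constructed, not taken from the release.

```ruby
require "digest"
require "tempfile"

# Parse announcement lines "MD5(file)= hex", "SHA256(file)=" (value wrapped
# onto the next line) and "SIZE(file)= bytes" into {file => {"MD5" => ..}}.
def parse_checksums(text)
  records = Hash.new { |h, k| h[k] = {} }
  pending = nil # [algo, file] whose value continues on the next line
  text.each_line do |raw|
    line = raw.strip
    next if line.empty?
    if pending
      records[pending[1]][pending[0]] = line.downcase
      pending = nil
    elsif (m = line.match(/\A(MD5|SHA256|SIZE)\((\S+)\)=\s*(\S*)\z/))
      algo, file, value = m.captures
      pending = [algo, file] if value.empty?
      records[file][algo] = value.downcase unless value.empty?
    end
  end
  records
end

# Names of the checks that disagree (empty array means verified); every field
# is compared, so an entry missing a digest fails instead of silently passing.
def verify_download(path, record)
  data = File.binread(path)
  actual = { "SIZE" => data.bytesize.to_s, "MD5" => Digest::MD5.hexdigest(data),
             "SHA256" => Digest::SHA256.hexdigest(data) }
  %w[SIZE MD5 SHA256].reject { |a| record[a] == actual[a] }
end

# Constructed sample: both entries describe a 3-byte file containing "abc";
# the second one carries a deliberately wrong MD5.
SAMPLE_ANNOUNCEMENT = <<~TXT
  MD5(good.tar.gz)= 900150983cd24fb0d6963f7d28e17f72
  SHA256(good.tar.gz)=
  ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
  SIZE(good.tar.gz)= 3

  MD5(bad.tar.gz)= 00000000000000000000000000000000
  SHA256(bad.tar.gz)=
  ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
  SIZE(bad.tar.gz)= 3
TXT

def check_sample(name)
  Tempfile.create(name) do |f|
    File.binwrite(f.path, "abc")
    verify_download(f.path, parse_checksums(SAMPLE_ANNOUNCEMENT)[name])
  end
end
```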

#2

Urabe S. wrote:

Hi all.

Some vulnerabilities were found in Ruby, one of which allows attackers to
execute arbitrary code. These are releases to fix those problems.

Detailed information should be found at:
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities

Any chance to get more detailed information about the security
vulnerabilities?

How severe is it? Which calls, libraries are involved?

Best Regards,
Joachim G.

#3

On Sat, Jun 21, 2008 at 4:47 PM, Joachim G. removed_email_address@domain.invalid
wrote:

vulnerabilities?

How severe is it? Which calls, libraries are involved?

check patches?

#4

Urabe S. wrote:

Some vulnerabilities were found in Ruby, one of which allows attackers to
execute arbitrary code. These are releases to fix those problems.

Also note this is the last official release of ruby 1.8.5. No support
is provided for it by us any longer.

Detailed information should be found at:
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities

“Detailed”?

#5

The new 1.8.6 release does not appear to work with Rails (2.0.2 in our
case). See several reports of errors or segfaults here:

http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security-vulnerabilities

So a large portion of the Ruby world will remain unpatched until
ruby-core turns another release… :frowning:

#6

All versions of MRI Ruby that claim to fix the vulnerabilities are
either failing with segmentation faults or change the API in ways that
make it impossible to run vital libraries such as Rails 2.0.x and RSpec.
These broken versions include: 1.8.5p231, 1.8.6p230, 1.8.7p22, and
1.9.0-2. Unfortunately, the source code describing some of the proposed
fixes has been publicly available now for four days for crackers to
write their attacks, so we’re in a race with the bad guys to deliver a
solution.

Is anyone working on fixing these bugs? If not, can we rally the
community to get a bounty and/or code sprint going?

Is there a way to convince the Ruby maintainers to run new code against
the publicly-available test suites provided by RubySpec, Rails and Rspec
before they ship a new version to avoid these problems in the future?

Is there anything else that those of us who lack the necessary C
expertise to fix these problems can do to help with this effort?

Thank you.

-igal

#7

When will the binaries for the latest 1.8.7 patchlevel be available for
Windows users?

Maybe I’m looking in the wrong place, but they aren’t here:
ftp://ftp.ruby-lang.org/pub/ruby/binaries/mswin32.

If that is the right place, then is there some reason for the delay in
publishing them?

#8
Igal K. (removed_email_address@domain.invalid) wrote:

All versions of MRI Ruby that claim to fix the vulnerabilities are
either failing with segmentation faults or change the API in ways that
make it impossible to run vital libraries such as Rails 2.0.x and
RSpec. These broken versions include: 1.8.5p231, 1.8.6p230, 1.8.7p22,
and 1.9.0-2.

FreeBSD backported the relevant patches to 1.8.6 p111, perhaps use
those? I’ve certainly not had any problems with my Rails apps with it.

#9

In article removed_email_address@domain.invalid,
Igal K. removed_email_address@domain.invalid wrote:

Can you or someone more familiar with FreeBSD explain how to get the
diff for their patches so someone can start building a backport patch
based on theirs? I found the FreeBSD page that refers to these at
http://www.freshports.org/lang/ruby18/ but can’t get it to give me code.

Try this instead:
http://www.freebsd.org/cgi/cvsweb.cgi/ports/lang/ruby18/files/

#10

Ollivier R. wrote:

Try this instead:
http://www.freebsd.org/cgi/cvsweb.cgi/ports/lang/ruby18/files/

Thanks for the assistance. That FreeBSD web site’s UI sucks. Their “Get
diffs” button is broken and always returns nothing. To get a diff on a
file, one must click the “text” next to the revision number.

FreeBSD’s backported patch seems insufficient and vulnerable. I come to
this conclusion because they only modified two files (sprintf.c and
string.c) – but the Ruby changelog for this fix mentions other files
(e.g., array.c), and Zed S. identifies about a dozen files potentially
involved in the fix at
http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html

So we still need to come up with either a backport for one of the
working versions of Ruby, or a fix to one of the currently released but
broken versions.

I’ve sent email to Stas, the FreeBSD maintainer of Ruby to warn them of
the potential security hole in their release and in hopes that they may
join this discussion.

-igal

#11

On Mon, 23 Jun 2008 19:20:00 +0900
Igal K. removed_email_address@domain.invalid mentioned:

string.c) – but the Ruby changelog for this fix mentions other files
(e.g., array.c), and Zed S. identifies about a dozen files potentially
involved in the fix at
http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html

You’re not fully correct. All the relevant changes were in array.c
and string.c sources, I’ve backported both.

I’m not aware of other security problems in the code.

I’ll check the link later.

#12

Thomas H. wrote:

FreeBSD backported the relevant patches to 1.8.6 p111, perhaps use
those? I’ve certainly not had any problems with my Rails apps with it.

Thanks for the information, Thomas. Could you or someone else with
FreeBSD, as a favor, run the Rails and RSpec test suites with this new
version to determine how well these modified versions work?

If we can create a patch against the official 1.8.6p111 source code, we
can distribute that as a temporary solution until there’s an official
fix. That’d be great.

However, does anyone know how the FreeBSD maintainers figured out what
to backport and what not to?

Can you or someone more familiar with FreeBSD explain how to get the
diff for their patches so someone can start building a backport patch
based on theirs? I found the FreeBSD page that refers to these at
http://www.freshports.org/lang/ruby18/ but can’t get it to give me code.
For example, if I scroll down, locate the first change set, click the
misleading MS Notepad icon, scroll down, click on any of the listed
files, scroll down, tell it to do diff, it just returns a zero-length
file. Thoughts?

-igal

#13

hi Fred,
You can refer to these,
http://www.digitalmediaminute.com/article/1816/top-ruby-on-rails-tutorials
http://www.maxkiesler.com/index.php/weblog/comments/learning_ruby_a_guide_to_online_tutorials_examples_and_downloads/
http://soylentfoo.jnewland.com/articles/2005/08/05/learning-ruby-on-rails

On Mon, Jun 23, 2008 at 4:59 PM, Fred C. removed_email_address@domain.invalid
wrote:

Thanks and Regards
Saurabh P.
+91-9922907342
skype: sorab_pune
yahoo & gtalk: saurabh.purnaye
msn: removed_email_address@domain.invalid

#14

On Mon, 23 Jun 2008 19:20:00 +0900
Igal K. removed_email_address@domain.invalid mentioned:

Thanks for the assistance. That FreeBSD web site’s UI sucks. Their “Get
diffs” button is broken and always returns nothing. To get a diff on a
file, one must click the “text” next to the revision number.

You rock! The file you are trying to get has only a single revision, and
you are obviously requesting the diff between the 1.1 and 1.1 versions;
that’s empty, of course. It’s better to look at the text fields before
pressing the button and claiming it doesn’t work, isn’t it?

#15

http://www.ruby-doc.org/

#16

Hi guys. Igal invited me to join this discussion.

We at Phusion have just released Ruby Enterprise Edition (pardon the
name :wink: 1.8.6-20080623, which is based on Ruby 1.8.6-p111, and includes
the relevant security patches backported. Details here:
http://tinyurl.com/5bmgtp

The relevant patch is available at: http://tinyurl.com/5b493c
It’s based on the FreeBSD patch set. Thanks FreeBSD. :slight_smile:

#17

Stanislav S. wrote:

All the relevant changes were in array.c and string.c sources, I’ve backported both.

According to
http://www.freebsd.org/cgi/cvsweb.cgi/ports/lang/ruby18/files/ you only
patched sprintf.c and string.c but not array.c, which was specifically
mentioned in the changelog as having a vulnerability. Furthermore, Zed
Shaw mentioned many other files that seemed affected by security fixes
at http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html

Can you prove that the port is still vulnerable?

No, I only know C well enough to tell that your patch didn’t seem to
match up with what was described elsewhere.

It’s better to look at the text fields before pressing
the button and claiming it doesn’t work - isn’t it?

I did. The text fields read “1.1” and “1.2”. These fields are wrong, the
first should be something like “1.0” or “initial”, and the second should
be “1.1”. Setting the first field to “1.0” fails because this is a
forbidden field in your version control system, and version “1.2”
doesn’t exist. I see no way to get a diff by clicking the “Get diffs”
button, therefore it doesn’t work. Either don’t show the button for
newly imported files, or provide sensible behavior, like displaying the
initial version so that the user doesn’t get confused.

-igal

#18

On Mon, 23 Jun 2008 20:30:10 +0900
Fred C. removed_email_address@domain.invalid mentioned:

Guys

I need some tutorial on Ruby. It seems to be a very
interesting package. Advise what do I do so that I
become an expert? I am already good at MS Access,
FrontPage, DreamWeaver and a bit of DotNetNuke.

Try to get one of the best Ruby books: The Ruby Way,
Pragmatic Programmers’ “The Ruby Language” and
others.

There are also a lot of tutorials available on the
web.

#19

Hongli L. wrote:

The relevant patch is available at: http://tinyurl.com/5b493c

Thanks for the quick response and for publishing the patch. However, are
you sure you got all the files? Your patch is the most comprehensive
I’ve seen, but isn’t it missing the fixes to things like eval.c, file.c
and bignum.c?

It’s based on the FreeBSD patch set.

As far as I can tell, you and Stas at FreeBSD were patching different
files. E.g., you patched io.c, while he didn’t seem to. However, I feel
like I don’t understand how to use the FreeBSD website because I can
only find his patches to string.c and sprintf.c, but none of the
others, so if someone can explain how to find the rest, that’d be great.

-igal

PS: And many thanks for the awesome work on Phusion Passenger and Ruby
EE.

#20

On Mon, 23 Jun 2008 21:23:01 +0900
Igal K. removed_email_address@domain.invalid mentioned:

Stanislav S. wrote:

All the relevant changes were in array.c and string.c sources, I’ve backported both.
According to
http://www.freebsd.org/cgi/cvsweb.cgi/ports/lang/ruby18/files/ you only
patched sprintf.c and string.c but not array.c, which was specifically
mentioned in the changelog as having a vulnerability. Furthermore, Zed
Shaw mentioned many other files that seemed affected by security fixes
at http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html

All the files you see in this dir are applied to ruby during package
building and port install. The fresh ones are array.c and string.c.
The sprintf.c patch is required for correct string.c operation as it
adds the required function backported from 1.9.
The file in question is available at
http://www.freebsd.org/cgi/cvsweb.cgi/ports/lang/ruby18/files/patch-array.c?rev=1.1;content-type=text%2Fplain

I did. The text fields read “1.1” and “1.2”. These fields are wrong, the
first should be something like “1.0” or “initial”, and the second should
be “1.1”. Setting the first field to “1.0” fails because this is a
forbidden field in your version control system, and version “1.2”
doesn’t exist. I see no way to get a diff by clicking the “Get diffs”
button, therefore it doesn’t work. Either don’t show the button for
newly imported files, or provide sensible behavior, like displaying the
initial version so that the user doesn’t get confused.

The GUI only reflects what CVS has. The file in question is at revision
1.1 (the first in CVS) and you obviously can’t get a diff between
nothing and the first revision. CVS tracks only files, not the entire repository.