[Security] Ruby 1.9.1-p429 is out


Hi,

Ruby 1.9.1-p429 has just been released. This is a patchlevel release for
Ruby 1.9.1. It fixes many bugs and includes the fix for a security
vulnerability that allows an attacker to execute arbitrary code.

See http://svn.ruby-lang.org/repos/ruby/tags/v1_9_1_429/ChangeLog for
other fixes.

== Vulnerability
A security vulnerability causes a buffer overflow when you assign a
dangerous value to ARGF.inplace_mode on Windows. It possibly allows an
attacker to execute arbitrary code.

The affected versions are:

  • Ruby 1.9.1 patchlevel 378 and all prior versions.
  • Ruby 1.9.2 preview 3 and all prior versions.
  • Development versions of Ruby 1.9 (1.9.3dev).
    I recommend that you upgrade your Ruby 1.9 to 1.9.1-p429 or 1.9.2-preview3.

The vulnerability does not directly affect the Ruby 1.8 series.

=== Credit
The vulnerability was found and reported by Masaya TARUI.

== Location

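The advisory gives no detail beyond "a dangerous value assigned to ARGF.inplace_mode", and the only real fix is the upgrade. What a script that exposes in-place editing can still do is treat the backup suffix as untrusted input. The block below is an added example written for this page; it is not code from the advisory or from Ruby itself. The allow-list regexp SAFE_SUFFIX, the helper names safe_inplace_suffix and upcase_in_place, and the sample file contents are all assumptions made for the example; the advisory does not say which values are dangerous, so the allow-list is deliberately narrow (short, plain suffixes such as ".bak" or "~"). The edit is then run through ARGF itself so the same code path the advisory talks about is exercised.

```ruby
require 'tmpdir'

# Assumed allow-list (the advisory does not say which values are dangerous):
# only short, plain suffixes such as ".bak", ".orig" or "~" are accepted.
SAFE_SUFFIX = /\A[A-Za-z0-9._~-]{1,16}\z/

# Returns the suffix unchanged if it is acceptable, raises otherwise.
def safe_inplace_suffix(suffix)
  s = String(suffix)
  unless s.match?(SAFE_SUFFIX)
    raise ArgumentError, "refusing in-place suffix #{s.inspect}"
  end
  s
end

# Upper-cases every line of each file in +paths+ in place, keeping a backup
# named "<path><suffix>", the same way `ruby -i<suffix>` would. Returns
# { path => [new_content, backup_content] } so the result can be checked.
def upcase_in_place(paths, suffix)
  suffix = safe_inplace_suffix(suffix)
  if paths.empty? || paths.include?("-")
    raise ArgumentError, "need at least one regular file; '-' would read stdin"
  end
  saved_stdout = $stdout
  ARGV.replace(paths.dup)          # ARGF takes its file list from ARGV
  ARGF.inplace_mode = suffix       # the setter the advisory is about
  begin
    # In in-place mode ARGF redirects $stdout to the file currently being
    # rewritten, so print goes into the file, not to the terminal.
    ARGF.each_line { |line| print line.upcase }
  ensure
    # After the last file ARGF leaves $stdout pointing at that file's
    # still-buffered write handle; restore the real stdout and close it.
    out = $stdout
    ARGF.inplace_mode = nil
    $stdout = saved_stdout
    out.close unless out.equal?(saved_stdout) || out.closed?
  end
  paths.each_with_object({}) do |p, h|
    h[p] = [File.read(p), File.read(p + suffix)]
  end
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    f = File.join(dir, "notes.txt")
    File.write(f, "hello\nworld\n")            # constructed sample input
    p upcase_in_place([f], ".bak")
    begin
      upcase_in_place([f], "../" + "A" * 300)   # rejected before ARGF sees it
    rescue ArgumentError => e
      warn e.message
    end
  end
end
```

Two points worth noting. The allow-list is a mitigation for scripts that take the suffix from users or configuration; it does not make a vulnerable interpreter safe, so the upgrade the advisory recommends still applies. The ensure block exists because ARGF does not restore $stdout on its own once the last file has been read: without the flush-and-restore, anything printed afterwards would silently land in the last edited file, and that file's final lines would not be on disk yet when it is read back.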

(2010/07/02 19:57), Yuki S. (Yugui) wrote:

> The vulnerability does not directly affect the Ruby 1.8 series.

Let me tell you a bit more about it. This bug does exist on 1.8, but 1.8
lacks ARGF.inplace_mode. So an attacker would instead have to use ruby's -i
option like this:

ruby.exe -i? VULNERABLE.rb %VICTIMPATH%

Of course this means the attacker has not only gained privileges to write
files but is also able to spawn arbitrary processes; which means the system
has already been cracked.

So we don't think the 1.8 situation itself is a security issue. We are
handling this as a normal bug.

Yuki S. (Yugui):

> The affected versions are:
>
>   • Ruby 1.9.1 patchlevel 378 and all prior versions.
>   • Ruby 1.9.2 preview 3 and all prior versions.
>   • Development versions of Ruby 1.9 (1.9.3dev).
>     I recommend that you upgrade your Ruby 1.9 to 1.9.1-p429 or 1.9.2-preview3.

Given that 1.9.2-preview3 is vulnerable,
should the last recommendation say 1.9.2-RC1?

— Piotr S.