Ruby 1.9.0/1.8.7/1.8.6/1.8.5 new releases (Security Fix)

[Urabe Shyouhei]

Hi all.

Some vulnerabilities were found on Ruby, one of which allow attackers to
execute arbitrary codes. These are releases to fix those problems.

Also note this is the last official release of ruby 1.8.5. No support
are provided for it by us any longer.

Detailed information should be found at:
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities

Released tarballs are available at:

ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-2.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-2.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-2.zip
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p22.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p22.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p22.zip
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p230.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p230.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p230.zip
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p231.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p231.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p231.zip


And checksums:
MD5(ruby-1.8.7-p22.tar.gz)= fc3ede83a98f48d8cb6de2145f680ef2
SHA256(ruby-1.8.7-p22.tar.gz)= d2e4e6a9f170066846304797d39e8f388edb06206b40c9ef5ec2d657ff22c072
SIZE(ruby-1.8.7-p22.tar.gz)= 4799242

MD5(ruby-1.8.7-p22.tar.bz2)= 2d57acee0d80531e14ec0f6826a1f9fb
SHA256(ruby-1.8.7-p22.tar.bz2)= 477968408e27d067ef56f552d7fc2a9e6f5cae2d1a72f17cd838ebf5e0d30149
SIZE(ruby-1.8.7-p22.tar.bz2)= 4121532

MD5(ruby-1.8.7-p22.zip)= 978ac396582a071f8df84913f40612f1
SHA256(ruby-1.8.7-p22.zip)= eb4de293a3e8ec0d4e277a839a5018b8bcebfde06d151cea1fd5cd1ad3631c2f
SIZE(ruby-1.8.7-p22.zip)= 5849764

MD5(ruby-1.8.6-p230.tar.gz)= 5e8247e39be2dc3c1a755579c340857f
SHA256(ruby-1.8.6-p230.tar.gz)= 7f22b603aadc247a513ac72e479609435d7d9b6542a250db2a28a70b77cda7c9
SIZE(ruby-1.8.6-p230.tar.gz)= 4583204

MD5(ruby-1.8.6-p230.tar.bz2)= 3eceb42d4fc56398676c20a49ac7e044
SHA256(ruby-1.8.6-p230.tar.bz2)= 603708301fc3fd7ef1c47bb4a24d7799c26e28db08d69cda240adcbdbff514d7
SIZE(ruby-1.8.6-p230.tar.bz2)= 3948498

MD5(ruby-1.8.6-p230.zip)= 7a392262e2777d352bd4af197916146e
SHA256(ruby-1.8.6-p230.zip)= 311d9a7e97fd8419a8056a4971e957d99dd6a986496119b40731035472e8e8dd
SIZE(ruby-1.8.6-p230.zip)= 5599077

MD5(ruby-1.8.5-p231.tar.gz)= e900cf225d55414bffe878f00a85807c
SHA256(ruby-1.8.5-p231.tar.gz)= 9091ee606c89ebd94b3ced9a6c1bba8e56a8e5807091c14e81798690cb7e76ca
SIZE(ruby-1.8.5-p231.tar.gz)= 4519838

MD5(ruby-1.8.5-p231.tar.bz2)= 327f5aa6573787432222e96195cffd1e
SHA256(ruby-1.8.5-p231.tar.bz2)= b31a8db0a3b538c28bca1c9b08a07eb55a39547fdaad00c045f073851019639c
SIZE(ruby-1.8.5-p231.tar.bz2)= 3890561

MD5(ruby-1.8.5-p231.zip)= 14236e90cd419faa3c51e972485f44f6
SHA256(ruby-1.8.5-p231.zip)= 28e1b6d86720f3932a24fbebbec7fbcb474c494604a909a440689cdf9484e017
SIZE(ruby-1.8.5-p231.zip)= 5527843

 

[Joachim Glauche]

Hi all.

Some vulnerabilities were found on Ruby, one of which allow attackers to
execute arbitrary codes. These are releases to fix those problems.

Detailed information should be found at:
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities

Any chance to get more detailed information about the security
vulnerabilities?

How severe is it? Which calls, libraries are involved?

Best Regards,
Joachim Glauche

 

[Zhukov Pavel]

Any chance to get more detailed information about the security
vulnerabilities?

How severe is it? Which calls, libraries are involved?

check patches?

 

[Mike Perham]

The new 1.8.6 release does not appear to work with Rails (2.0.2 in our
case). See several reports of errors or segfaults here:

http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security-vulnerabilities

So a large portion of the Ruby world will remain unpatched until
ruby-core turns another release... :-(

 

[Andreas S.]

Some vulnerabilities were found on Ruby, one of which allow attackers to
execute arbitrary codes. These are releases to fix those problems.

Also note this is the last official release of ruby 1.8.5. No support
are provided for it by us any longer.

Detailed information should be found at:
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities

"Detailed"?

 

[Igal Koshevoy]

All versions of MRI Ruby that claim to fix the vulnerabilities are
either failing with segmentation faults or change the API in ways that
make it impossible to run vital libraries such as Rails 2.0.x and RSpec.
These broken versions include: 1.8.5p231, 1.8.6p230, 1.8.7p22, and
1.9.0-2. Unfortunately, the source code describing some of the proposed
fixes has been publicly available now for four days for crackers to
write their attacks, so we're in a race with the bad guys to deliver a
solution.

Is anyone working on fixing these bugs? If not, can we rally the
community to get a bounty and/or code sprint going?

Is there a way to convince the Ruby maintainers to run new code against
the publicly-available test suites provided by RubySpec, Rails and Rspec
before they ship a new version to avoid these problems in the future?

Is there anything else that those of us which lack the necessary C
expertise to fix these problems can do to help with this effort?

Thank you.

-igal

 

[Brian Brian]

When will the binaries for the latest 1.8.7 patchlevel be available for
Windows users?

Maybe I'm looking in the wrong place, but they aren't here:
ftp://ftp.ruby-lang.org/pub/ruby/binaries/mswin32.

If that is the right place, then is there some reason for the delay in
publishing them?

 

[Thomas Hurst]

All versions of MRI Ruby that claim to fix the vulnerabilities are
either failing with segmentation faults or change the API in ways that
make it impossible to run vital libraries such as Rails 2.0.x and
RSpec. These broken versions include: 1.8.5p231, 1.8.6p230, 1.8.7p22,
and 1.9.0-2.

FreeBSD backported the relevent patches to 1.8.6 p111, perhaps use
those? I've certainly not had any problems with my Rails apps with it.

 

[Igal Koshevoy]

FreeBSD backported the relevent patches to 1.8.6 p111, perhaps use
those? I've certainly not had any problems with my Rails apps with it.

Thanks for the information, Thomas. Could you or someone else with
FreeBSD, as a favor, run the Rails and RSpec test suites with this new
version to determine how well these modified versions work?

If we can create a patch against the official 1.8.6p111 source code, we
can distribute that as a temporary solution until there's an official
fix. That'd be great.

However, does anyone know how the FreeBSD maintainers figured out what
to backport and what not to?

Can you or someone more familiar with FreeBSD explain how to get the
diff for their patches so someone can start building a backport patch
based on theirs? I found the FreeBSD page that refers to these at
http://www.freshports.org/lang/ruby18/ but can't get it to give me code.
For example, if I scroll down, locate the first change set, click the
misleading MS Notepad icon, scroll down, click on any of the listed
files, scroll down, tell it to do diff, it just returns a zero-length
file. Thoughts?

-igal

 

[Ollivier Robert]

Can you or someone more familiar with FreeBSD explain how to get the
diff for their patches so someone can start building a backport patch
based on theirs? I found the FreeBSD page that refers to these at
http://www.freshports.org/lang/ruby18/ but can't get it to give me code.

Try this instead:
http://www.freebsd.org/cgi/cvsweb.cgi/ports/lang/ruby18/files/

 

[Igal Koshevoy]

Try this instead:
http://www.freebsd.org/cgi/cvsweb.cgi/ports/lang/ruby18/files/

Thanks for the assistance. That FreeBSD web site's UI sucks. Their "Get
diffs" button is broken and always returns nothing. To get a diff on a
file, one must click the "text" next to the revision number.

FreeBSD's backported patch seems insufficient and vulnerable. I come to
this conclusion because they only modified two files (sprintf.c and
string.c) -- but the Ruby changelog for this fix mentions other files
(e.g., array.c), and Zed Shaw identifies about a dozen files potentially
involved in the fix at
http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html

So we still need to come up with either a backport for one of the
working versions of Ruby, or a fix to one of the currently released but
broken versions.

I've sent email to Stas, the FreeBSD maintainer of Ruby to warn them of
the potential security hole in their release and in hopes that they may
join this discussion.

-igal

 

[Zhukov Pavel]

http://www.ruby-doc.org/

 

[saurabh purnaye]

[Note: parts of this message were removed to make it a legal post.]

hi Fred,
You can refer to these,
http://www.digitalmediaminute.com/article/1816/top-ruby-on-rails-tutorials
http://www.maxkiesler.com/index.php...e_to_online_tutorials_examples_and_downloads/
http://soylentfoo.jnewland.com/articles/2005/08/05/learning-ruby-on-rails

Guys

I need some tutorial on Ruby. It seems to be very
interesting package. advise what do i do so that i
become an expert? am already good at MS Access,
FrontPage, DreamWeaver and a bit of DotNetNuke.

--
--
Thanks and Regards
Saurabh Purnaye
+91-9922907342
skype: sorab_pune
yahoo & gtalk: saurabh.purnaye
msn: (e-mail address removed)

 

[Hongli Lai]

Hi guys. Igal invited me to join this discussion.

We at Phusion have just released Ruby Enterprise Edition (pardon the
name ;-) 1.8.6-20080623, which is based on Ruby 1.8.6-p111, and includes
the relevant security patches backported. Details here:
http://tinyurl.com/5bmgtp

The relevant patch is available at: http://tinyurl.com/5b493c
It's based on the FreeBSD patch set. Thanks FreeBSD.

 

[Igal Koshevoy]

All the relevant changes were in array.cand string.c sources, I've backported both.

According to
http://www.freebsd.org/cgi/cvsweb.cgi/ports/lang/ruby18/files/ you only
patched sprintf.c and string.c but not array.c, which was specifically
mentioned in the changelog as having a vulnerability. Furthermore, Zed
Shaw mentioned many other files that seemed affected by security fixes
at http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html

Can you prove that the port is still vulnerable?

No, I only know C well enough to tell that your patch didn't seem to
match up with what was described elsewhere.

It's better to look at the text fields before pressing
the button and claiming it doesn't work - isn't it?

I did. The text fields read "1.1" and "1.2". These fields are wrong, the
first should be something like "1.0" or "initial", and the second should
be "1.1". Setting the first field to "1.0" fails because this is a
forbidden field in your version control system, and version "1.2"
doesn't exist. I see no way to get a diff by clicking the "Get diffs"
button, therefore it doesn't work. Either don't show the button for
newly imported files, or provide sensible behavior, like displaying the
initial version so that the user doesn't get confused.

-igal

 

[Igal Koshevoy]

The relevant patch is available at: http://tinyurl.com/5b493c

Thanks for the quick response and for publishing the patch. However, are
you sure you got all the files? Your patch is the most comprehensive
I've seen, but isn't it missing the fixes to things like eval.c, file.c
and bignum.c?

It's based on the FreeBSD patch set.

As far as I can tell, you and Stas at FreeBSD were patching different
files. E.g., you patched io.c, while he didn't seem to. However, I feel
like I don't understand how to use the FreeBSD website because I can
only see find his patches to string.c and sprintf.c, but none of the
others, so if someone can explain how to find the rest, that'd be great.

-igal

PS: And many thanks for the awesome work on Phusion Passenger and Ruby
EE.

 

[Hongli Lai]

Thanks for the quick response and for publishing the patch. However, are
you sure you got all the files? Your patch is the most comprehensive
I've seen, but isn't it missing the fixes to things like eval.c, file.c
and bignum.c?

Now that you mention it, Keita Yamaguchi sent me an eval.c security
patch a while back. Upon closer inspection it seems that this patch is
not included in the FreeBSD patch set, and neither is bignum.c.

I've made an updated patch set:
http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt

Was file.c vulnerable? I see a number of Windows fixes for file.c, but
it's not immediately clear whether the changes also include security
fixes.

As far as I can tell, you and Stas at FreeBSD were patching different
files. E.g., you patched io.c, while he didn't seem to. However, I feel
like I don't understand how to use the FreeBSD website because I can
only see find his patches to string.c and sprintf.c, but none of the
others, so if someone can explain how to find the rest, that'd be great.

I grabbed the patches from the FreeBSD ports tree. Here's a tarball with
all the patches in FreeBSD's ruby18 port:
http://blog.phusion.nl/assets/freebsd-ruby18-patches.tar.gz

I excluded some irrelevant (i.e. FreeBSD-specific) patches from my patch
set.

PS: And many thanks for the awesome work on Phusion Passenger and Ruby
EE.

Thanks.

 

[Igal Koshevoy]

...

Thanks for the updates.

I also figured out what I was missing with the patch listing at the
FreeBSD site. When I was hitting page down to get to the files, I ended
up only looking at the last four files and jumped to the incorrect
conclusion that the listing was sorted by chronological order, and thus
thought that you only patched two files based on the dates listed.
However, the listing is actually alpha sorted and I can now see that you
patched other files. Sorry for the silly mistake, it's been a long
night.

-igal

 

[Hongli Lai]

So is my patch set now complete, or is there still something missing? I
took a look at eval.c but the changes don't look like security fixes to
me, at first glance.

 

[Igal Koshevoy]

Now that you mention it, Keita Yamaguchi sent me an eval.c security
patch a while back. Upon closer inspection it seems that this patch is
not included in the FreeBSD patch set, and neither is bignum.c.

The analysis Zed Shaw described in his blog was based on reviewing all
the changes made this month. Although this is more time consuming, it
also seems like the most methodical way of making sure we catch all the
relevant changes.

I've made an updated patch set:
http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt

Excellent, thank you.

Was file.c vulnerable? I see a number of Windows fixes for file.c, but
it's not immediately clear whether the changes also include security
fixes.

If I recall correctly, a blog post (which I can't find at the moment)
suggested that some of this addressed general buffer overflow issues and
Windows-specific traversal attacks. So these may be worth considering.

-igal