Ruby 1.9.0/1.8.7/1.8.6/1.8.5 new releases (Security Fix)

Jason Crystal

Just wanted to say that we all appreciate those fixes you guys have been
able to hack together so quickly, and thanks for your efforts in getting
through to the Ruby maintainers. There are a lot of folks out here
looking to re-stabilize their apps.

Cheers,
-Jason
 
Marc Heiler

How do we convince them to respond back to the community in a
timely manner about stuff like this?

Please don't speak for everyone. I personally would rather not be
grouped with people like Mr. Shaw, who use every opportunity to lash out
at something they dislike.

Different use cases will remain different - for me these issues are
simply not important at all, for example. And I don't want to give the
ruby devs the feeling that the "community" as such is an angry mob. I'd
rather see more effort to improve the docu of ruby, API docs as such are
boring and not that helpful, but there are also many examples of people
who went to great length to make their docu usable.

We are individuals with individual opinions, it is only polite to speak
primarily merely for yourself, not for, or in the name of, others.

I however want to say one thing - the original team (or dev) that
reported the security problem(s) should have either described exactly
what the problem was (including giving patches), or simply shut up. This
whole issue is blown out of proportion by being repeated over and over
again.

The way to "handle" security-related problems seems inherently unfair to
people who don't have the time to dig for the patches or find the
problem. And some people did invest their time to find out which patches
were applied, which changes were done etc... etc...

I still don't care about the security-related problems, but to be honest
this would be the only way to handle security-related problems in a fair
manner for everyone - by telling what exactly the problem was.

I am quite sure that professional crackers will collect all information
anyway, can glance at patches and changes, and they will have more
knowledge and resources to make any real use of this anyway, no matter
if a problem is kept secret or not. So I do not understand at all why
the original reporter did not reveal the info as well. There is no valid
use case that makes sense for keeping things secret, but loudly
proclaiming that there are problems at the same time.
 
Igal Koshevoy

Marc said:
for me these issues are simply not important at all [...] I still dont care about the security-related problems
That's nice. I have companies that depend on me to deliver applications
on a platform they can rely on, so I do care.
Please don't speak for everyone. I personally would rather not be
grouped with people like Mr. Shaw, who use every opportunity to lash out
at something they dislike.
What's this have to do with Zed? Six days ago we were told by the
maintainers that, "Multiple vulnerabilities in Ruby may lead to a denial
of service (DoS) condition or allow execution of arbitrary code." They
still haven't shipped a working fix or said a single word to us
regarding this topic. I've personally posted on every list and every bug
tracker they have, so they couldn't have missed it, and still silence.
I'm disappointed.

In contrast, I was really impressed by how professionally Stanislav,
Hongli and Robert handled the situation and how quickly they delivered
working solutions.
I do not understand at all why the original reporter did not reveal the info as well.
Because that's not the reporter's responsibility. Drew Yao reported the
bug to the maintainers, and Dominique Brezinski claims that he reported
the same problems two years ago but was ignored. Taking action on
reports and dealing with public relations is the responsibility of the
official maintainers, not the reporter.

-igal
 
M. Edward (Ed) Borasky

Igal said:
Marc said:
for me these issues are simply not important at all [...] I still dont
care about the security-related problems
That's nice. I have companies that depend on me to deliver applications
on a platform they can rely on, so I do care.
Please don't speak for everyone. I personally would rather not be
grouped with people like Mr. Shaw, who use every opportunity to lash out
at something they dislike.
What's this have to do with Zed? Six days ago we were told by the
maintainers that, "Multiple vulnerabilities in Ruby may lead to a denial
of service (DoS) condition or allow execution of arbitrary code." They
still haven't shipped a working fix or said a single word to us
regarding this topic. I've personally posted on every list and every bug
tracker they have, so they couldn't have missed it, and still silence.
I'm disappointed.

In contrast, I was really impressed by how professionally Stanislav,
Hongli and Robert handled the situation and how quickly they delivered
working solutions.
I do not understand at all why the original reporter did not reveal
the info as well.
Because that's not the reporter's responsibility. Drew Yao reported the
bug to the maintainers, and Dominique Brezinski claims that he reported
the same problems two years ago but was ignored. Taking action on
reports and dealing with public relations is the responsibility of the
official maintainers, not the reporter.

-igal
http://www.retrospectives.com/pages/retroPrimeDirective.html
 
Larry Rosenman

Has anyone ported this "fix patch" to 1.8.5-p231? I get patch errors
using this one.
 
Igal Koshevoy

Larry said:
Has anyone ported this "fix patch" to 1.8.5-p231? I get patch errors
using this one.
I haven't heard of any such effort.

Do you have a compelling reason to stay with 1.8.5? If you do, you may
be able to use the Smartleaf 1.8.6 patch for p230 as a guide. It
basically reverts one bad commit, so if you can just walk through the
commits in the 1.8.5 SVN branch till you find a conceptually similar
commit, you can try reverting it.

-igal
 
Larry Rosenman

Igal said:
I haven't heard of any such effort.

Do you have a compelling reason to stay with 1.8.5? If you do, you may
be able to use the Smartleaf 1.8.6 patch for p230 as a guide. It
basically reverts one bad commit, so if you can just walk through the
commits in the 1.8.5 SVN branch till you find a conceptually similar
commit, you can try reverting it.

-igal

We have one RoR app that is basically unmaintained. I'll see if it'll
work with 1.8.6 and this patch.

Thanks!
 
Igal Koshevoy

Larry said:
We have one RoR app that is basically unmaintained. I'll see if it'll
work with 1.8.6 and this patch.
I've personally confirmed that both the Stanislav Sedov and Hongli Lai's
1.8.6p111 backport and the Smartleaf 1.8.6p230 revert patches both pass
the Rails 2.0 test suites, so you should be fine. Another alternative is
the Phusion Ruby Enterprise Edition, which uses the p111 backport.

The only thing I can remember being different between 1.8.5 and 1.8.6 is
that the breakpointer feature stopped working, so if you ever need that
feature, just use ruby-debug instead.

-igal
 
François Montel

Has anyone tried the latest 1.8.6. releases p231 through p236 to see if
they have the same problems with Rails as the p230 release does?
 
Igal Koshevoy

Good: Urabe Shyouhei responded and fixed the segmentation faults in
his latest SVN release, see the ruby-core thread at
http://www.ruby-forum.com/topic/157392#695343

Bad: The new version in SVN is failing dozens of tests that worked
fine in p111. This is bad because any apps that depend on that old
behavior will break. If you have time, please grab the files from
[http://redmine.ruby-lang.org/issues/show/199] and see if you can figure
out what's going on.

Thanks!

-igal

PS: I've sent email to Brian Ford, the primary author of RubySpec to see
if he can lend a hand in making sense of the errors. Maybe in the
process we can also submit some code to RubySpec to improve its
coverage.
 
Cheri Anaclerio

Could somebody please explain how to apply the Smartleaf Stanislav and
Hongli's patches? I too am experiencing glibc segmentation problems and
would like to fix my local copy of rails 1.8.6.

Thanks!

Cheri
 
Jason Crystal

Cheri said:
Could somebody please explain how to apply the Smartleaf Stanislav and
Hongli's patches? I too am experiencing glibc segmentation problems and
would like to fix my local copy of rails 1.8.6.

Thanks!

Cheri

1. Download the 1.8.6p230 source here:
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/

2. Download the patch here (and stick it in the ruby-1.8.6-p230
source directory): http://dev.smartleaf.com/misc/p230_fixit_patch.txt

3. In your terminal:
$ cd ruby-1.8.6-p230
$ patch < ./p230_fixit_patch.txt

4. Then compile per usual. Ex:
$ ./configure
$ make
$ sudo make install
 
Igal Koshevoy

Jason said:
4. Then compile per usual. Ex:
$ ./configure
$ make
$ sudo make install
Jason, thanks for the explanation. However, I'd argue against that last
step. Doing step 4 like that will put the files directly into the user's
/usr/local hierarchy, which will make removing or upgrading that version
difficult.

I'd strongly recommend that you use GNU Stow
[http://www.gnu.org/software/stow/manual.html] and change the steps to:

$ ./configure --prefix=/usr/local/stow/ruby-1.8.6p230smartleaf
$ make
$ sudo mkdir -p /usr/local/stow
$ sudo make install
$ sudo stow -d /usr/local/stow ruby-1.8.6p230smartleaf

With those commands, you'll end up with a symlink at /usr/local/bin/ruby
that points to the installed version deeper within the /usr/local/stow
hierarchy.

Using stow will let you easily install, uninstall and switch between
versions of compiled applications.

-igal

PS: Another good alternative is to use Ruby Enterprise Edition
[http://rubyenterpriseedition.com/] which already includes the patches
and installs itself by default into directory within /opt.
 
Jason Crystal

Jason, thanks for the explanation. However, I'd argue against that last
step. Doing step 4 like that will put the files directly into the user's
/usr/local hierarchy, which will make removing or upgrading that version
difficult.

I'd strongly recommend that you use GNU Stow

Igal,

Good call with that. I just wanted to demonstrate to Cheri that at that
point in the steps, you can do anything you'd normally do with a
functional Ruby source.

Thanks for the additional info!

-Jason
 
Cheri Anaclerio

Ok, I took the stow route and followed the steps below. However, now
when I start the webrick server, Rubygems 0.9.4.1 can't be found even
though it is installed. Looks like the directory I'm pointing to
doesn't know anything about Rubygems. What can I do to fix this?
Thanks! Cheri

(See full trace by running task with --trace)
Rails requires RubyGems >= 0.9.4. Please install RubyGems and try again:
http://rubygems.rubyforge.org
[root@localhost cz]# yum install rubygems
fedora              100% |=========================| 2.1 kB    00:00
updates             100% |=========================| 2.3 kB    00:00
adobe-linux-i386    100% |=========================|  951 B    00:00
Setting up Install Process
Parsing package install arguments
Package rubygems - 0.9.4-1.fc8.noarch is already installed.
Nothing to do
[root@localhost cz]#

I'd strongly recommend that you use GNU Stow
[http://www.gnu.org/software/stow/manual.html] and change the steps to:

$ ./configure --prefix=/usr/local/stow/ruby-1.8.6p230smartleaf
$ make
$ sudo mkdir -p /usr/local/stow
$ sudo make install
$ sudo stow -d /usr/local/stow ruby-1.8.6p230smartleaf

With those commands, you'll end up with a symlink at /usr/local/bin/ruby
that points to the installed version deeper within the /usr/local/stow
hierarchy.

Using stow will let you easily install, uninstall and switch between
versions of compiled applications.

-igal

PS: Another good alternative is to use Ruby Enterprise Edition
[http://rubyenterpriseedition.com/] which already includes the patches
and installs itself by default into directory within /opt.
 
Igal Koshevoy

Cheri said:
Ok, I took the stow route and followed the steps below. However, now
when I start the webrick server, Rubygems 0.9.4.1 can't be found even
though it is installed. Looks like the directory I'm pointing to
doesn't know anything about Rubygems. What can I do to fix this?
Thanks! Cheri

(See full trace by running task with --trace)
Rails requires RubyGems >= 0.9.4. Please install RubyGems and try again:
http://rubygems.rubyforge.org
[root@localhost cz]# yum install rubygems
The problem is that the copy of RubyGems installed via Yum
(/usr/bin/gem) is using your old interpreter (/usr/bin/ruby) and knows
nothing about your new manually-compiled interpreter (/usr/local/bin/ruby).

The solution is to install RubyGems for the new interpreter, e.g.:

wget http://rubyforge.org/frs/download.php/38646/rubygems-1.2.0.tgz
tar xvfz rubygems-1.2.0.tgz
cd rubygems-1.2.0
sudo /usr/local/bin/ruby setup.rb --no-ri --no-rdoc
sudo /usr/local/bin/gem install rake --no-ri --no-rdoc

Because the above changes the stowed directory structure, you'll want to
restow it so that the new files are linked into /usr/local, e.g.:

pushd /usr/local/stow; sudo stow --restow ruby-1.8.6p230smartleaf; popd

There's a way to make multiple Ruby interpreters share a copy of the
installed gems by setting the GEM_HOME environment variable. However,
this seems like a bad idea and you're best off just installing new
copies of the gems you need.

-igal
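A check script for the two problems worked through above (confirming which build you actually ended up with after the patch-and-stow install, and the RubyGems/interpreter mismatch Cheri hit). This is an added example for this thread, not code from any poster, Smartleaf or the Ruby maintainers. It reports which interpreter ran it, its version and patchlevel, and which RubyGems and gem directory that interpreter sees; optionally it checks the interpreter against a minimum version and patchlevel you pass on the command line. The minimum is your input (for instance the patchlevel of the release you built from); the thread does not list affected patchlevels and neither does the script. The file name check_ruby.rb and the argument convention are assumptions.

```ruby
#!/usr/bin/env ruby
# check_ruby.rb - run it with the interpreter you want to inspect, e.g.
#   /usr/local/bin/ruby check_ruby.rb            # just report
#   /usr/local/bin/ruby check_ruby.rb 1.8.6 230  # also require >= 1.8.6-p230
# Added example for this thread; the file name and the minimum you pass
# are assumptions, not values taken from the advisory.
require 'rbconfig'

# Compare a dotted version string plus patchlevel against a minimum.
# Components are compared numerically so "1.8.10" sorts above "1.8.9".
# Returns true when (version, patchlevel) >= (min_version, min_patchlevel).
def at_least?(version, patchlevel, min_version, min_patchlevel)
  v = version.split('.').map { |x| x.to_i }
  m = min_version.split('.').map { |x| x.to_i }
  width = [v.size, m.size].max
  v += [0] * (width - v.size)   # treat "1.8" as "1.8.0"
  m += [0] * (width - m.size)
  cmp = v <=> m
  return cmp > 0 if cmp != 0
  patchlevel.to_i >= min_patchlevel.to_i
end

# Describe the interpreter executing this script and the RubyGems it loads.
# A RubyGems installed for a different ruby (e.g. the distro's /usr/bin/gem
# against a hand-built /usr/local/bin/ruby) shows up here as either a
# LoadError or a gem_home under the other interpreter's prefix.
def interpreter_report
  cfg = RbConfig::CONFIG
  report = {
    'ruby'       => File.join(cfg['bindir'], cfg['ruby_install_name']),
    'version'    => RUBY_VERSION,
    'patchlevel' => RUBY_PATCHLEVEL,
    'prefix'     => cfg['prefix'],
  }
  begin
    require 'rubygems'
    # Old RubyGems exposed Gem::RubyGemsVersion, newer ones Gem::VERSION.
    report['rubygems'] = Gem.const_defined?(:VERSION) ? Gem::VERSION : Gem::RubyGemsVersion
    report['gem_home'] = Gem.dir
  rescue LoadError
    report['rubygems'] = 'not installed for this interpreter'
    report['gem_home'] = nil
  end
  report
end

def main(argv)
  r = interpreter_report
  r.each { |k, v| puts "#{k}: #{v}" }
  return if argv.size != 2
  ok = at_least?(r['version'], r['patchlevel'], argv[0], argv[1])
  puts "meets #{argv[0]}-p#{argv[1]}: #{ok}"
  exit(ok ? 0 : 1)
end

main(ARGV) if __FILE__ == $0
```

Run it once per interpreter (/usr/bin/ruby and /usr/local/bin/ruby) and compare the prefix and gem_home lines: if the stowed ruby reports the Yum gem directory, or raises LoadError on rubygems, RubyGems has not been installed for that interpreter yet. The non-zero exit on a failed minimum check makes the script usable from a deployment or cron script.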
 
Cheri Anaclerio

Thanks, Igal! So when I want to go back to using /usr/bin/ruby and its
associated gems, would I just delete the stow directory

$ sudo stow -d /usr/local/stow ruby-1.8.6p230smartleaf

I am contemplating the solution of just upgrading to Ruby 1.8.7 and
Rails 2.1 since my project is still in development. However, from
reading the forums it looks like there are many plugins that won't work
with Rails 2.1 and other issues that still need to be resolved. Any
thoughts on the upgrade route?

- Cheri
 