#1
Hi all.

Some vulnerabilities were found in Ruby, one of which allows attackers to execute arbitrary code. These are releases to fix those problems.

Also note this is the last official release of ruby 1.8.5. No support is provided for it by us any longer.

Detailed information should be found at:
http://www.ruby-lang.org/en/news/200...ulnerabilities

Released tarballs are available at:
ftp://ftp.ruby-lang.org/pub/ruby/1.9....9.0-2.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.9...1.9.0-2.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-2.zip
ftp://ftp.ruby-lang.org/pub/ruby/1.8....7-p22.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.8...8.7-p22.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p22.zip
ftp://ftp.ruby-lang.org/pub/ruby/1.8...6-p230.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.8....6-p230.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.8...1.8.6-p230.zip
ftp://ftp.ruby-lang.org/pub/ruby/1.8...5-p231.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.8....5-p231.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.8...1.8.5-p231.zip

And checksums:
MD5(ruby-1.8.7-p22.tar.gz)= fc3ede83a98f48d8cb6de2145f680ef2
SHA256(ruby-1.8.7-p22.tar.gz)= d2e4e6a9f170066846304797d39e8f388edb06206b40c9ef5ec2d657ff22c072
SIZE(ruby-1.8.7-p22.tar.gz)= 4799242
MD5(ruby-1.8.7-p22.tar.bz2)= 2d57acee0d80531e14ec0f6826a1f9fb
SHA256(ruby-1.8.7-p22.tar.bz2)= 477968408e27d067ef56f552d7fc2a9e6f5cae2d1a72f17cd838ebf5e0d30149
SIZE(ruby-1.8.7-p22.tar.bz2)= 4121532
MD5(ruby-1.8.7-p22.zip)= 978ac396582a071f8df84913f40612f1
SHA256(ruby-1.8.7-p22.zip)= eb4de293a3e8ec0d4e277a839a5018b8bcebfde06d151cea1fd5cd1ad3631c2f
SIZE(ruby-1.8.7-p22.zip)= 5849764
MD5(ruby-1.8.6-p230.tar.gz)= 5e8247e39be2dc3c1a755579c340857f
SHA256(ruby-1.8.6-p230.tar.gz)= 7f22b603aadc247a513ac72e479609435d7d9b6542a250db2a28a70b77cda7c9
SIZE(ruby-1.8.6-p230.tar.gz)= 4583204
MD5(ruby-1.8.6-p230.tar.bz2)= 3eceb42d4fc56398676c20a49ac7e044
SHA256(ruby-1.8.6-p230.tar.bz2)= 603708301fc3fd7ef1c47bb4a24d7799c26e28db08d69cda240adcbdbff514d7
SIZE(ruby-1.8.6-p230.tar.bz2)= 3948498
MD5(ruby-1.8.6-p230.zip)= 7a392262e2777d352bd4af197916146e
SHA256(ruby-1.8.6-p230.zip)= 311d9a7e97fd8419a8056a4971e957d99dd6a986496119b40731035472e8e8dd
SIZE(ruby-1.8.6-p230.zip)= 5599077
MD5(ruby-1.8.5-p231.tar.gz)= e900cf225d55414bffe878f00a85807c
SHA256(ruby-1.8.5-p231.tar.gz)= 9091ee606c89ebd94b3ced9a6c1bba8e56a8e5807091c14e81798690cb7e76ca
SIZE(ruby-1.8.5-p231.tar.gz)= 4519838
MD5(ruby-1.8.5-p231.tar.bz2)= 327f5aa6573787432222e96195cffd1e
SHA256(ruby-1.8.5-p231.tar.bz2)= b31a8db0a3b538c28bca1c9b08a07eb55a39547fdaad00c045f073851019639c
SIZE(ruby-1.8.5-p231.tar.bz2)= 3890561
MD5(ruby-1.8.5-p231.zip)= 14236e90cd419faa3c51e972485f44f6
SHA256(ruby-1.8.5-p231.zip)= 28e1b6d86720f3932a24fbebbec7fbcb474c494604a909a440689cdf9484e017
SIZE(ruby-1.8.5-p231.zip)= 5527843
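As an added example that is not part of the announcement or of Ruby's own release tooling, the following Ruby script parses the checksum block in the "ALG(file)= value" format shown above and verifies a downloaded archive against it. The manifest excerpt is copied from the announcement; the file checked in `demo` is a constructed stand-in, since nothing is fetched from the FTP server.

```ruby
require 'digest'
require 'tempfile'

# Excerpt of the checksum block from the announcement, in its own
# "ALG(file)= value" line format. One archive is listed to keep the
# example short; the parser handles the whole block unchanged.
RELEASE_MANIFEST = <<'MANIFEST'
MD5(ruby-1.8.7-p22.tar.gz)= fc3ede83a98f48d8cb6de2145f680ef2
SHA256(ruby-1.8.7-p22.tar.gz)= d2e4e6a9f170066846304797d39e8f388edb06206b40c9ef5ec2d657ff22c072
SIZE(ruby-1.8.7-p22.tar.gz)= 4799242
MANIFEST

# Parse "MD5(name)= hex", "SHA256(name)= hex" and "SIZE(name)= bytes" lines
# into { "name" => { md5:, sha256:, size: } }. Other lines are ignored.
def parse_manifest(text)
  entries = Hash.new { |h, k| h[k] = {} }
  text.each_line do |line|
    next unless line =~ /\A(MD5|SHA256|SIZE)\(([^)]+)\)=\s*(\S+)\s*\z/
    alg, file, value = $1, $2, $3
    key = alg.downcase.to_sym
    entries[file][key] = key == :size ? Integer(value, 10) : value.downcase
  end
  entries
end

# Check one downloaded file against its manifest entry. Returns a list of
# problems; an empty list means every value the manifest lists matched.
# Size and MD5 are cheap sanity checks; the SHA256 line is the one that
# actually resists a substituted archive, so its absence is reported too.
def verify_file(path, expected)
  data = File.binread(path)
  actual = {
    size:   data.bytesize,
    md5:    Digest::MD5.hexdigest(data),
    sha256: Digest::SHA256.hexdigest(data),
  }
  problems = actual.each_with_object([]) do |(key, value), out|
    next unless expected.key?(key)
    out << "#{key}: expected #{expected[key]}, got #{value}" if expected[key] != value
  end
  problems << 'manifest has no SHA256 line for this file' unless expected.key?(:sha256)
  problems
end

# Stand-alone demonstration on a constructed file (no real tarball is
# downloaded): a manifest computed from the file passes, one with a
# tampered SHA256 fails.
def demo
  Tempfile.create('release-check') do |f|
    f.binmode
    f.write("constructed stand-in for a release archive\n")
    f.flush
    data = File.binread(f.path)
    good = { md5: Digest::MD5.hexdigest(data),
             sha256: Digest::SHA256.hexdigest(data),
             size: data.bytesize }
    bad = good.merge(sha256: '0' * 64)
    [verify_file(f.path, good), verify_file(f.path, bad)]
  end
end

if __FILE__ == $0
  manifest = parse_manifest(RELEASE_MANIFEST)
  manifest.each { |name, sums| puts "#{name}: #{sums.inspect}" }
  ok, tampered = demo
  puts "untampered file: #{ok.empty? ? 'OK' : ok.join('; ')}"
  puts "tampered manifest: #{tampered.join('; ')}"
end
```

To use it on a real download, call `verify_file` with the archive path and the entry `parse_manifest` returns for that file name, and treat any non-empty result as a reason not to build. Where both digests are listed, the SHA256 match is the one that counts: MD5 collisions had been demonstrated several years before this release, and a matching size proves nothing on its own.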

#2
Urabe Shyouhei wrote:
> Hi all.
>
> Some vulnerabilities were found in Ruby, one of which allows attackers to
> execute arbitrary code. These are releases to fix those problems.
>
> Detailed information should be found at:
> http://www.ruby-lang.org/en/news/200...ulnerabilities

Any chance to get more detailed information about the security vulnerabilities?

How severe is it? Which calls, libraries are involved?

Best Regards,
Joachim Glauche
--
Posted via http://www.ruby-forum.com/.

#3
On Sat, Jun 21, 2008 at 4:47 PM, Joachim Glauche <jg@connection-net.de> wrote:
> Urabe Shyouhei wrote:
>> Hi all.
>>
>> Some vulnerabilities were found in Ruby, one of which allows attackers to
>> execute arbitrary code. These are releases to fix those problems.
>>
>> Detailed information should be found at:
>> http://www.ruby-lang.org/en/news/200...ulnerabilities
>
> Any chance to get more detailed information about the security
> vulnerabilities?
>
> How severe is it? Which calls, libraries are involved?

Check the patches?

> Best Regards,
> Joachim Glauche
> --
> Posted via http://www.ruby-forum.com/.

#4
The new 1.8.6 release does not appear to work with Rails (2.0.2 in our case). See several reports of errors or segfaults here:
http://weblog.rubyonrails.com/2008/6...ulnerabilities

So a large portion of the Ruby world will remain unpatched until ruby-core turns another release... :-(
--
Posted via http://www.ruby-forum.com/.

#5
Urabe Shyouhei wrote:
> Some vulnerabilities were found in Ruby, one of which allows attackers to
> execute arbitrary code. These are releases to fix those problems.
>
> Also note this is the last official release of ruby 1.8.5. No support
> is provided for it by us any longer.
>
> Detailed information should be found at:
> http://www.ruby-lang.org/en/news/200...ulnerabilities

"Detailed"?
--
Posted via http://www.ruby-forum.com/.

#6
All versions of MRI Ruby that claim to fix the vulnerabilities are either failing with segmentation faults or change the API in ways that make it impossible to run vital libraries such as Rails 2.0.x and RSpec. These broken versions include: 1.8.5p231, 1.8.6p230, 1.8.7p22, and 1.9.0-2.

Unfortunately, the source code describing some of the proposed fixes has been publicly available now for four days for crackers to write their attacks, so we're in a race with the bad guys to deliver a solution.

Is anyone working on fixing these bugs? If not, can we rally the community to get a bounty and/or code sprint going?

Is there a way to convince the Ruby maintainers to run new code against the publicly-available test suites provided by RubySpec, Rails and RSpec before they ship a new version to avoid these problems in the future?

Is there anything else that those of us who lack the necessary C expertise to fix these problems can do to help with this effort?

Thank you.

-igal
--
Posted via http://www.ruby-forum.com/.

#7
When will the binaries for the latest 1.8.7 patchlevel be available for Windows users? Maybe I'm looking in the wrong place, but they aren't here: ftp://ftp.ruby-lang.org/pub/ruby/binaries/mswin32. If that is the right place, then is there some reason for the delay in publishing them?
--
Posted via http://www.ruby-forum.com/.

#8
* Igal Koshevoy (igal@pragmaticraft.com) wrote:
> All versions of MRI Ruby that claim to fix the vulnerabilities are
> either failing with segmentation faults or change the API in ways that
> make it impossible to run vital libraries such as Rails 2.0.x and
> RSpec. These broken versions include: 1.8.5p231, 1.8.6p230, 1.8.7p22,
> and 1.9.0-2.

FreeBSD backported the relevant patches to 1.8.6 p111, perhaps use those? I've certainly not had any problems with my Rails apps with it.

--
Thomas 'Freaky' Hurst
http://hur.st/

#9
Thomas Hurst wrote:
> FreeBSD backported the relevant patches to 1.8.6 p111, perhaps use
> those? I've certainly not had any problems with my Rails apps with it.

Thanks for the information, Thomas. Could you or someone else with FreeBSD, as a favor, run the Rails and RSpec test suites with this new version to determine how well these modified versions work? If we can create a patch against the official 1.8.6p111 source code, we can distribute that as a temporary solution until there's an official fix. That'd be great.

However, does anyone know how the FreeBSD maintainers figured out what to backport and what not to?

Can you or someone more familiar with FreeBSD explain how to get the diff for their patches so someone can start building a backport patch based on theirs? I found the FreeBSD page that refers to these at http://www.freshports.org/lang/ruby18/ but can't get it to give me code. For example, if I scroll down, locate the first change set, click the misleading MS Notepad icon, scroll down, click on any of the listed files, scroll down, tell it to do diff, it just returns a zero-length file.

Thoughts?

-igal
--
Posted via http://www.ruby-forum.com/.

#10
In article <b4734d2c636e7e0cabf04a53be206ebc@ruby-forum.com>,
Igal Koshevoy <igal@pragmaticraft.com> wrote:
> Can you or someone more familiar with FreeBSD explain how to get the
> diff for their patches so someone can start building a backport patch
> based on theirs? I found the FreeBSD page that refers to these at
> http://www.freshports.org/lang/ruby18/ but can't get it to give me code.

Try this instead:
http://www.freebsd.org/cgi/cvsweb.cg.../ruby18/files/

--
Ollivier ROBERT -=- EEC/RIF/SEU -=- Systems Engineering Unit

#11
Ollivier Robert wrote:
> Try this instead:
> http://www.freebsd.org/cgi/cvsweb.cg.../ruby18/files/

Thanks for the assistance. That FreeBSD web site's UI sucks. Their "Get diffs" button is broken and always returns nothing. To get a diff on a file, one must click the "text" next to the revision number.

FreeBSD's backported patch seems insufficient and vulnerable. I come to this conclusion because they only modified two files (sprintf.c and string.c) -- but the Ruby changelog for this fix mentions other files (e.g., array.c), and Zed Shaw identifies about a dozen files potentially involved in the fix at http://www.zedshaw.com/rants/the_big...abilities.html

So we still need to come up with either a backport for one of the working versions of Ruby, or a fix to one of the currently released but broken versions.

I've sent email to Stas, the FreeBSD maintainer of Ruby, to warn them of the potential security hole in their release and in hopes that they may join this discussion.

-igal
--
Posted via http://www.ruby-forum.com/.

#12
http://www.ruby-doc.org/

On Mon, Jun 23, 2008 at 3:30 PM, Fred Chingota <fredchingota@yahoo.com> wrote:
> Guys
>
> I need some tutorial on Ruby. It seems to be a very
> interesting package. Advise what do I do so that I
> become an expert? I am already good at MS Access,
> FrontPage, DreamWeaver and a bit of DotNetNuke.

#13
Hi Fred,

You can refer to these:
http://www.digitalmediaminute.com/ar...ails-tutorials
http://www.maxkiesler.com/index.php/...and_downloads/
http://soylentfoo.jnewland.com/artic...-ruby-on-rails

On Mon, Jun 23, 2008 at 4:59 PM, Fred Chingota <fredchingota@yahoo.com> wrote:
> Guys
>
> I need some tutorial on Ruby. It seems to be a very
> interesting package. Advise what do I do so that I
> become an expert? I am already good at MS Access,
> FrontPage, DreamWeaver and a bit of DotNetNuke.

--
Thanks and Regards
Saurabh Purnaye
+91-9922907342
skype: sorab_pune
yahoo & gtalk: saurabh.purnaye
msn: psaurabh@live.com

#14
Hi guys. Igal invited me to join this discussion.

We at Phusion have just released Ruby Enterprise Edition (pardon the name ;-) 1.8.6-20080623, which is based on Ruby 1.8.6-p111, and includes the relevant security patches backported. Details here:
http://tinyurl.com/5bmgtp

The relevant patch is available at:
http://tinyurl.com/5b493c

It's based on the FreeBSD patch set. Thanks FreeBSD.
--
Posted via http://www.ruby-forum.com/.

#15
Stanislav Sedov wrote:
> All the relevant changes were in array.c and string.c sources, I've
> backported both.

According to http://www.freebsd.org/cgi/cvsweb.cg.../ruby18/files/ you only patched sprintf.c and string.c but not array.c, which was specifically mentioned in the changelog as having a vulnerability. Furthermore, Zed Shaw mentioned many other files that seemed affected by security fixes at http://www.zedshaw.com/rants/the_big...abilities.html

> Can you prove that the port is still vulnerable?

No, I only know C well enough to tell that your patch didn't seem to match up with what was described elsewhere.

> It's better to look at the text fields before pressing
> the button and claiming it doesn't work - isn't it?

I did. The text fields read "1.1" and "1.2". These fields are wrong: the first should be something like "1.0" or "initial", and the second should be "1.1". Setting the first field to "1.0" fails because this is a forbidden field in your version control system, and version "1.2" doesn't exist. I see no way to get a diff by clicking the "Get diffs" button, therefore it doesn't work. Either don't show the button for newly imported files, or provide sensible behavior, like displaying the initial version so that the user doesn't get confused.

-igal
--
Posted via http://www.ruby-forum.com/.

#16
Hongli Lai wrote:
> The relevant patch is available at: http://tinyurl.com/5b493c

Thanks for the quick response and for publishing the patch. However, are you sure you got all the files? Your patch is the most comprehensive I've seen, but isn't it missing the fixes to things like eval.c, file.c and bignum.c?

> It's based on the FreeBSD patch set.

As far as I can tell, you and Stas at FreeBSD were patching different files. E.g., you patched io.c, while he didn't seem to. However, I feel like I don't understand how to use the FreeBSD website because I can only find his patches to string.c and sprintf.c, but none of the others, so if someone can explain how to find the rest, that'd be great.

-igal

PS: And many thanks for the awesome work on Phusion Passenger and Ruby EE.
--
Posted via http://www.ruby-forum.com/.

#17
Igal Koshevoy wrote:
> Thanks for the quick response and for publishing the patch. However, are
> you sure you got all the files? Your patch is the most comprehensive
> I've seen, but isn't it missing the fixes to things like eval.c, file.c
> and bignum.c?

Now that you mention it, Keita Yamaguchi sent me an eval.c security patch a while back. Upon closer inspection it seems that this patch is not included in the FreeBSD patch set, and neither is bignum.c. I've made an updated patch set:
http://blog.phusion.nl/assets/r8ee-s...20080623-2.txt

Was file.c vulnerable? I see a number of Windows fixes for file.c, but it's not immediately clear whether the changes also include security fixes.

> As far as I can tell, you and Stas at FreeBSD were patching different
> files. E.g., you patched io.c, while he didn't seem to. However, I feel
> like I don't understand how to use the FreeBSD website because I can
> only find his patches to string.c and sprintf.c, but none of the
> others, so if someone can explain how to find the rest, that'd be great.

I grabbed the patches from the FreeBSD ports tree. Here's a tarball with all the patches in FreeBSD's ruby18 port:
http://blog.phusion.nl/assets/freebs...patches.tar.gz

I excluded some irrelevant (i.e. FreeBSD-specific) patches from my patch set.

> PS: And many thanks for the awesome work on Phusion Passenger and Ruby
> EE.

Thanks.
--
Posted via http://www.ruby-forum.com/.

#18
Stanislav Sedov wrote:
> ...

Thanks for the updates. I also figured out what I was missing with the patch listing at the FreeBSD site. When I was hitting page down to get to the files, I ended up only looking at the last four files and jumped to the incorrect conclusion that the listing was sorted in chronological order, and thus thought that you only patched two files based on the dates listed. However, the listing is actually alpha sorted and I can now see that you patched other files. Sorry for the silly mistake, it's been a long night.

-igal
--
Posted via http://www.ruby-forum.com/.

#19
So is my patch set now complete, or is there still something missing? I took a look at eval.c but the changes don't look like security fixes to me, at first glance.
--
Posted via http://www.ruby-forum.com/.

#20
Hongli Lai wrote:
> Now that you mention it, Keita Yamaguchi sent me an eval.c security
> patch a while back. Upon closer inspection it seems that this patch is
> not included in the FreeBSD patch set, and neither is bignum.c.

The analysis Zed Shaw described in his blog was based on reviewing all the changes made this month. Although this is more time consuming, it also seems like the most methodical way of making sure we catch all the relevant changes.

> I've made an updated patch set:
> http://blog.phusion.nl/assets/r8ee-s...20080623-2.txt

Excellent, thank you.

> Was file.c vulnerable? I see a number of Windows fixes for file.c, but
> it's not immediately clear whether the changes also include security
> fixes.

If I recall correctly, a blog post (which I can't find at the moment) suggested that some of this addressed general buffer overflow issues and Windows-specific traversal attacks. So these may be worth considering.

-igal
--
Posted via http://www.ruby-forum.com/.

#21
* Igal Koshevoy (igal@pragmaticraft.com) wrote:
> Thomas Hurst wrote:
> > FreeBSD backported the relevant patches to 1.8.6 p111, perhaps use
> > those? I've certainly not had any problems with my Rails apps with it.
>
> Thanks for the information, Thomas. Could you or someone else with
> FreeBSD, as a favor, run the Rails and RSpec test suites with this new
> version to determine how well these modified versions work?

rspec runs fine, though I needed to modify a regexp to work with my Oniguruma patched install (an option of the FreeBSD port).

The Rails test suite mostly works; a few failures wrt timezone support, and a couple of odd ActiveRecord ones with sanitizing LIMIT (add_limit_offset_should_sanitize_sql_injection_for_limit...), but these could also be Oniguruma related.

> However, does anyone know how the FreeBSD maintainers figured out what
> to backport and what not to?

Well, you just follow the SVN history and cherry-pick the relevant commits?

--
Thomas 'Freaky' Hurst
http://hur.st/

#22
Thomas Hurst wrote:
> rspec runs fine, though I needed to modify a regexp to work with my
> Oniguruma patched install (an option of the FreeBSD port).
>
> The Rails test suite mostly works; a few failures wrt timezone support,
> and a couple of odd ActiveRecord ones with sanitizing LIMIT
> (add_limit_offset_should_sanitize_sql_injection_for_limit...), but
> these could also be Oniguruma related.

Thanks for the update.

>> However, does anyone know how the FreeBSD maintainers figured out what
>> to backport and what not to?
> Well, you just follow the SVN history and cherry-pick the relevant
> commits?

The intent of my question was to get information so we could evaluate their selection process, and thus determine whether that process would effectively include the applicable changes.

We're currently depending on the assumption that one person cherry-picked all the right commits, and we've already identified at least one potential error from that process. I'm sure that Stanislav Sedov did a fine job, but I'd like to see someone else do a second, independent pass through the history to double-check. I wouldn't trust myself to do something this important on my own in a single pass, so this is in no way a criticism.

Would anyone like to volunteer?

-igal
--
Posted via http://www.ruby-forum.com/.
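An added example, not code from the FreeBSD port, Phusion or anyone in this thread: a Ruby script that extracts the files a unified-diff patch set touches and compares them with the files the thread has named as security relevant, which is the kind of check a second, independent pass would start from. The expected list is the thread's own (array.c, string.c, sprintf.c, bignum.c, eval.c, io.c) and is an assumption made for the example rather than an authoritative list; the patch it scans is a constructed stand-in with the same `---`/`+++` header layout as the FreeBSD ports patch files.

```ruby
# Files named in this thread as candidates (the ChangeLog, Zed Shaw's
# post, Hongli's updated set). This is the thread's list, assumed for
# the example; eval.c and io.c were still disputed when this was written.
EXPECTED_FILES = %w[array.c string.c sprintf.c bignum.c eval.c io.c].freeze

# Constructed sample patch: headers in the FreeBSD ports style
# ("--- file.orig<TAB>date" / "+++ file<TAB>date") and in git style
# ("--- a/file" / "+++ b/file"). Hunk bodies are placeholders, not the
# real backport.
SAMPLE_PATCH = <<PATCH
--- array.c.orig\t2008-06-20 10:00:00.000000000 +0000
+++ array.c\t2008-06-23 10:00:00.000000000 +0000
@@ -1 +1,2 @@
 /* constructed stand-in, not the real array.c */
+/* constructed hunk */
--- string.c.orig\t2008-06-20 10:00:00.000000000 +0000
+++ string.c\t2008-06-23 10:00:00.000000000 +0000
@@ -1 +1 @@
-/* old */
+/* new */
--- a/sprintf.c
+++ b/sprintf.c
@@ -1 +1 @@
-/* old */
+/* new */
PATCH

# Files touched by a patch, taken from "+++" headers that directly follow
# a "---" header, so an added line inside a hunk that happens to start
# with "++ " is not mistaken for a file header. Directory prefixes such as
# git's "b/" and ports' trailing timestamps are dropped so the names
# compare with the bare file names used in the ChangeLog.
def files_touched(patch_text)
  files = []
  prev = ''
  patch_text.each_line do |line|
    if line.start_with?('+++ ') && prev.start_with?('--- ')
      path = line[4..-1].split("\t").first.strip
      files << File.basename(path) unless path == '/dev/null'
    end
    prev = line
  end
  files.uniq
end

# Compare the touched files with the expected list. :missing is what a
# reviewer should go and look for in the upstream history; :extra is what
# the backport changes beyond the expected set and deserves a look too.
def coverage(patch_text, expected_files)
  touched = files_touched(patch_text)
  { touched: touched,
    missing: expected_files - touched,
    extra:   touched - expected_files }
end

if __FILE__ == $0
  # With no arguments the constructed sample is used; otherwise every
  # argument is read as a patch file and the lists are concatenated.
  patch = ARGV.empty? ? SAMPLE_PATCH : ARGV.map { |p| File.read(p) }.join
  report = coverage(patch, EXPECTED_FILES)
  puts "touched: #{report[:touched].join(', ')}"
  puts "missing: #{report[:missing].join(', ')}"
  puts "extra:   #{report[:extra].join(', ')}"
end
```

Run it over the real patch files (for instance every `patch-*` file from the port's `files/` directory) and any name under `missing` is a file to go and look for in the upstream ruby_1_8 history. A file that is absent from the list is not automatically missing a fix, and one that is present is not automatically fixed; this narrows the second pass to the right files, it does not replace reading the hunks against the upstream commits.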

#23
It's great watching this come together. Thanks to Stanislav and Hongli's code, and assistance from the rest of you, I think we're getting close to having a reasonable unofficial patch ready.

I've contacted the following groups and asked them to join the discussion, and you've already seen some of them join in:
- Ruby Core
- Ruby on Rails blog
- Ruby on Rails core
- RubyInside blog
- Phusion blog
- FreeBSD Ruby maintainer
- Debian Ruby maintainers
- Fedora maintainers
- Portland Ruby Brigade :p

Are there any other persons or groups that can lend a hand that should be contacted? If you can think of anyone, please ask them to join the ruby-talk mailing list or use the online thread at http://www.ruby-forum.com/topic/157034

Thanks!

-igal
--
Posted via http://www.ruby-forum.com/.

#24
Does anybody have access to the CVE details? Selecting patches based on the CVEs should be easier than guessing based on patches.
--
Posted via http://www.ruby-forum.com/.

#25
Igal Koshevoy wrote:
> All versions of MRI Ruby that claim to fix the vulnerabilities are
> either failing with segmentation faults or change the API in ways that
> make it impossible to run vital libraries such as Rails 2.0.x and RSpec.

It looks like a fix for the segmentation faults was committed on 21 June (revision 17530 in the ruby_1_8 branch):
http://svn.ruby-lang.org/cgi-bin/vie...revision=17530

Note that this change is only in the ruby_1_8 branch. It hasn't been applied to the separate branches for 1.8.5, 1.8.6 and 1.8.7.

I've applied the change to 1.8.6-p230 and I'm no longer getting the segmentation faults in my Rails app. I haven't tested the change with 1.8.5 or 1.8.7.

The patch I applied to 1.8.6-p230 is available at:
http://files.philross.co.uk/ruby/rub...p230-fix.patch

This just consists of revision 17530 with the change to ChangeLog adjusted to apply cleanly.

--
Phil Ross
http://tzinfo.rubyforge.org/ -- DST-aware timezone library for Ruby