comp.lang.ruby

[Security] Ruby 1.8.6-pl369 released

Kirk Haines

6/10/2009 5:15:00 AM

We have released Ruby 1.8.6-pl369. This is primarily a security release.

A flaw was found with BigDecimal that could be exploited to cause the
interpreter to segfault because it mishandled certain large input
values. As ActiveRecord uses BigDecimal, this issue could potentially
affect many Rails installations, though this is not a Rails specific
issue. The result is that an attacker could potentially deliver a
denial of service attack to many applications. This vulnerability has
been assigned the CVE name CVE-2009-1904.

This issue affects all Ruby 1.8.6 versions prior to pl369. New
versions can be found at ruby-lang.org:

* ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p...

Thank you,

Kirk Haines
Engine Yard
khaines@engineyard.com
irc: wyhaines

3 Answers

Charles O Nutter

6/10/2009 4:16:00 PM

On Wed, Jun 10, 2009 at 12:14 AM, Kirk Haines<wyhaines@gmail.com> wrote:
> We have released Ruby 1.8.6-pl369. This is primarily a security release.
>
> A flaw was found with BigDecimal that could be exploited to cause the
> interpreter to segfault because it mishandled certain large input
> values. As ActiveRecord uses BigDecimal, this issue could potentially
> affect many Rails installations, though this is not a Rails specific
> issue. The result is that an attacker could potentially deliver a
> denial of service attack to many applications. This vulnerability has
> been assigned the CVE name CVE-2009-1904.

Hmm...so here's my exploration in JRuby:

With a really large BigDecimal:

* to_f runs forever
* to_i runs forever

The latter appears to affect 1.9.1 as well...

➔ ruby19 -rbigdecimal -e "p BigDecimal.new('5E6999999').to_i"
<runs forever>

I have not tested the patched 1.8.6/1.8.7 versions to see if to_i has
this issue.

I'll have fixes for both JRuby issues on master and jruby-1_3 branches shortly.

- Charlie

Urabe Shyouhei

6/10/2009 4:24:00 PM

Charles Oliver Nutter wrote:
> On Wed, Jun 10, 2009 at 12:14 AM, Kirk Haines<wyhaines@gmail.com> wrote:
>> We have released Ruby 1.8.6-pl369. This is primarily a security release.
>>
>> A flaw was found with BigDecimal that could be exploited to cause the
>> interpreter to segfault because it mishandled certain large input
>> values. As ActiveRecord uses BigDecimal, this issue could potentially
>> affect many Rails installations, though this is not a Rails specific
>> issue. The result is that an attacker could potentially deliver a
>> denial of service attack to many applications. This vulnerability has
>> been assigned the CVE name CVE-2009-1904.
>
> Hmm...so here's my exploration in JRuby:
>
> With a really large BigDecimal:
>
> * to_f runs forever
> * to_i runs forever
>
> The latter appears to affect 1.9.1 as well...
>
> ➔ ruby19 -rbigdecimal -e "p BigDecimal.new('5E6999999').to_i"
> <runs forever>
>
> I have not tested the patched 1.8.6/1.8.7 versions to see if to_i has
> this issue.
>
> I'll have fixes for both JRuby issues on master and jruby-1_3 branches shortly.

Well to_f can shortcut such cases to generate Inf, but to_i should generate
large Bignums, so there may be difficulties to solve to_i slowness for those cases.

Charles O Nutter

6/10/2009 4:28:00 PM

On Wed, Jun 10, 2009 at 11:24 AM, Urabe Shyouhei<shyouhei@ruby-lang.org> wrote:
> Charles Oliver Nutter wrote:
>> ➔ ruby19 -rbigdecimal -e "p BigDecimal.new('5E6999999').to_i"
>> <runs forever>
>>
>> I have not tested the patched 1.8.6/1.8.7 versions to see if to_i has
>> this issue.
>>
>> I'll have fixes for both JRuby issues on master and jruby-1_3 branches shortly.
>
> Well to_f can shortcut such cases to generate Inf, but to_i should generate
> large Bignums, so there may be difficulties to solve to_i slowness for those cases.

1.9.1 appears to produce Float::MAX or Float::MIN for exponents
outside float range, not Inf. It seems like the possibility of it
running forever trying to produce an impossibly large Bignum should be
addressed in some similar way.

- Charlie
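An application-side guard for the kind of input discussed in this thread (a decimal literal such as '5E6999999' whose exponent makes to_i or to_f do unbounded work), added here as an example; it is not code from the thread or from Ruby's BigDecimal itself. The helper name, the bounds and the return shape are assumptions; the point is to reject the literal by inspecting its text before it ever becomes a BigDecimal.

```ruby
require 'bigdecimal'

# Plain decimal literal: integer digits, optional fraction, optional exponent.
# Anything else (hex, underscores, "Infinity", "NaN") is rejected up front.
DECIMAL_LITERAL = /\A\s*[+-]?(\d+)(?:\.(\d+))?(?:[eE]([+-]?\d+))?\s*\z/

# Hypothetical helper (assumption, not a BigDecimal API).
# Returns [:ok, Integer] when the literal is within bounds, otherwise
# [:rejected, reason]. Bounds are illustrative; size them for your app.
def guarded_decimal_to_i(text, max_exponent: 1_000, max_digits: 1_000)
  m = DECIMAL_LITERAL.match(text.to_s)
  return [:rejected, 'not a plain decimal literal'] unless m

  int_part, frac_part, exp_part = m.captures

  # Bound the mantissa length: this is the "large input value" case.
  digits = int_part.length + frac_part.to_s.length
  return [:rejected, "too many digits (#{digits})"] if digits > max_digits

  # Bound the exponent from its text, before any 10**e is computed.
  # A huge negative exponent is just as costly for to_i as a positive one.
  exponent = exp_part ? Integer(exp_part, 10) : 0
  if exponent.abs > max_exponent
    return [:rejected, "exponent #{exponent} outside +/-#{max_exponent}"]
  end

  # Only now is the value handed to BigDecimal; within the bound, to_i
  # still yields an exact Bignum rather than a float approximation.
  value = BigDecimal(m[0].strip)
  [:ok, value.to_i]
rescue ArgumentError, FloatDomainError => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: two ordinary values and the thread's literal.
  ['123.45', '1.5e3', '5E6999999'].each do |s|
    p [s, guarded_decimal_to_i(s)]
  end
end
```

The same text check can sit in front of to_f; the exponent bound is what keeps the conversion cost proportional to the bound rather than to the attacker's input.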