Hi all.
Some vulnerabilities were found in Ruby, one of which allows attackers to
execute arbitrary code. These are releases to fix those problems.
Also note this is the last official release of ruby 1.8.5. No support
is provided for it by us any longer.
Detailed information should be found at:
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities
Released tarballs are available at:
ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-2.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-2.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-2.zip
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p22.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p22.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p22.zip
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p230.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p230.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p230.zip
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p231.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p231.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p231.zip
And checksums:
MD5(ruby-1.8.7-p22.tar.gz)= fc3ede83a98f48d8cb6de2145f680ef2
SHA256(ruby-1.8.7-p22.tar.gz)= d2e4e6a9f170066846304797d39e8f388edb06206b40c9ef5ec2d657ff22c072
SIZE(ruby-1.8.7-p22.tar.gz)= 4799242
MD5(ruby-1.8.7-p22.tar.bz2)= 2d57acee0d80531e14ec0f6826a1f9fb
SHA256(ruby-1.8.7-p22.tar.bz2)= 477968408e27d067ef56f552d7fc2a9e6f5cae2d1a72f17cd838ebf5e0d30149
SIZE(ruby-1.8.7-p22.tar.bz2)= 4121532
MD5(ruby-1.8.7-p22.zip)= 978ac396582a071f8df84913f40612f1
SHA256(ruby-1.8.7-p22.zip)= eb4de293a3e8ec0d4e277a839a5018b8bcebfde06d151cea1fd5cd1ad3631c2f
SIZE(ruby-1.8.7-p22.zip)= 5849764
MD5(ruby-1.8.6-p230.tar.gz)= 5e8247e39be2dc3c1a755579c340857f
SHA256(ruby-1.8.6-p230.tar.gz)= 7f22b603aadc247a513ac72e479609435d7d9b6542a250db2a28a70b77cda7c9
SIZE(ruby-1.8.6-p230.tar.gz)= 4583204
MD5(ruby-1.8.6-p230.tar.bz2)= 3eceb42d4fc56398676c20a49ac7e044
SHA256(ruby-1.8.6-p230.tar.bz2)= 603708301fc3fd7ef1c47bb4a24d7799c26e28db08d69cda240adcbdbff514d7
SIZE(ruby-1.8.6-p230.tar.bz2)= 3948498
MD5(ruby-1.8.6-p230.zip)= 7a392262e2777d352bd4af197916146e
SHA256(ruby-1.8.6-p230.zip)= 311d9a7e97fd8419a8056a4971e957d99dd6a986496119b40731035472e8e8dd
SIZE(ruby-1.8.6-p230.zip)= 5599077
MD5(ruby-1.8.5-p231.tar.gz)= e900cf225d55414bffe878f00a85807c
SHA256(ruby-1.8.5-p231.tar.gz)= 9091ee606c89ebd94b3ced9a6c1bba8e56a8e5807091c14e81798690cb7e76ca
SIZE(ruby-1.8.5-p231.tar.gz)= 4519838
MD5(ruby-1.8.5-p231.tar.bz2)= 327f5aa6573787432222e96195cffd1e
SHA256(ruby-1.8.5-p231.tar.bz2)= b31a8db0a3b538c28bca1c9b08a07eb55a39547fdaad00c045f073851019639c
SIZE(ruby-1.8.5-p231.tar.bz2)= 3890561
MD5(ruby-1.8.5-p231.zip)= 14236e90cd419faa3c51e972485f44f6
SHA256(ruby-1.8.5-p231.zip)= 28e1b6d86720f3932a24fbebbec7fbcb474c494604a909a440689cdf9484e017
SIZE(ruby-1.8.5-p231.zip)= 5527843
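The announcement publishes an MD5, a SHA256 and a byte size for every tarball. As an added example (not code from the announcement or from ruby-lang.org), here is a small Python verifier for that listing format: it parses the `KIND(file)= value` lines, compares a downloaded archive against all three values, and reports which check failed, so a truncated or tampered download is caught before it is built. The listing and archive bytes in `demo()` are constructed for this example and the filename `example-1.0.tar.gz` is hypothetical. SHA256 is the value to rely on; the MD5 is checked only because the listing publishes it.

```python
"""Verify downloaded release archives against a published checksum listing.

Added example, not code from the release announcement or from ruby-lang.org.
It handles the listing format used in the announcement:
    MD5(file)= <hex>
    SHA256(file)= <hex>
    SIZE(file)= <bytes>
The sample listing and archive bytes below are constructed for this example.
"""
import hashlib
import os
import re

# One listing line: KIND(filename)= value
LINE_RE = re.compile(r"^(?P<kind>MD5|SHA256|SIZE)\((?P<name>[^()]+)\)=\s*(?P<value>\S+)$")


def parse_checksum_listing(text):
    """Turn listing lines into {filename: {"MD5": hex, "SHA256": hex, "SIZE": int}}.

    Unrecognised non-blank lines raise ValueError instead of being skipped, so a
    truncated or mangled listing cannot silently verify nothing.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised checksum line: %r" % line)
        kind, name, value = m.group("kind"), m.group("name"), m.group("value")
        entry = expected.setdefault(name, {})
        entry[kind] = int(value) if kind == "SIZE" else value.lower()
    return expected


def verify_bytes(name, data, expected):
    """Check one archive's bytes against its listing entry.

    Returns a list of problems; an empty list means every published value
    matched.  Size is compared first because a truncated download is the
    cheapest failure to spot.  MD5 is checked only because the listing carries
    it; SHA256 is the value to rely on, since MD5 collisions are practical.
    """
    entry = expected.get(name)
    if entry is None:
        return ["%s: not present in the checksum listing" % name]
    problems = []
    if "SIZE" in entry and len(data) != entry["SIZE"]:
        problems.append("%s: size %d, expected %d" % (name, len(data), entry["SIZE"]))
    for kind, algo in (("SHA256", "sha256"), ("MD5", "md5")):
        if kind in entry:
            digest = hashlib.new(algo, data).hexdigest()
            if digest != entry[kind]:
                problems.append("%s: %s mismatch (got %s, expected %s)"
                                % (name, kind, digest, entry[kind]))
    if "SHA256" not in entry:
        problems.append("%s: listing has no SHA256; MD5 and size alone are weak evidence" % name)
    return problems


def verify_file(path, expected):
    """Read a downloaded archive and verify it under its base filename."""
    with open(path, "rb") as fh:
        data = fh.read()
    return verify_bytes(os.path.basename(path), data, expected)


def verify_directory(listing_text, directory):
    """Verify every archive named in the listing; returns {filename: problems}.

    Archives in the listing but absent from the directory are reported as not
    downloaded, so the caller can see what was never checked.
    """
    expected = parse_checksum_listing(listing_text)
    report = {}
    for name in sorted(expected):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            report[name] = verify_file(path, expected)
        else:
            report[name] = ["%s: not downloaded" % name]
    return report


# Constructed sample: a six-byte stand-in "archive" and a listing written for it
# (hypothetical filename; the hashes are those of the bytes b"hello\n").
SAMPLE_DATA = b"hello\n"
SAMPLE_LISTING = """
MD5(example-1.0.tar.gz)= b1946ac92492d2347c6235b4d2611184
SHA256(example-1.0.tar.gz)= 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SIZE(example-1.0.tar.gz)= 6
"""


def demo():
    """Verify the intact sample and a same-length tampered copy."""
    expected = parse_checksum_listing(SAMPLE_LISTING)
    intact = verify_bytes("example-1.0.tar.gz", SAMPLE_DATA, expected)
    tampered = verify_bytes("example-1.0.tar.gz", b"hellO\n", expected)
    return intact, tampered


if __name__ == "__main__":
    intact, tampered = demo()
    print("intact archive:", "OK" if not intact else intact)
    print("tampered archive:", tampered)
```

To use it against the real release, save the checksum block from the mail to a file and call `verify_directory(open(path).read(), download_dir)`; any non-empty problem list means the archive must not be unpacked or built.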
Urabe Shyouhei wrote:
> Hi all.
> Some vulnerabilities were found in Ruby, one of which allows attackers to
> execute arbitrary code. These are releases to fix those problems.
> Detailed information should be found at:
> http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities
Any chance to get more detailed information about the security
vulnerabilities?
How severe is it? Which calls, libraries are involved?
Best Regards,
Joachim Glauche
--
Posted via http://www.ruby-forum.com/.
All versions of MRI Ruby that claim to fix the vulnerabilities are
either failing with segmentation faults or change the API in ways that
make it impossible to run vital libraries such as Rails 2.0.x and RSpec.
These broken versions include: 1.8.5p231, 1.8.6p230, 1.8.7p22, and
1.9.0-2. Unfortunately, the source code describing some of the proposed
fixes has been publicly available now for four days for crackers to
write their attacks, so we're in a race with the bad guys to deliver a
solution.
Is anyone working on fixing these bugs? If not, can we rally the
community to get a bounty and/or code sprint going?
Is there a way to convince the Ruby maintainers to run new code against
the publicly-available test suites provided by RubySpec, Rails and Rspec
before they ship a new version to avoid these problems in the future?
Is there anything else that those of us who lack the necessary C
expertise to fix these problems can do to help with this effort?
Thank you.
-igal
--
Posted via http://www.ruby-forum.com/.
When will the binaries for the latest 1.8.7 patchlevel be available for
Windows users?
Maybe I'm looking in the wrong place, but they aren't here:
ftp://ftp.ruby-lang.org/pub/ruby/binaries/mswin32.
If that is the right place, then is there some reason for the delay in
publishing them?
--
Posted via http://www.ruby-forum.com/.
Hi guys. Igal invited me to join this discussion.
We at Phusion have just released Ruby Enterprise Edition (pardon the
name) 1.8.6-20080623, which is based on Ruby 1.8.6-p111, and includes
the relevant security patches backported. Details here:
The relevant patch is available at: http://tinyurl.com/5b493c
It's based on the FreeBSD patch set. Thanks FreeBSD. 
--
Posted via http://www.ruby-forum.com/.
FreeBSD backported the relevant patches to 1.8.6 p111, perhaps use
those? I've certainly not had any problems with my Rails apps with it.
* Igal Koshevoy (igal@pragmaticraft.com) wrote:
> All versions of MRI Ruby that claim to fix the vulnerabilities are
> either failing with segmentation faults or change the API in ways that
> make it impossible to run vital libraries such as Rails 2.0.x and
> RSpec. These broken versions include: 1.8.5p231, 1.8.6p230, 1.8.7p22,
> and 1.9.0-2.
--
Thomas 'Freaky' Hurst
http://hur.st/
Hongli Lai wrote:
> The relevant patch is available at: http://tinyurl.com/5b493c
Thanks for the quick response and for publishing the patch. However, are
you sure you got all the files? Your patch is the most comprehensive
I've seen, but isn't it missing the fixes to things like eval.c, file.c
and bignum.c?
> It's based on the FreeBSD patch set.
As far as I can tell, you and Stas at FreeBSD were patching different
files. E.g., you patched io.c, while he didn't seem to. However, I feel
like I don't understand how to use the FreeBSD website because I can
only find his patches to string.c and sprintf.c, but none of the
others, so if someone can explain how to find the rest, that'd be great.
-igal
PS: And many thanks for the awesome work on Phusion Passenger and Ruby
EE.
--
Posted via http://www.ruby-forum.com/.
Igal Koshevoy wrote:
> All versions of MRI Ruby that claim to fix the vulnerabilities are either
> failing with segmentation faults or change the API in ways that make it
> impossible to run vital libraries such as Rails 2.0.x and RSpec.
It looks like a fix for the segmentation faults was committed on 21 June (revision 17530 in the ruby_1_8 branch):
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17530
Note that this change is only in the ruby_1_8 branch. It hasn't been applied to the separate branches for 1.8.5, 1.8.6 and 1.8.7.
I've applied the change to 1.8.6-p230 and I'm no longer getting the segmentation faults in my Rails app. I haven't tested the change with 1.8.5 or 1.8.7.
The patch I applied to 1.8.6-p230 is available at:
http://files.philross.co.uk/ruby/ruby-1.8.6-p230-fix.patch
This just consists of revision 17530 with the change to ChangeLog adjusted to apply cleanly.
--
Phil Ross
http://tzinfo.rubyforge.org/ -- DST-aware timezone library for Ruby
Igal Koshevoy wrote:
> All versions of MRI Ruby that claim to fix the vulnerabilities are
> either failing with segmentation faults or change the API in ways that
> make it impossible to run vital libraries such as Rails 2.0.x and RSpec.
> These broken versions include: 1.8.5p231, 1.8.6p230, 1.8.7p22, and
> 1.9.0-2.
FWIW, I managed to get 1.8.6p230 all the way through a Rails 2.0
app test suite without segfaults or glibc "corrupted memory"
complaints with the patch here:
http://dev.smartleaf.com/misc/p230_fixit_patch.txt
This reverts changeset 17222 from the ruby_1_8_6 branch of the
main svn repository, which doesn't *look* security-related, at
least at first blush (though it may be a failed backport from
another line of development).
As always, your mileage may vary --- but I'm hoping this helps
someone with more detailed knowledge of MRI innards figure out
what's going on.
Robert Thau
rst AT {ai,alum}.mit.edu
--
Posted via http://www.ruby-forum.com/.
The new 1.8.6 release does not appear to work with Rails (2.0.2 in our
case). See several reports of errors or segfaults here:
So a large portion of the Ruby world will remain unpatched until
ruby-core turns another release... 
--
Posted via http://www.ruby-forum.com/.
Thomas Hurst wrote:
> FreeBSD backported the relevant patches to 1.8.6 p111, perhaps use
> those? I've certainly not had any problems with my Rails apps with it.
Thanks for the information, Thomas. Could you or someone else with
FreeBSD, as a favor, run the Rails and RSpec test suites with this new
version to determine how well these modified versions work?
If we can create a patch against the official 1.8.6p111 source code, we
can distribute that as a temporary solution until there's an official
fix. That'd be great.
However, does anyone know how the FreeBSD maintainers figured out what
to backport and what not to?
Can you or someone more familiar with FreeBSD explain how to get the
diff for their patches so someone can start building a backport patch
based on theirs? I found the FreeBSD page that refers to these at
FreshPorts -- lang/ruby18: An object-oriented interpreted scripting language but can't get it to give me code.
For example, if I scroll down, locate the first change set, click the
misleading MS Notepad icon, scroll down, click on any of the listed
files, scroll down, tell it to do diff, it just returns a zero-length
file. Thoughts?
-igal
--
Posted via http://www.ruby-forum.com/.
Igal Koshevoy wrote:
> Thanks for the quick response and for publishing the patch. However, are
> you sure you got all the files? Your patch is the most comprehensive
> I've seen, but isn't it missing the fixes to things like eval.c, file.c
> and bignum.c?
Now that you mention it, Keita Yamaguchi sent me an eval.c security
patch a while back. Upon closer inspection it seems that this patch is
not included in the FreeBSD patch set, and neither is bignum.c.
I've made an updated patch set:
http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt
Was file.c vulnerable? I see a number of Windows fixes for file.c, but
it's not immediately clear whether the changes also include security
fixes.
> As far as I can tell, you and Stas at FreeBSD were patching different
> files. E.g., you patched io.c, while he didn't seem to. However, I feel
> like I don't understand how to use the FreeBSD website because I can
> only find his patches to string.c and sprintf.c, but none of the
> others, so if someone can explain how to find the rest, that'd be great.
I grabbed the patches from the FreeBSD ports tree. Here's a tarball with
all the patches in FreeBSD's ruby18 port:
http://blog.phusion.nl/assets/freebsd-ruby18-patches.tar.gz
I excluded some irrelevant (i.e. FreeBSD-specific) patches from my patch
set.
> PS: And many thanks for the awesome work on Phusion Passenger and Ruby
> EE.
Thanks. 
--
Posted via http://www.ruby-forum.com/.
Phil Ross wrote:
> It looks like a fix for the segmentation faults was committed on 21 June
> (revision 17530 in the ruby_1_8 branch):
> http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17530
> Note that this change is only in the ruby_1_8 branch. It hasn't been
> applied to the separate branches for 1.8.5, 1.8.6 and 1.8.7.
> I've applied the change to 1.8.6-p230 and I'm no longer getting the
> segmentation faults in my Rails app. I haven't tested the change with
> 1.8.5 or 1.8.7.
> The patch I applied to 1.8.6-p230 is available at:
> http://files.philross.co.uk/ruby/ruby-1.8.6-p230-fix.patch
> This just consists of revision 17530 with the change to ChangeLog
> adjusted to apply cleanly.
Phil, thanks for posting the link and patch.
Unfortunately, this patched version fails with segmentation faults when
applied to 1.8.6-p230 and run against RSpec 1.1.4's test suite:
lib/spec/example/example_group_methods.rb:384: [BUG] Segmentation fault
The 1.8.6-p111 version doesn't segfault.
Therefore, please consider another solution.
-igal
--
Posted via http://www.ruby-forum.com/.
We may have a winner!
Can someone with a good understanding of C please audit the patch below?
It seems to make 1.8.6p230 work correctly. It reverts Matz's "should
copy cref as well" patch, and I'm not clear on what that was intended to
do.
Robert Thau wrote:
> FWIW, I managed to get 1.8.6p230 all the way through a Rails 2.0
> app test suite without segfaults or glibc "corrupted memory"
> complaints with the patch here:
> http://dev.smartleaf.com/misc/p230_fixit_patch.txt
> This reverts changeset 17222 from the ruby_1_8_6 branch of the
> main svn repository, which doesn't *look* security-related, at
> least at first blush (though it may be a failed backport from
> another line of development).
I ran this against the Rails 2.0 and RSpec 1.1.4 test
suites, no seg faults, no glibc errs, and the same set of tests
succeeded/passed between this patched version and the stock p111. It ran
fine against automateit 0.80607 and the various Rails apps I tried. This
is good.
> As always, your mileage may vary --- but I'm hoping this helps
> someone with more detailed knowledge of MRI innards figure out
> what's going on.
Same here. Thanks much for posting this!
Does anyone know how to contact the smartleaf folks and get them into
this discussion?
-igal
--
Posted via http://www.ruby-forum.com/.
In article <b4734d2c636e7e0cabf04a53be206ebc@ruby-forum.com>,
Igal Koshevoy <igal@pragmaticraft.com> wrote:
> Can you or someone more familiar with FreeBSD explain how to get the
> diff for their patches so someone can start building a backport patch
> based on theirs? I found the FreeBSD page that refers to these at
> FreshPorts -- lang/ruby18: An object-oriented interpreted scripting language but can't get it to give me code.
Try this instead:
http://www.freebsd.org/cgi/cvsweb.cgi/ports/lang/ruby18/files/
--
Ollivier ROBERT -=- EEC/RIF/SEU -=-
Systems Engineering Unit
On Mon, 23 Jun 2008 22:38:40 +0900
Hongli Lai <hongli@phusion.nl> mentioned:
> Now that you mention it, Keita Yamaguchi sent me an eval.c security
> patch a while back. Upon closer inspection it seems that this patch is
> not included in the FreeBSD patch set, and neither is bignum.c.
eval.c doesn't pose a security fix as safe_level isn't secure by design.
It's just a couple of checks around some functions, nothing more. The patch
adds another one in eval.c.
bignum.c fixes an integer overflow at some operations - this can't cause
security problems as far as I could see. It's worth applying, though, thanks for
the info.
The webrick patches aren't relevant to FreeBSD in any way, since they fix
well-known security holes in webrick on Windows. These holes were
worked out a while ago (in fact several months or so).
--
Stanislav Sedov
ST4096-RIPE
Hongli Lai wrote:
> Now that you mention it, Keita Yamaguchi sent me an eval.c security
> patch a while back. Upon closer inspection it seems that this patch is
> not included in the FreeBSD patch set, and neither is bignum.c.
The analysis Zed Shaw described in his blog was based on reviewing all
the changes made this month. Although this is more time consuming, it
also seems like the most methodical way of making sure we catch all the
relevant changes.
> I've made an updated patch set:
> http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt
Excellent, thank you.
> Was file.c vulnerable? I see a number of Windows fixes for file.c, but
> it's not immediately clear whether the changes also include security
> fixes.
If I recall correctly, a blog post (which I can't find at the moment)
suggested that some of this addressed general buffer overflow issues and
Windows-specific traversal attacks. So these may be worth considering.
-igal
--
Posted via http://www.ruby-forum.com/.
> Thomas Hurst wrote:
> > FreeBSD backported the relevant patches to 1.8.6 p111, perhaps use
> > those? I've certainly not had any problems with my Rails apps with it.
> Thanks for the information, Thomas. Could you or someone else with
> FreeBSD, as a favor, run the Rails and RSpec test suites with this new
> version to determine how well these modified versions work?
rspec runs fine, though I needed to modify a regexp to work with my
Oniguruma patched install (an option of the FreeBSD port).
The Rails test suite mostly works; a few failures wrt timezone support,
and a couple of odd ActiveRecord ones with sanitizing LIMIT
(add_limit_offset_should_sanitize_sql_injection_for_limit...), but
these could also be Oniguruma related.
> However, does anyone know how the FreeBSD maintainers figured out what
> to backport and what not to?
Well, you just follow the SVN history and cherry-pick the relevant
commits?
* Igal Koshevoy (igal@pragmaticraft.com) wrote:
--
Thomas 'Freaky' Hurst
http://hur.st/