[ruby-list:48583] [ANN] ruby 1.8.7 patchlevel 357 released

Hello all.

We have been releasing a new ruby version in this season every year
for over a decade, and this is the one for this year. We have fixed
several bugs today; one of them is the fix for CVE-2011-4815 (a more
detailed description of the issue follows in the next mail). So
everyone who uses 1.8.7 should consider upgrading.

For details, please read the ChangeLog as usual.

ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p357.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p357.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p357.zip

Checksums:

MD5(ruby-1.8.7-p357.tar.gz)= b2b8248ff5097cfd629f5b9768d1df82
SHA256(ruby-1.8.7-p357.tar.gz)= 2fdcac4eb37b2eba1a4eef392a2922e07a9222fc86d781d92154d716434b962c
SIZE(ruby-1.8.7-p357.tar.gz)= 4895136

MD5(ruby-1.8.7-p357.tar.bz2)= 3abd9e2a29f756a0d30c7bfca578cdeb
SHA256(ruby-1.8.7-p357.tar.bz2)= 5c64b63a597b4cb545887364e1fd1e0601a7aeb545e576e74a6d8e88a2765a37
SIZE(ruby-1.8.7-p357.tar.bz2)= 4208157

MD5(ruby-1.8.7-p357.zip)= 23efe7ba50458f8df691c7fa07ce0578
SHA256(ruby-1.8.7-p357.zip)= b7672524ecac77e7f4bdbbfa5521109a0ef514d22bc726bad073d83b6044d445
SIZE(ruby-1.8.7-p357.zip)= 5994841

Have a happy new year,

Subject:

Denial of service attack was found for Ruby’s Hash algorithm

Impact:

This issue is related to computational complexity. A specially
crafted series of strings whose hash values intentionally collide
with each other was found. With such a sequence an attacker can mount
a denial of service attack by, for instance, sending the strings as
POST parameters of HTTP requests to your Rails application.

Detailed description:

The situation is similar to the one found for Perl in 2003. In the 1.8
series of Ruby, we use a deterministic hash function to hash a string.
Here “deterministic” means that no bits of information other than the
input string itself are involved in generating the hash value, so a
string’s hash value can be precalculated beforehand. By collecting a
series of strings that have the identical hash value, an attacker can
make the ruby process collide bins of its hash tables (including Hash
class instances). The amortized O(1) property of hash tables depends
on the hash values being uniformly distributed. By giving such crafted
input, an attacker can make hash tables work much slower than expected
(namely O(n²) to construct an n-element table in this case).

Affected versions:

  • Ruby 1.8.7-p352 and all prior versions.

No release in the Ruby 1.9 series is affected by this kind of attack;
the 1.9 series does not share its hash implementation with Ruby 1.8.

Solution:

Our solution is to scramble the string hash function with some
PRNG-generated random bits. By doing so a string’s hash value is no
longer deterministic. That is, a String#hash result is consistent
only for the lifetime of the current process and will be a different
number on the next boot. To break this an attacker must create a set
of strings which are robust to this kind of scrambling, which is
believed to be quite difficult.

Please upgrade to the latest version of ruby via my previous post.

http://mla.n-z.jp/?ruby-talk=391606
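As an added illustration of the mechanism described above (example code written for this note, not Ruby's own st.c or String#hash implementation): a toy chained hash table with a seeded string hash, where keys precomputed to collide under the fixed, public seed 0 cost n(n-1)/2 comparisons to insert, while the same keys under a fresh random seed spread across the buckets. The hash function, the table size of 64 buckets and the brute-force key search are all constructed for the demonstration.

```ruby
require 'securerandom'

MASK32 = 0xffffffff

# Seeded string hash (toy function, not Ruby's real String#hash): the seed is
# the initial state, and a final mixing step makes every output bit, including
# the low bits used as the bucket index, depend on it.
def toy_hash(str, seed)
  h = seed & MASK32
  str.each_byte { |b| h = ((h ^ b) * 0x01000193) & MASK32 }
  h ^= h >> 16
  h = (h * 0x85ebca6b) & MASK32
  h ^ (h >> 13)
end

# Chained hash table that counts key comparisons, i.e. the work each insert costs.
class ToyTable
  attr_reader :probes
  def initialize(buckets, seed)
    @buckets = Array.new(buckets) { [] }
    @seed, @probes = seed, 0
  end

  def insert(key)
    chain = @buckets[toy_hash(key, @seed) % @buckets.size]
    chain.each { |k| @probes += 1; return false if k == key } # long chains = slow inserts
    chain << key
    true
  end
end

# Keys that all share one bucket under the public seed 0, found offline by brute
# force over short strings: the precalculation the advisory describes is possible
# only because the old hash had no secret input.
def colliding_keys(n, buckets, seed = 0)
  target = toy_hash('a', seed) % buckets
  ('a'..'zzzz').lazy.select { |s| toy_hash(s, seed) % buckets == target }.first(n)
end

def probes_for(keys, buckets, seed)
  t = ToyTable.new(buckets, seed)
  keys.each { |k| t.insert(k) }
  t.probes
end

if __FILE__ == $0
  keys = colliding_keys(200, 64)
  puts "fixed seed 0:  #{probes_for(keys, 64, 0)} comparisons (n(n-1)/2 = 19900)"
  puts "random seed:   #{probes_for(keys, 64, SecureRandom.random_number(2**32))} comparisons"
end
```

The second figure is what the per-process seed buys: the attacker's offline work targeted a hash value that no longer exists once the process starts with its own random bits.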

Notes:

  • Bear in mind that the solution does not mean our hash
    algorithm is cryptographically secure. To put it simply, we fixed
    the hash table but we did not fix the String#hash weakness. An
    attacker could still exploit it once he / she obtained a pair of a
    string and its hash value returned from String#hash. You must not
    disclose String#hash outputs. If you need to do such things,
    consider using secure hash algorithms instead. Some of them (such
    as SHA256) are provided in Ruby’s standard library.

  • For those who know about the alternative hash algorithms inside our
    code base: we do not support them (they are disabled by default). By
    choosing them, we assume that you can read C and understand what
    was wrong with the default one. Making sure that your choice is
    safe is at your own risk.

Credit:

Credit to Alexander Klink <alexander.klink@nruns.com> and Julian
Waelde <jwaelde@cdc.informatik.tu-darmstadt.de> for reporting this
issue.

-----Original Message-----

From: Urabe Shyouhei [mailto:shyouhei@ruby-lang.org]
Sent: Wednesday, 28 December 2011 14:14
To: ruby-talk ML; ruby-list@ruby-lang.org
Subject: [ANN] ruby 1.8.7 patchlevel 357 released


-----Original Message-----
From: Urabe Shyouhei [mailto:shyouhei@ruby-lang.org]
Sent: Wednesday, 28 December 2011 14:33


To: ruby-talk ML; ruby-list@ruby-lang.org
Subject: [ANN] CVE-2011-4815: Denial of service attack was found for Ruby's Hash algorithm
