Comments

Leave a response

1. bob on 21 Jun 03:08:
   

   Getting strange errors upgrading from 1.8.6p110 to 1.8.6p230

   ‘wrong argument type FalseClass (expected Proc)’

   for random bits of code after upgrading. Anyone know what’s going on? Google ain’t helping.

2. Mike Perham on 21 Jun 03:50:
   

   There are multiple people having problems with the upgrade from (in our case, 186-p114) to 186-p230.

   The error we are seeing is:

   method `respond_to?’ called on terminated object (0×7fffffefcf40)

   in:

   (eval):2:in `protect_against_forgery?’ vendor/rails/actionpack/lib/action_view/helpers/form_tag_helper.rb:404:in `extra_tags_for_form’

3. Jeremy Kemper on 21 Jun 04:08:
   

   I had segfaults on 1.8.6-p230 also. Hopefully we’ll see another release very soon. :(

4. Thorsten on 21 Jun 04:25:
   

   Dumb question: how can I tell which patch-level I have installed? ruby -v just says 1.8.5

5. Bret on 21 Jun 04:40:
   

   Is there any way to patch on Win32 without having MSVB?

6. Sven on 21 Jun 05:24:
   

   If ruby—version doesn’t work you can in principle determine your patchlevel with ruby -e ‘puts(RUBY_PATCHLEVEL)’ but this didn’t work for me either on one machine running 1.8.4. It seems to do the trick for me on 1.8.5 and 1.8.6.

7. Yaroslav on 21 Jun 05:58:
   

   Thorsten, if you’re on OS X, wait for Software Update patch, if you’re on Linux and installed your ruby from packages, wait for an update. If you’ve built it from source, you sure need to DL new version and rebuild ruby, but, ATM, people are getting segfaults.

8. Shawn Balestracci on 21 Jun 06:10:
   

   I’m getting segfaults on 1.8.5-p231 as well.

9. Jay on 21 Jun 06:18:
   

   Segfaults on both 1.8.5-p231 and 1.8.6-p230. So I’m stuck between a serious security vulnerability and a patched version that brings my site down within two requests. Wonderful!

10. aimee.mychores.co.uk on 21 Jun 09:17:
    

    Eeek! Ruby 1.8.6 p230 won’t let me run script/server! It’s giving a weird C error warning against possible data corruption:

    • glibc detected * double free or corruption (out): 0×0000000000daabc0 * Aborted

    Should i wait for another patch?

11. Simon on 21 Jun 09:52:
    

    This means the clean 1.8.5 version is ok ?

    ruby -v gives me: ruby 1.8.5 (2006-08-25)

12. Eivind Uggedal on 21 Jun 10:37:
    

    If you’re not one of those that feel vulnerabilities need to be kept secret, have a look at Zed’s look at the changes made in these latest versions.

13. Vladimir Sizikov on 21 Jun 17:01:
    

    Eivind, Zed actually performed lots of non-needed work, comparing the snapshots, while there is a nice svn and git log of all the changes, much better documenting why changes were made and what has been changed.

    There is no conspiracy here, and nothing is really was hidden. Everything is in the public repositories.

14. stas on 21 Jun 17:51:
    

    The version with fixed vulns is available in FreeBSD ports repo. You can try that if you’re a FreeBSD user.

15. Julik on 21 Jun 20:03:
    

    It would be very nice if Rails-core would have verified that the p230 actually works before saying “everyone upgrade”.

    I just wasted two hours of my time on this nonsense.

16. Eric Wong on 21 Jun 20:54:
    

    Until there’s a proven exploit on a non-broken web application, I don’t think these should be blown out of proportion.

    If your web application is halfway sane, the string and array overflow vulnerabilities should definitely not be a problem. If you deal with strings that are gigabytes in size or arrays with a billion elements; your application is already seriously broken and you’re vulnerable to a DoS anyways (or hardware manufacturers really love you).

    Mongrel already has hardcoded limits on all user input except uploaded file sizes; so unless you’re slurping an entire uploaded file into memory, arbitrary user input won’t kill you unless your app does something stupid with it.

    Iconv length check: only vulnerable if you’re converting part of a string with iconv.iconv… nobody actually uses that feature; do they?

    Unsafe alloca() with sprintf/%: as far as I know (and I could be wrong here), it’s not a problem with gcc; if it works for you now, this should always work unless you’re doing something stupid like passing a ridiculous number of arguments to format a string with.

    NULLs in filenames? Not sure why it’s a problem, POSIX file systems don’t allow NULL in pathnames anyways. And for truncated path names, either your application can open a file or it can’t. Shouldn’t be a problem if your file system has a proper permissions system; but maybe I’m missing something. (And I really don’t care for broken filesystems on Win32 or OSX).

    rb_str_cat() buffer overrun fixed in r16400 actually seems most interesting and likely to be a problem, and that was fixed well over a month ago. But maybe some malloc implementations compensate for common programmer errors like this and overallocate extra bytes and that’s why we haven’t seen Ruby crashing left and right.

17. Armin Ronacher on 21 Jun 21:09:
    

    About the NULL in Filenames:

    mitsuhiko@nausicaa:/tmp$ echo “Hello World” > myfile.txt mitsuhiko@nausicaa:/tmp$ irb irb(main):001:0> File.new(“myfile.txt\x00” + ”.html”).read => “Hello World\n”

18. Eric Wong on 21 Jun 21:28:
    

    Opening a file in that way is unexpected behavior and a bug, yes; but I don’t see how it’s a vulnerability.

    It’s not a path traversal issue; and File.exist?/File.stat already protect you from NULL bytes if you’re checking to see if you’ll clobber an existing file.

19. Thomas H. Ptacek on 22 Jun 05:47:
    

    Eric: You may want to retract that suggestion. You do not need to handle strings that are billions of bytes long to trip some of these vulnerabilities. People should patch as soon as is feasible.

20. website design on 22 Jun 08:01:
    

    The worst of these are in Array and String; they can coerce your Ruby interpreter to overwrite native memory at locations of an attackers choosing, if attackers control either the size of an object or the indices used to access them. You should probably assume attackers can do this, since most Ruby (and Python) code relies on exceptions and “nil” returns to catch these conditions.

21. Thomas H. Ptacek on 22 Jun 08:05:
    

    The “website design” comment copies a comment I made on Reddit, verbatim. Thanks, website design!

    Eric:

    “foo” and “foo\000” are the same filename as far as open(2) is concern, because open(2) is an ASCIIZ interface. But they aren’t the same Ruby string. If you implement access control based on filenames, and you don’t sanitize the names, you could have a problem.

22. Thomas H. Ptacek on 22 Jun 08:07:
    

    ... but then yeah, not sure why it helps to truncate the string. Never mind, thinking out loud.

23. Eric Wong on 22 Jun 10:20:
    

    So for the Array and String overflow bugs, it would only affect applications that were trivially DoS-able anyways (unless they run on machines with enormous amounts of RAM and sysadmins who don’t care). Basically applications that do stupid things like this:

    i = params[:index].to_i # params hash being untrusted user input return array[i] ? "found" : "not found"

    Patched Ruby or not (or even Perl), the above code is easily DoS-able. If attackers can control memory usage of an application like this, that app is already broken and whoever wrote it needs a serious LARTing.

    I’m not saying there’s not a problem in the changes that affect sane apps, but all the CVEs are still being under review and several days have gone by now with no exploits being published to my knowledge.

    Perhaps the focus has being on Array and String overflows is misdirection and there’s something else fixed we’re not paying enough attention to… tinfoil hat

24. Eric Wong on 22 Jun 10:22:
    Gah, I suck at HTML, missing newline between “input” and “return” i = params[:index].to_i # params hash being untrusted user input<br /> return array[i] ? "found" : "not found"

    But yeah, code like this should get people shot :)

25. Eric Wong on 22 Jun 10:26:
    

    OK, self-LART, posting on this blog is challenging because I’m an old fogey with large fonts causing horrible wrapping and my original post actually looks formatted right with regular font sizes :)

26. Anonymous on 22 Jun 10:56:
    

    “But yeah, code like this should get people shot :)”

    Why not educate them instead? ;)

27. toño on 22 Jun 14:59:
    

    same issue with segmentation fault… doh!

    anyone knows if there another patchlevel for fix that comming?

28. Thomas Ptacek on 22 Jun 16:02:
    

    array[params[:index].to_i] isn’t a trivial DoS, Eric. In Ruby, the language Rails is written in, that simply returns “nil”.

29. djwonk on 22 Jun 16:52:
    

    My staging box shows no segfaults with ruby 1.8.7 (2008-06-20 patchlevel 22) and Rails 2.1 (knock on wood)

30. aimee.mychores.co.uk on 22 Jun 21:28:
    

    Is the advice to go to Ruby 1.8.7 and Rails 2.1? Well, i am already on Rails 2.1 but having no luck whatsoever with Ruby 1.8.6 patch 230.

31. Eric Wong on 22 Jun 21:40:
    

    OK, nevermind, merely checking array[params[:index].to_i] is perfectly safe regardless of patchlevel, however assigning with array[params[:index].to_i] = "foo" is braindamaged and broken

32. Igal Koshevoy on 23 Jun 01:58:
    

    This is a Ruby bug, not a Rails bug, so I propose that we discuss it over on ruby-talk. Here’s the post: http://www.ruby-forum.com/topic/157034

    Here’s a copy of my post from that thread regarding this topic:

    All versions of MRI Ruby that claim to fix the vulnerabilities are either failing with segmentation faults or change the API in ways that make it impossible to run vital libraries such as Rails 2.0.x and RSpec. These broken versions include: 1.8.5p231, 1.8.6p230, 1.8.7p22, and 1.9.0-2. Unfortunately, the source code describing some of the proposed fixes has been publicly available now for four days for crackers to write their attacks, so we’re in a race with the bad guys to deliver a solution.

    Is anyone working on fixing these bugs? If not, can we rally the community to get a bounty and/or code sprint going?

    Is there a way to convince the Ruby maintainers to run new code against the publicly-available test suites provided by RubySpec, Rails and Rspec before they ship a new version to avoid these problems in the future?

    Is there anything else that those of us which lack the necessary C expertise to fix these problems can do to help with this effort?

    Thank you.

    -igal

33. Robert Thau on 23 Jun 02:28:
    

    Count up another guy who’s having trouble with Ruby 1.8.6-p230, in my case on Debian Etch. I’m getting a segfault on “rake test:units”, and a fatal complaint about a double-free from glibc on “rake test:functionals”. My app is not on 2.1 yet, so 1.8.7 is not an option; any reports of success for anyone on 1.8.6-230?

34. Andrew Smithq on 23 Jun 02:50:
    

    Yet another person running Ruby-1.8.6-p230 on OS X and having problems. Hopefully this gets fixed quickly. Security leaks are bad but so are non-running applications!

35. John D on 23 Jun 03:08:
    

    Another voice to the masses, 1.8.6-p230 segfaults on my staging server when firing the first request through to mongrel.

36. Thijs on 23 Jun 07:55:
    

    Rails 2.1 causes the Proc issue to:

    wrong argument type FalseClass (expected Proc) if you do a form_remote_tag() do

37. aimee.mychores.co.uk on 23 Jun 08:22:
    

    Hello Robert, comment 33, i am also on Debian Etch and having the glibc double-free error.

    When i did a brand new Rails 2.1 scaffold i still had the segfault error. I think the only answer is to try 1.8.7.

38. Yeah, whatever on 23 Jun 09:15:
    

    “The details are still under wraps”

    Oh, good old security through obscurity again. That makes me feel much safer.

39. Hongli Lai on 23 Jun 11:30:
    

    Phusion has backported the security patches to 1.8.6-p111 and made a Ruby Enterprise Edition release based on that. This version is compatible with all your apps. See http://blog.phusion.nl/?p=35 for details.

40. Robert Thau on 23 Jun 12:41:
    

    ... and, to clarify, 1.8.7 is only an answer for people who can use Rails 2.1.

41. Joseph Riesen on 23 Jun 17:48:
    

    It’s probably going to be a while until the Windows builds out there catch up to the “safe” versions, so I decided to try and build 1.8.7-p22 from scratch, with VC8 (VS2005).

    In that regard, if anyone else has even tried this yet, have you had problems with the zlib extension when building 1.8.7 from source on Windows? Ruby itself builds without incident (though a bunch of its tests fail; then again, make test-all has a few failing tests on my Mac too)... but zlib segfaults whenever I try to do anything useful, e.g. gem install rails. Not sure if I’ve built zlib wrong (tried binaries and building from scratch, same problem)... wondering if someone dorked the zlib.so extension.

    FYI, 1.8.7-p22 and Rails 2.1.0 seem to run without any problems on Mac OS X.

42. Maurice Nonnekes on 23 Jun 18:40:
    

    In case anyone is interested, I’ve created some Debian packages (1.8.6p114) with the fixes in. These packages have no problem running older versions of Rails. There is also a simple step-by-step guide available, in case you want to build the packages yourself.

    http://www.zaypay.com/public/en/docs/blog

43. Dominique Brezinski on 23 Jun 19:26:
    

    FYI: these bugs are the same or closely related to issues I disclosed to ruby-core years ago. Ruby-core did not take them seriously and did not fix any of the issues. Only now that there is a large user base from the rails side does anyone in the ruby camp seem to care.

    Anybody running meaningful applications on rails, merb, etc. should seriously hold the ruby-core community responsible for not having a decent process in place for remediating security issues. Again, it has been known for years that the fundamental constructs used of memory allocation by String and Array (and everything else) are vulnerable to integer overflows and in general there is no sanity checking around stack allocations (alloca) in the ruby 1.8.X code.

44. Robert Thau on 23 Jun 20:09:
    

    Here’s a patch against 1.8.6-p230 which seems to get “rake test” on my app to pass with no complaints:

    http://dev.smartleaf.com/misc/p230_fixit_patch.txt

    This undoes changeset 17222 on the ruby_1_8_6 branch of the official svn repository (give or take the change to RUBY_PATCHLEVEL). At first blush, at least, the intended change doesn’t look security-related. If there’s anyone here who’d like to try this out, I’d appreciate it (as, perhaps, would other folks…)

45. Mogden on 24 Jun 04:32:
    

    So, er, what the hell are we supposed to do about this alert? I have a site in production, I have no idea if it’s really vulnerable since the problem isn’t spelled out, and when I upgrade to the recommended version, Rails barfs. I don’t really feel very good about running somebody’s home brew version of ruby on my production servers. Halp!

46. Robert Thau on 24 Jun 15:08:
    

    Well, most of the “homebrew” versions that are flying around are selections of patches from the official repository. Maurice above and the phusion guys are each trying to select only recent patches relevant to the announced vulnerabilities (though the phusion guys add their own storage-management patches, I believe), while my patch starts with p230 and undoes one particular change which seems to be at the root of the trouble.

    If you’re looking for the one closest to some official release, it’s probably what you get by taking “official” p230 and applying my patch (which is, itself, pretty much the output of “svn diff”; it restores class.c to its pre-17222 state and adds no new code.) On the other hand, that also means that you’ve still got all the other new stuff that the ruby core team tossed in, which was apparently less than perfectly tested.

    There’s no perfect option here, but I hope that helps.

47. Chess on 24 Jun 15:40:
    

    Any chance the Windows one-click installer can be upgraded to 1.8.7?

48. Thomas on 24 Jun 16:56:
    

    Seems as if there is no current ruby version available for win32, which matches the given patch-level, no matter if you would take 1.8.5, 1.8.6 or 1.8.7.

    One reason more, to have a deeper look at jruby and tomcat on windows. Does somebody use this combination for production (on windows).

49. SurviveStyle5 on 24 Jun 18:21:
    

    I just upgraded and tested in irb that the path works. I am running 2.0.2 rails. I can confirm that Actionpack seems to have a seg fault… RAILSROOT/vendor/rails/actionpack/lib/action_view/helpers/form_tag_helper.rb:404: [BUG] Segmentation fault ruby 1.8.6 (2008-06-20) [i686-linux]

50. Mr. K on 24 Jun 20:00:
    

    For those on 1.8.6 you may want to consider downgrading to 1.8.5 until this is worked out.

51. Robert Thau on 24 Jun 21:06:
    

    Errrmmm… people are also apparently having problems with the “security-patched” version of 1.8.5.

52. Anonymous on 25 Jun 10:07:
    

    Noun

    clusterfuck (plural clusterfucks)

    (vulgar) A chaotic mess similar to group rape. Its more precise usage describes a particular kind of Catch-22, in which multiple complicated problems mutually interfere with each other’s solution. The looser usage, referring to any chaotic situation, probably prevails.

53. Mark Kolesar on 25 Jun 14:01:
    

    After upgrading to ruby 1.8.6 (2008-06-20) with Rails 2.1, I got this error trying to load a page in my development environment served with WEBrick:

    /usr/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/core_ext/module/introspection.rb:60: [BUG] Segmentation fault ruby 1.8.6 (2008-06-20) [i386-linux]

    Solution: gem update activesupport

54. Robin Ward on 25 Jun 16:55:
    

    This is quite distressing. It has been days, and nothing from Ruby core.

55. Mogden on 25 Jun 17:39:
    

    I cannot believe the lack of response on this. It is extremely dismaying.

    What I’d expect from a platform that was supported in a serious fashion: an official release of Ruby that works with an official release of Rails that isn’t vulnerable, or a statement that the vulnerability isn’t anything to worry about.

56. Jason Crystal on 25 Jun 20:18:
    

    Just adding another voice; I’m experiencing the same seg-fault issues.

    /usr/local/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_view/helpers/form_tag_helper.rb:431: [BUG] Segmentation fault ruby 1.8.6 (2008-06-20) [i686-linux]

57. Ken on 25 Jun 21:06:
    

    Robin & Mogden,

    I completely agree with you and to be honest, I’m pretty shocked. It would seem this isn’t a high priority with anyone. I think this is going to have a serious negative impact on the Ruby and the Rails community. It’s really an unacceptable situation.

58. Skip on 26 Jun 00:10:
    

    My site was built on rails. Maybe this is why I got hacked? I managed to retrieve my homepage but all the subpages and videos are gone :(

59. eden li on 26 Jun 00:19:
    

    For people hitting segfaults and other ruby weirdness, here’s the patch created by hongli lai that you can apply to ruby version 1.8.6 p11x:

    http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt

    includes changes to: array.c, bignum.c, eval.c, intern.h, io.c, sprintf.c and string.c

    it barfs on webrick, but who runs that in production anyway…

    thanks to zed for the heads up on the mongrel list (tho he doesn’t vouch for the patch).

60. Mike on 26 Jun 23:31:
    

    There are now fixed ruby1.8 packages in Ubuntu, which appear to be working ok. Note that these are the old releases with the array/string patches backported.

61. Fadhli on 27 Jun 14:57:
    

    Yes. I can confirm with Mike on #60. Running fine after Ubuntu update release for Ruby1.8

62. Efren on 27 Jun 15:03:
    

    it barfs on webrick, but who runs that in production anyway…

    It barfs in Mongrel too. :(

63. Robin Ward on 27 Jun 15:52:
    

    I installed the Smartleaf p230 patch above and I can confirm that my Ruby app is running fine in production without any segfaults.

    If you want to stay on top of the vunerabilities, and are running 1.8.6, this seems to be the way to go.

64. alfredoj69@gmail.com on 27 Jun 20:27:
    

    I am running Fedora 9 and having the same segmentation fault. How do I patch ruby in my case?

    Does anybody know if there is an rpm upgrade for ruby?

65. Robin Ward on 28 Jun 18:07:
    

    Disregard what I said above about the smartleaf patch :(... After running for a while the memory usage of all my ruby processes climbed through the room. There are definitely memory leaks present.

66. nazrul on 28 Jun 19:15:
    

    I upgrade to ruby-1.8.6_p230 on slackware for production. Thank god everything seems fine with fcgi + apache at server side. but segfault if I try to run with webrick and mongrels. For time being i just downgrade back to ruby-p114 on my pc. :)

67. Terrific on 29 Jun 00:01:
    

    PROTIP: This is one of the reasons why people use Enterprisey™ languages/stacks over Ruby/Rails

68. JN2 on 29 Jun 09:32:
    

    I tried some of the above but couldn’t get 1.8.6/Rails 2.0.2 working on 64-bit FC8. So I bit the bullet and upgraded to Rails 2.1, but needed this sequence: - build Ruby 1.8.7-p22 from source - install RubyGems 1.2.0 - gem install rails - gem install mongrel - gem install mongrel_cluster

69. Petros on 30 Jun 06:46:
    

    I am having the same segfaults problems after updated to ruby 1.8.6 p230. Webrick and mongrel crash. Phusion passeger works fine. Can anyone suggest a solution to the problem? i am using fedora 8 as operating system.

70. nouetp on 30 Jun 14:40:
    

    As far as I can tell, none of these versions/patches (except 1.9) are fully resolving the string aspect of this issue: ruby -v ruby 1.8.6 (2008-06-20 patchlevel 230)

    irb(main):001:0> s = “A” * (2**16); nil => nil irb(main):002:0> while 1; s << s; puts s.size; end 131072 (irb):2: [BUG] Segmentation fault ruby 1.8.6 (2008-06-20) [i686-linux]

    Aborted

71. Mike Hodgson on 30 Jun 23:49:
    

    For those on Windows: http://mikehodgson.com/archives/2008/6/30/updated_unofficial_ruby_oneclick_installer

    Updates Ruby to 1.8.6p114 with the patches from the Phusion guys.

72. Angry Gecko on 01 Jul 20:07:
    

    It’s been a freaking week, and we STILL DON’T HAVE A VIABLE FIX!!

    Maybe Zed was right—Rails is a Ghetto!

    This is craptacular quality control, and we Developers are expected to build enterprise solutions on top of a broken stack?!

73. calm frog on 02 Jul 15:42:
    

    Hey angry gecko – check out this solution and test and let us all know your results (and yes it’s 8 days old)

    Patching Ruby 1.8.6 p11X To Avoid SEGFAULTs http://rubyforge.org/pipermail/mongrel-users/2008-June/005449.html

    adam.

74. Igal Koshevoy on 02 Jul 18:25:
    

    @Robin Ward – Re: memory leaks in p230

    The memory leak is probably not caused by the patch, but by the Ruby code added between p114 and p230. That new code will likely be the basis of the next official release, so it’d be best to identify the problem ASAP.

    Another user in ruby-talk is reporting a memory leak in their p230, but isn’t sure how to reproduce it. If you or anyone else can provide code for reproducing the leak, please get in touch at ruby-talk or its online front end at http://www.ruby-forum.com/topic/157034#697304

    Thanks!

75. Mike on 02 Jul 21:53:
    

    nouetp: I don’t see that issue with the patched Ruby 1.8.6 in Ubuntu:

    irb> s = “A” * (2**16); nil => nil

    irb> while 1; s << s; puts s.size; end

    131072 ... 1073741824

    ArgumentError: string sizes too big from (irb):4:in `<<’ from (irb):4 from :0

76. Igal Koshevoy on 02 Jul 23:25:
    

    WARNING: Do not use Ruby 1.8.6 releases p230 through p238 in production! There are bugs in the Ruby interpreter that cause it to leak memory. Please use a Ruby release that’s based on a patched version of the p111 or p114 code until this is resolved.

    I’ve put together code which demonstrates this at: http://pastie.org/226715

77. T. C. on 08 Jul 19:29:
    

    ---

    From: http://weblog.rubyonrails.org/ (This Week in Rails (June 26, 2008))

    “As previously reported by Jeremy Kemper, serious vulnerabilities have been discovered for the main Ruby implementations. The official advisory suggests an upgrade path, but there have been several reports of segmentation faults when using Rails with the patched Ruby 1.8.5 and 1.8.6 versions. The Phusion team has published a patch for Ruby 1.8.6-p111, but as things stand now, it hasn’t been included by the Ruby core team (yet).”

    ---

    When is the patch going to be included by Ruby core team. Will there be an OFFICIAL PATCH?

    I’m using Ruby 1.8.4 (Rails version 1.2.2). My application is running on Linux (under Apache2). I’d really appreciate simple instruction to upgrade to the version with the fix.

    I’m looking for the path of least resistance.

78. manikandan on 18 Jul 04:34:
    

    May i know what p230 stands for In 186-p230??