Hey everyone, I know some of you have ran into the latest security fix causing SEGFAULTs in Rails applications. This is apparently due to changes in the class duplication code in Ruby, but I don''t have much more information. I do however have instructions for people who need these security fixes now. The very nice and smart Hongli created a patch for his Ruby2EE project that also works for Ruby 1.8.6-p111 or Ruby 1.8.6-p114 with some modification. PATCHING P114 Here''s how you can use it to patch p114. Grab the Ruby 1.8.6 p114 source, untar it, then cd into the source directory. You have to be in the source directory when you start this process. Not above it, not below it, right in it. I show you this command as the first thing. --------- $ cd ruby-1.8.6-p114 $ wget http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt ... 2008-06-25 12:46:39 (63.1 KB/s) - `r8ee-security-patch-20080623-2.txt'' saved [11939/11939] $ patch -p1 < r8ee-security-patch-20080623-2.txt patching file array.c patching file bignum.c patching file eval.c patching file intern.h patching file io.c patching file lib/webrick/httpservlet/filehandler.rb Reversed (or previously applied) patch detected! Assume -R? [n] n Apply anyway? [n] n Skipping patch. 4 out of 4 hunks ignored -- saving rejects to file lib/webrick/httpservlet/filehandler.rb.rej patching file sprintf.c patching file string.c --------- Notice how I had to tell it to skip changes to Webrick? Nobody here runs webrick so that''s just fine. After this you can do the usual ./configure, make, make install and get your Ruby back. PATCHING P111 The process should be exactly the same, just you won''t have to tell it skip the patch to webrick. WHAT''s IN THIS PATCH? Hongli collected patches from the FreeBSD crew, and then pulled them together with a security fix in eval.c he was given. You can read the thread here: http://www.ruby-forum.com/topic/157034 The md5sum that I have for this patchfile is: 74405e3f4a0c1e0484c303a33c0a6f0d r8ee-security-patch-20080623-2.txt If your md5sum is different then I recommend contacting Hongli for help. Consider giving him money for a short consulting contract since he obviously knows his shit. THE CATCH: NOT TESTED BY ME Alright, so don''t go running out trying this shit without some testing. Not testing is what got everyone in this mess. All the bigger ruby players I know are doing this, and they say it works. Hongli is using it and it works for him. You are not a big ruby player or Hongli. So, test your stuff completely, then roll it out. Please report back to me if you have problems with the patch and/or if it works great for you so I can help some other folks out. Thanks people. Always looking out for ya. -- A1S9-4A: R.I.P. 6/21/08 Zed A. Shaw
Awesome! Thanks. Evan On Wed, Jun 25, 2008 at 10:01 AM, Zed A. Shaw <zedshaw at zedshaw.com> wrote:> Hey everyone, > > I know some of you have ran into the latest security fix causing > SEGFAULTs in Rails applications. This is apparently due to changes in > the class duplication code in Ruby, but I don''t have much more > information. > > I do however have instructions for people who need these security fixes > now. The very nice and smart Hongli created a patch for his Ruby2EE > project that also works for Ruby 1.8.6-p111 or Ruby 1.8.6-p114 with > some modification. > > PATCHING P114 > > Here''s how you can use it to patch p114. Grab the Ruby 1.8.6 p114 > source, untar it, then cd into the source directory. You have to be in > the source directory when you start this process. Not above it, not > below it, right in it. I show you this command as the first thing. > > --------- > $ cd ruby-1.8.6-p114 > $ wget http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt > ... > 2008-06-25 12:46:39 (63.1 KB/s) - `r8ee-security-patch-20080623-2.txt'' > saved [11939/11939] > > $ patch -p1 < r8ee-security-patch-20080623-2.txt > patching file array.c > patching file bignum.c > patching file eval.c > patching file intern.h > patching file io.c > patching file lib/webrick/httpservlet/filehandler.rb > Reversed (or previously applied) patch detected! Assume -R? [n] n > Apply anyway? [n] n > Skipping patch. > 4 out of 4 hunks ignored -- saving rejects to file > lib/webrick/httpservlet/filehandler.rb.rej patching file sprintf.c > patching file string.c > --------- > > Notice how I had to tell it to skip changes to Webrick? Nobody here > runs webrick so that''s just fine. After this you can do the > usual ./configure, make, make install and get your Ruby back. > > PATCHING P111 > > The process should be exactly the same, just you won''t have to tell it > skip the patch to webrick. > > WHAT''s IN THIS PATCH? > > Hongli collected patches from the FreeBSD crew, and then pulled them > together with a security fix in eval.c he was given. You can read the > thread here: > > http://www.ruby-forum.com/topic/157034 > > The md5sum that I have for this patchfile is: > > 74405e3f4a0c1e0484c303a33c0a6f0d r8ee-security-patch-20080623-2.txt > > If your md5sum is different then I recommend contacting Hongli for > help. Consider giving him money for a short consulting contract since > he obviously knows his shit. > > THE CATCH: NOT TESTED BY ME > > Alright, so don''t go running out trying this shit without some > testing. Not testing is what got everyone in this mess. All the > bigger ruby players I know are doing this, and they say it works. > Hongli is using it and it works for him. You are not a big ruby player > or Hongli. So, test your stuff completely, then roll it out. > > Please report back to me if you have problems with the patch and/or if > it works great for you so I can help some other folks out. > > Thanks people. Always looking out for ya. > > -- > A1S9-4A: R.I.P. 6/21/08 > Zed A. Shaw > _______________________________________________ > Mongrel-users mailing list > Mongrel-users at rubyforge.org > http://rubyforge.org/mailman/listinfo/mongrel-users >-- Evan Weaver
On Wed, Jun 25, 2008 at 7:01 PM, Zed A. Shaw <zedshaw at zedshaw.com> wrote:> Hey everyone, > > I know some of you have ran into the latest security fix causing > SEGFAULTs in Rails applications. This is apparently due to changes in > the class duplication code in Ruby, but I don''t have much more > information. > > I do however have instructions for people who need these security fixes > now. The very nice and smart Hongli created a patch for his Ruby2EE > project that also works for Ruby 1.8.6-p111 or Ruby 1.8.6-p114 with > some modification. > > PATCHING P114 > > Here''s how you can use it to patch p114. Grab the Ruby 1.8.6 p114 > source, untar it, then cd into the source directory. You have to be in > the source directory when you start this process. Not above it, not > below it, right in it. I show you this command as the first thing. > > --------- > $ cd ruby-1.8.6-p114 > $ wget http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt > ... > 2008-06-25 12:46:39 (63.1 KB/s) - `r8ee-security-patch-20080623-2.txt'' > saved [11939/11939] > > $ patch -p1 < r8ee-security-patch-20080623-2.txt > patching file array.c > patching file bignum.c > patching file eval.c > patching file intern.h > patching file io.c > patching file lib/webrick/httpservlet/filehandler.rb > Reversed (or previously applied) patch detected! Assume -R? [n] n > Apply anyway? [n] n > Skipping patch. > 4 out of 4 hunks ignored -- saving rejects to file > lib/webrick/httpservlet/filehandler.rb.rej patching file sprintf.c > patching file string.c > --------- > > Notice how I had to tell it to skip changes to Webrick? Nobody here > runs webrick so that''s just fine. After this you can do the > usual ./configure, make, make install and get your Ruby back. > > PATCHING P111 > > The process should be exactly the same, just you won''t have to tell it > skip the patch to webrick. > > WHAT''s IN THIS PATCH? > > Hongli collected patches from the FreeBSD crew, and then pulled them > together with a security fix in eval.c he was given. You can read the > thread here: > > http://www.ruby-forum.com/topic/157034 > > The md5sum that I have for this patchfile is: > > 74405e3f4a0c1e0484c303a33c0a6f0d r8ee-security-patch-20080623-2.txt > > If your md5sum is different then I recommend contacting Hongli for > help. Consider giving him money for a short consulting contract since > he obviously knows his shit. > > THE CATCH: NOT TESTED BY ME > > Alright, so don''t go running out trying this shit without some > testing. Not testing is what got everyone in this mess. All the > bigger ruby players I know are doing this, and they say it works. > Hongli is using it and it works for him. You are not a big ruby player > or Hongli. So, test your stuff completely, then roll it out. > > Please report back to me if you have problems with the patch and/or if > it works great for you so I can help some other folks out. > > Thanks people. Always looking out for ya. >Thanks Zed, we are merging those with our own patches for Ruby One-Click Installer (MinGW version). Right now: 1564 tests, 14742 assertions, 6 failures, 50 errors I need to take a look at the tests patches too, since before I got only 3 failures :-D -- Luis Lavena AREA 17 - Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. Douglas Adams
On Thu, 26 Jun 2008 02:02:30 +0200 "Luis Lavena" <luislavena at gmail.com> wrote:> Thanks Zed, we are merging those with our own patches for Ruby > One-Click Installer (MinGW version). > > Right now: > 1564 tests, 14742 assertions, 6 failures, 50 errors > > I need to take a look at the tests patches too, since before I got > only 3 failures :-DIf you''re using the p114 branch, then those are related to changes in REXML and soap4r stuff. If you can find out how to make it all clean then great, but most people seem to not care about that. On the p111 it should be much better since p114 was when they added the soap and xml changes. -- A1S9-4A: R.I.P. 6/21/08 Zed A. Shaw
On Thu, Jun 26, 2008 at 3:25 AM, Zed A. Shaw <zedshaw at zedshaw.com> wrote:> On Thu, 26 Jun 2008 02:02:30 +0200 > "Luis Lavena" <luislavena at gmail.com> wrote: > >> Thanks Zed, we are merging those with our own patches for Ruby >> One-Click Installer (MinGW version). >> >> Right now: >> 1564 tests, 14742 assertions, 6 failures, 50 errors >> >> I need to take a look at the tests patches too, since before I got >> only 3 failures :-D > > If you''re using the p114 branch, then those are related to changes in > REXML and soap4r stuff. If you can find out how to make it all clean > then great, but most people seem to not care about that. > > On the p111 it should be much better since p114 was when they added the > soap and xml changes. >Thankfully I was wrong, those were a mix of p230 results, sorry for the noise. Now we have 4 failures, +1 from the p114 which ruby-core told just to ignore because are some silly japanesse ruby on windows tests (yeah, I know, don''t get me started). Thank you man for the heads up, this add the 3rd patch to out collection based on p114, now fully automated to build One-Click Installer ;-) Take care, -- Luis Lavena AREA 17 - Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. Douglas Adams
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I turned this patch ( http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt ) into a Gentoo ebuild for 1.8.6p114. I removed the webrick diff as it was already fixed in p114. I tested it with Rails 2.1, 2.0 and 1.2 and I had no issues (just the same minor errors as with plain p114). http://takk.webreakstuff.com/~tmacedo/ruby-1.8.6_p114-r1.ebuild I''m going to deploy it to some applications that are already running on p114. Thanks for the help, Tiago Macedo Luis Lavena wrote: | On Thu, Jun 26, 2008 at 3:25 AM, Zed A. Shaw <zedshaw at zedshaw.com> wrote: |> On Thu, 26 Jun 2008 02:02:30 +0200 |> "Luis Lavena" <luislavena at gmail.com> wrote: |> |>> Thanks Zed, we are merging those with our own patches for Ruby |>> One-Click Installer (MinGW version). |>> |>> Right now: |>> 1564 tests, 14742 assertions, 6 failures, 50 errors |>> |>> I need to take a look at the tests patches too, since before I got |>> only 3 failures :-D |> If you''re using the p114 branch, then those are related to changes in |> REXML and soap4r stuff. If you can find out how to make it all clean |> then great, but most people seem to not care about that. |> |> On the p111 it should be much better since p114 was when they added the |> soap and xml changes. |> | | Thankfully I was wrong, those were a mix of p230 results, sorry for the noise. | | Now we have 4 failures, +1 from the p114 which ruby-core told just to | ignore because are some silly japanesse ruby on windows tests (yeah, I | know, don''t get me started). | | Thank you man for the heads up, this add the 3rd patch to out | collection based on p114, now fully automated to build One-Click | Installer ;-) | | Take care, -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEUEARECAAYFAkhjlmEACgkQxFuRTtCTMvIhqQCVEJmfcMGxjRh+31iMjnqxFjZC dACfZDnLfS0mEsByG7NAayMLp7YNs00=AExa -----END PGP SIGNATURE-----