Ruby flaws send security researchers into shock

Developers have patched five vulnerabilities in the open-source programming language Ruby that could provide a trivial way for attackers to exploit a variety of web applications. The vulnerabilities affect versions 1.8 and 1.9 and could lead to remote execution of malicious code or denial of service, this advisory warns. The …

COMMENTS

This topic is closed for new posts.
  1. F Seiler

    off topic?

    "open source language" doesn't quite compute here.

    Is it an open source language compiler (/interpreter) that you refer to, or a publicly documented language ?

    I suspect the first, as vulnerabilities match better to actual software than language features, but you never know :) (Actually I'm not really sure the latter even makes sense here since, isn't every programming language "exploitable" in at least a thousand ways, thus it wouldn't be a story...)

  2. JoePritchard

    If this were ASP.NET.... ;-)

    Yes, every language has errors in it that make it exploitable.

    Here, the exploits can be carried out with crafted user input from applications developed with the language.

    I've nothing against Ruby on Rails, but I'm sure that were this a similar issue with ASP.NET the pitchforks would already be being sharpened and the brands lit for an ol' style mob storming of the barricades.... :-)

  3. Anonymous Coward

    Rails remains a bad joke

    Here's another (welcome) nail in the coffin of the only framework really "worthy" of Web 2.0. And you know what I mean by worthy. It doesn't scale, its developers are all primadonnas who don't understand what "scale" even means, there's no formal language spec, and now this lousy bit of implementation right in the heart of Ruby. I wish the JAVA ticker symbol actually represented Java, cause I'd be buying some right now.

  4. Anonymous Coward

    @F Seiler

    The details are under some kind of embargo at the moment, so it's impossible to do anything about the problem other than install their patches...

    Philosophy aside however, the patches are to the interpreter so I guess that's where the problem lies. Your point about the spec is facetious since Ruby is specified by its implementation rather than having a laid down formal grammar.

  5. chuBb.

    ummmmmm

    "The flaws were discovered by Drew Yao of Apple Product Security."

    Apple has a product security department????

  6. Pavel Tcholakov

    But Java's so fat and bloated man, and Ruby's like cool and stuff

    One of the major concerns I had about Rails was the utter lack of security support at the framework level. It wouldn't surprise me if most apps out there have tons of holes simply because there is no standard way of securing them. But vulnerabilities at the language level - ouch!

  7. Magnus

    @JonB

    "specified by its implementation rather than having a laid down formal grammar"

    I think that was rather his point. Yes, that does indeed mean that he seriously dislikes the design philosophy Ruby is based on.

  8. Anonymous Coward

    More info

    From Fedora's SRPMS dir you can download ruby-1.8.6.230-1.fc10.src.rpm, and the following comment is in ruby.spec:

    %changelog
    * Tue Jun 24 2008 Akira TAGOH <tagoh@redhat.com> - 1.8.6.230-1
    - New upstream release.
    - Security fixes. (#452295)
    - CVE-2008-1891: WEBrick CGI source disclosure.
    - CVE-2008-2662: Integer overflow in rb_str_buf_append().
    - CVE-2008-2663: Integer overflow in rb_ary_store().
    - CVE-2008-2664: Unsafe use of alloca in rb_str_format().
    - CVE-2008-2725: Integer overflow in rb_ary_splice().
    - CVE-2008-2726: Integer overflow in rb_ary_splice().
    - ruby-1.8.6.111-CVE-2007-5162.patch: removed.
    - Build ruby-mode package for all archtectures.

    You can also read http://svn.ruby-lang.org/repos/ruby/tags/v1_8_6_230/ChangeLog - search for "CVE" and "overflow".
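The changelog above names integer overflows in array functions such as rb_ary_store(). As an added illustration (not Ruby's code and not from this thread), here is a constructed C model of that bug class: the naive size computation that wraps, beside an index store that range-checks the index before any arithmetic can overflow. The toy_ary type, NIL and the status codes are assumptions of the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
/* Constructed model of an index-store on a growable array, illustrating the
 * bug class of CVE-2008-2663 (integer overflow in rb_ary_store). Not Ruby's
 * code; NIL stands in for Ruby's nil. */
#define NIL (-1L)
enum { STORE_OK = 0, STORE_INDEX_ERR = 1, STORE_OVERFLOW = 2 };
typedef struct { long *ptr; long len; long capa; } toy_ary;

/* The unsafe pattern: size the allocation from idx + 1 without a range check.
 * Unsigned arithmetic here so the wrap is well defined: for idx = LONG_MAX the
 * request wraps to 0 bytes, while the store would still write at ptr[idx]. */
static size_t naive_need_bytes(long idx) { return ((unsigned long)idx + 1UL) * sizeof(long); }

/* Hardened store with Ruby's semantics: a negative index counts from the end
 * (below -len is an error); a large positive index grows the array with nil. */
static int toy_ary_store(toy_ary *a, long idx, long val)
{
    if (idx < 0 && (idx += a->len) < 0) return STORE_INDEX_ERR;
    /* Range-check idx BEFORE idx + 1 or the byte count is computed. */
    const long max_elems = (long)(SIZE_MAX / sizeof(long) / 2);
    if (idx >= max_elems) return STORE_OVERFLOW;
    long need = idx + 1;                         /* cannot overflow now */
    if (need > a->capa) {
        long ncapa = a->capa ? a->capa : 16;
        while (ncapa < need) ncapa = (ncapa > max_elems / 2) ? max_elems : ncapa * 2;
        long *p = realloc(a->ptr, (size_t)ncapa * sizeof(long));
        if (!p) return STORE_OVERFLOW;           /* allocator refused the size */
        a->ptr = p; a->capa = ncapa;
    }
    for (long i = a->len; i < idx; i++) a->ptr[i] = NIL;   /* nil-fill the gap */
    a->ptr[idx] = val;
    if (need > a->len) a->len = need;
    return STORE_OK;
}

/* Walks the edge cases; returns 1 when every outcome matches the semantics above. */
static int scenario_ok(void)
{
    toy_ary a = { NULL, 0, 0 };
    int ok = toy_ary_store(&a, 5, 42) == STORE_OK && a.len == 6 && a.ptr[0] == NIL
          && a.ptr[5] == 42 && toy_ary_store(&a, -1, 7) == STORE_OK && a.ptr[5] == 7
          && toy_ary_store(&a, -7, 1) == STORE_INDEX_ERR
          && toy_ary_store(&a, LONG_MAX, 1) == STORE_OVERFLOW && a.len == 6;
    free(a.ptr);
    return ok;
}
```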

  9. Peyton

    "open source language"

    This doesn't have to mean "the language is licensed under an open source license" - he could simply mean a language commonly employed in open-source projects rather than closed source apps.

    @chuBb - too funny =D

  10. Francis Fish

    Re: "Rails remains a bad joke" and "But Java's so fat and .. "

    AC: Have you ever used it? I bet you are a Java programmer.

    Pavel - do you actually have any evidence? There's a lot of security built in, and, if you follow the standard guidelines, you can avoid stuff like SQL and JavaScript injections out of the box, plus Rails 2 has had session management improved to avoid man-in-the-middle attacks.

    What are you talking about? Where is your evidence??

    Or are you just anti because it's suddenly become cool to be anti?

  11. Anonymous Coward

    @ Francis Fish "Have you ever used it?"

    Yes, Frank, I've used Ruby. If I remember right, my last job was CTO at a company whose entire product is built on Rails. So, you lose the bet. You can pay up by giving DHH a handjob for me.

  12. Anonymous Coward

    "Ruby is specified by its implementation"

    nnyeees... We're making it up as we go along?

  13. Anonymous Coward

    Cure worse than the disease?

    Just to make life interesting - the "fixed" 1.8.6p230 introduces bugs which cause Rails 2.0.2 to crash, either with errors like "wrong argument type FalseClass (expected Proc)" or good old-fashioned segfaults.

    http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security-vulnerabilities

  14. Anonymous Coward

    Ruby on Ruby

    You know, if the Ruby interpreter had been re-implemented in Ruby, there wouldn't be a problem...

  15. Anonymous Coward

    @ JonB

    Ruby is "specified by its implementation"?

    Uhh, then why did they fix this bug?
