

Ruby Security Patches Lead to Segfaults - cbryan
http://www.ruby-forum.com/topic/157034#693698

======
throttle
...which further proves my point that Ruby is a bad, bad platform choice for
production applications right now. You just can't have this level of
insecurity, sloppiness, and unresponsiveness among the developers in a
platform you would use for serious applications. Maybe one day Ruby, Rails, et
al. will be ready for prime time, but it's just not now, IMO.

update: by Ruby I mean the standard Matz codebase.

~~~
eggnet
FreeBSD apparently agrees with you. They backported the security fixes
instead of syncing up with the latest version.

<http://www.freshports.org/lang/ruby18/>

Maybe this is a lesson not to blindly use Ruby without going through a trusted
distributor. Not unlike Linux?

~~~
maw
Not just FreeBSD, of course. Backporting patches is standard practice for all
the serious Linux distributors as well.

------
jey
"Ruby Enterprise Edition" has a copy of the relevant patch here:
[http://blog.phusion.nl/assets/r8ee-security-patch-20080623.t...](http://blog.phusion.nl/assets/r8ee-security-patch-20080623.txt)

[from a quick skim of the patch:] The changes to array.c and string.c look
pretty worrying, seems like there are unchecked error conditions that aren't
too hard to exploit, possibly allowing buffer overflows in String.... e.g. any
code where the attacker could specify the right-hand-side argument to the in-
place string concatenation operators (String#concat and String#<<) may be
affected. Most string concatenations probably aren't in-place (using String#+
instead), but there's probably at least a handful of in-place string concats
in popular packages like Rails.

------
ROFISH
The "Ruby Enterprise Edition" team has backported their patches too.

Watch out if you have a non-standard directory though. For some strange reason
--with-prefix= didn't work for me and I had to manually change the prefix in
the configure script.

------
Tichy
Could anybody summarize: is it possible to use Ruby now or not?

~~~
jey
Possible? Sure. Dangerous? Maybe.

