

Zed Shaw rant on Ruby Vulnerabilities - kevTheDev
http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html

======
tptacek
So, I read this, and I think, "it is surprising that Zed Shaw doesn't know
what a buffer overflow is". For instance, his "extensions" "overflow" is a
case where 2-3 character strings are "overflowing" a MAXPATHLEN buffer.

Favorite quote: "Seems like there’s some changes here to determine correct
stack direction on the native CPU. Why, that could be a stack smash exploit in
the making!" You go, Zed.

Two tips:

1. It's Ruby. Go write the exploit. If you think it's the patch to bignum
(where the offset you're looking at only controls a load, not a store), write
the testcase and prove it.

2. Read the code, not the diffs.

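The load-versus-store distinction tptacek draws above is the crux of his exploitability argument, so here is an added illustration of it in C. This is not code from the article, from the Ruby patches, or from any commenter; the struct layout, the `CANARY` value and the function names are hypothetical, and the table is followed by a value that merely stands in for whatever sits next to it in memory (a saved return address, say).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout for the demo: a small table followed by a value
 * standing in for adjacent memory an attacker would like to control. */
#define TABLE_LEN 4
#define CANARY 0x4141414141414141ULL

struct frame {
    uint64_t table[TABLE_LEN];
    uint64_t saved;   /* stands in for a saved return address or similar */
};

/* Attacker-controlled index used only for a LOAD, with no bounds check.
 * Access goes through the raw bytes of the struct so that the demo stays
 * inside the object (defined behaviour) while still reading past the table. */
static uint64_t unchecked_load(const struct frame *f, size_t idx)
{
    uint64_t v;
    const unsigned char *raw = (const unsigned char *)f;
    memcpy(&v, raw + idx * sizeof(uint64_t), sizeof v);
    return v;
}

/* The same index used for a STORE: this is the variant that corrupts state. */
static void unchecked_store(struct frame *f, size_t idx, uint64_t val)
{
    unsigned char *raw = (unsigned char *)f;
    memcpy(raw + idx * sizeof(uint64_t), &val, sizeof val);
}

/* The fix pattern: validate the index before it is used, for loads and
 * stores alike.  Negative and oversized values are both refused.
 * Returns 0 on success, -1 when the index is out of range. */
static int checked_load(const struct frame *f, long idx, uint64_t *out)
{
    if (idx < 0 || (size_t)idx >= TABLE_LEN)
        return -1;
    *out = f->table[idx];
    return 0;
}

static int checked_store(struct frame *f, long idx, uint64_t val)
{
    if (idx < 0 || (size_t)idx >= TABLE_LEN)
        return -1;
    f->table[idx] = val;
    return 0;
}

static void init_frame(struct frame *f)
{
    for (size_t i = 0; i < TABLE_LEN; i++)
        f->table[i] = i;
    f->saved = CANARY;
}

/* Out-of-range load: the adjacent value leaks, but nothing is modified.
 * That is an information disclosure or a crash, not a stack smash. */
int demo_load_leaks_but_does_not_corrupt(void)
{
    struct frame f;
    init_frame(&f);
    uint64_t leaked = unchecked_load(&f, TABLE_LEN);   /* one past the table */
    return leaked == CANARY && f.saved == CANARY;
}

/* Out-of-range store with the same index: the adjacent value is overwritten. */
int demo_store_corrupts(void)
{
    struct frame f;
    init_frame(&f);
    unchecked_store(&f, TABLE_LEN, 0x4242424242424242ULL);
    return f.saved != CANARY;
}

/* With the check in place, both the load and the store are refused. */
int demo_checks_reject(void)
{
    struct frame f;
    uint64_t v;
    init_frame(&f);
    return checked_load(&f, TABLE_LEN, &v) == -1
        && checked_load(&f, -1, &v) == -1
        && checked_store(&f, TABLE_LEN, 0) == -1
        && f.saved == CANARY;
}
```

The three `demo_*` functions return 1 when the behaviour described in their comments holds. Reading the diff of a bounds check tells you only that an index was unchecked; whether that index fed a load or a store (and so whether the bug is a leak or a write primitive) is something you find out by reading the surrounding code, which is tptacek's second tip.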
~~~
jrockway
_1. It's Ruby. Go write the exploit. If you think it's the patch to bignum
(where the offset you're looking at only controls a load, not a store), write
the testcase and prove it._

Why should he? He doesn't care, he doesn't use Ruby anymore. You can rest
assured that someone else has already written the exploit, but is keeping it
to himself. So you can either fix the bug, or hope that the person with the
exploit doesn't use it on you.

Also, you should write correct code regardless of whether or not you think
it's exploitable. Right!?

~~~
tptacek
My point was that Zed doesn't seem to know what he's talking about. I'm not
sure you just said anything at all.

~~~
jrockway
It's true. He doesn't claim to know anything about the code. He is just trying
to expose the "secret fixes". His thesis (for all of his blog posts) is that
the Ruby community sucks. He did all this digging in the name of "proving"
that, not to help make Ruby better, nor to prove that he knows anything about
security.

Read the last line -- "I guess we’ll find out after the Ruby guys passively
aggressively kill me for looking at their open source and …. telling people
things."

------
ljlolel
For those who don't know, Zed Shaw is famous for 1. creating Mongrel, among
other things (he's a good programmer), and 2. his rant against some Rails
leaders: <http://www.zedshaw.com/rants/rails_is_a_ghetto.html>.

His rants are hilariously inflammatory (although this one about the
vulnerabilities isn't particularly fiery).

It should be noted, however, that he's not crazy. I hear he's actually a
pretty nice guy in person.

""" If you haven't noticed, I'm funny and enjoy having fun. Enjoy my site,
tell me if you use my projects. Don't take it too seriously though, it's all
an act. """ - <http://www.zedshaw.com/index.html>

------
demallien
It's Zed Shaw, so who cares?

I mean, honestly, the writing is so bad that I can't even grasp what he is
getting so excited about. Is it because someone just introduced a bunch of
vulnerabilities into the MRI? Is it because someone just fixed a bunch of
potential security flaws? That's what it looks like in the code, but then I
don't get it, what's so bad about fixing bugs??? I think he's trying to say
that there is some secret juju going on, where special people get to find this
stuff out before others, but Zed never actually gets around to explaining why
he feels that this is the case - it is, after all, open source, and everyone
has access to it.

Or maybe his issue is that there was a delay of a couple of days between the
patches going live and the actual announcement. Oh noes! It's the end of the
world! Quick, sue somebody!

Anyway, I've wasted too much time on this post as it is. Zed Shaw may actually
be a brilliant programmer, but considering his complete inability to be more
coherent than a Markov chain generator, I'll never know it.

------
dfranke
I already posted this in the thread for the first article about this, but
since it was already off the front page: none of the Linux distributions have
released fixes for this yet, so I rolled my own for etch.
<http://dfranke.us/rubyfix.txt>

