

Multiple Ruby security vulnerabilities - brett
http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security-vulnerabilities

======
comatose_kid
tptacek's blog has some good info on this:

[http://www.matasano.com/log/1070/updates-on-drew-yaos-terrib...](http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/)

------
tptacek
Both String and Array have integer overflows. If an attacker can control the
size of a string or the index to a string or an array, they can control the
address in native memory where Ruby will write data.

The details of these vulnerabilities are _not_ under wraps; they were fixed in
commits labelled with their CVE numbers.

------
dfranke
Here's a fix for etch, since the security team hasn't released an advisory
yet:

<http://dfranke.us/rubyfix.txt>

------
ROFISH
a = Array.new

a[0x7fffffff] = 55

(irb):14: [BUG] Segmentation fault

Presumably this is one of the attack vectors that was fixed.

~~~
gaika
I'm getting a different error with x86_64, but probably not protected against
other bugs:

(irb):3:in `[]=': failed to allocate memory (NoMemoryError)
from (irb):3:in `irb_binding'
from /usr/lib/ruby/1.8/irb/workspace.rb:52:in `irb_binding'
from /usr/lib/ruby/1.8/irb/workspace.rb:52

~~~
tptacek
sizeof(long) is different for you, and fixnum is 63(?) bits. Try
0x7fffffffffffffff.
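
Added example, not part of the thread and not Ruby's source: a simplified C model of the class of integer overflow described above, with sizes held in 32 bits as `long` is on a 32-bit build. The 4-byte slot size, `MAX_SLOTS` and the function names are assumptions made for illustration; it shows the wrapped size calculation next to a bounds-checked one.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not Ruby's code: a growable array whose sizes are
 * 32-bit, as `long` is on a 32-bit build. Each slot is assumed 4 bytes. */
#define SLOT_SIZE 4u
#define MAX_SLOTS (INT32_MAX / SLOT_SIZE)

/* Unchecked: bytes requested to hold index idx, computed in 32-bit
 * arithmetic. (idx + 1) * SLOT_SIZE wraps modulo 2^32 for large idx. */
uint32_t bytes_unchecked(int32_t idx)
{
    uint32_t slots = (uint32_t)idx + 1u;
    return slots * SLOT_SIZE;
}

/* Checked: reject any index whose byte size cannot be represented.
 * Returns 0 and sets *out on success, -1 on rejection. */
int bytes_checked(int32_t idx, uint32_t *out)
{
    if (idx < 0 || (uint32_t)idx >= MAX_SLOTS)
        return -1;
    *out = ((uint32_t)idx + 1u) * SLOT_SIZE;
    return 0;
}

/* A store is in bounds only if the end of slot idx fits in the allocation.
 * The true end offset is computed in 64 bits so it cannot wrap. */
int store_in_bounds(int32_t idx, uint32_t alloc_bytes)
{
    uint64_t end = ((uint64_t)(uint32_t)idx + 1u) * SLOT_SIZE;
    return end <= alloc_bytes;
}

int main(void)
{
    int32_t idx = 0x7fffffff;  /* the index used in the thread */
    uint32_t wrapped = bytes_unchecked(idx), ok = 0;
    printf("unchecked: %u bytes requested, store in bounds: %d\n",
           wrapped, store_in_bounds(idx, wrapped));
    printf("checked: %s\n", bytes_checked(idx, &ok) ? "rejected" : "accepted");
    return 0;
}
```

In this model the unchecked path requests 0 bytes for index 0x7fffffff and 4 bytes for index 0x40000000, so the subsequent store lands far outside the allocation; the checked path rejects both indexes before any allocation happens.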

------
timr
Anyone successfully running the patched version w/o segfaults?

~~~
chaostheory
Looks like this is a common prob... I guess I need to migrate to JRuby sooner
than I thought

