New Vulnerabilities Discovered in Ruby (August 2008)

By Peter Cooper

Photo by JL2003 - CC 2.0 Attribution License

In June, a serious security advisory was put out about the official (MRI) Ruby interpreter, covering all versions prior to 1.8.5, 1.8.6 prior to patch 231, 1.8.7 prior to patch 22, and 1.9.0 prior to 1.9.0-2. Now (August 8, 2008) a new set of vulnerabilities has been discovered and announced. They affect all 1.8.5 releases, 1.8.6 patch 285 and prior, 1.8.7 patch 70 and prior, and Ruby 1.9 r18423 and prior. This almost certainly means an upgrade is required for most users, as all but very recent versions are affected.
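To turn the version ranges above into something you can run against an interpreter, here is a small check written for this post (it is an added example, not code from the advisory or from ruby-lang.org). It encodes exactly the affected ranges listed above; the status names (`:affected`, `:fixed`, `:unknown`, `:not_listed`) are my own, and it assumes that `RUBY_PATCHLEVEL` and an integer `RUBY_REVISION` are available on the interpreter being checked, which was true for 2008-era MRI builds.

```ruby
# Added example: classify an MRI build against the August 2008 advisory.
# Affected per the advisory:
#   * every 1.8.5 release
#   * 1.8.6 up to and including patchlevel 285
#   * 1.8.7 up to and including patchlevel 70
#   * 1.9 development builds up to and including Subversion revision r18423
LAST_AFFECTED_PATCHLEVEL = { "1.8.6" => 285, "1.8.7" => 70 }.freeze
LAST_AFFECTED_1_9_REVISION = 18423

# version:    "x.y.z" string, as in RUBY_VERSION
# patchlevel: Integer, as in RUBY_PATCHLEVEL (only used for 1.8.6 / 1.8.7)
# revision:   Integer Subversion revision, as in RUBY_REVISION of 2008-era 1.9 builds
#
# Returns :affected, :fixed, :unknown (advisory line matched but the needed
# patchlevel/revision was not supplied) or :not_listed (version not covered
# by this advisory at all, so no claim is made about it).
def advisory_status(version, patchlevel: nil, revision: nil)
  case version
  when "1.8.5"
    :affected                      # every 1.8.5 release is listed
  when "1.8.6", "1.8.7"
    return :unknown if patchlevel.nil?
    patchlevel <= LAST_AFFECTED_PATCHLEVEL[version] ? :affected : :fixed
  when /\A1\.9\./
    return :unknown if revision.nil?
    revision <= LAST_AFFECTED_1_9_REVISION ? :affected : :fixed
  else
    :not_listed
  end
end

# Classify the interpreter that is running this script. RUBY_PATCHLEVEL did not
# exist on every old build, and RUBY_REVISION is a git hash string on modern
# Ruby, so both are only used when they are present and of the expected type.
def current_interpreter_status
  patchlevel = defined?(RUBY_PATCHLEVEL) && RUBY_PATCHLEVEL.is_a?(Integer) ? RUBY_PATCHLEVEL : nil
  revision   = defined?(RUBY_REVISION)   && RUBY_REVISION.is_a?(Integer)   ? RUBY_REVISION   : nil
  advisory_status(RUBY_VERSION, patchlevel: patchlevel, revision: revision)
end

if __FILE__ == $PROGRAM_NAME
  puts "ruby #{RUBY_VERSION}: #{current_interpreter_status}"
end
```

An `:unknown` result should be treated as "assume affected until you know the patchlevel", and `:not_listed` only means this particular advisory says nothing about that version (the June advisory covered pre-1.8.5 builds separately).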

On the surface, the vulnerabilities discovered this time around aren't quite as serious as those from June. Several safe level vulnerabilities have been found (essentially, there are some clever ways of getting around a few safe level restrictions); WEBrick's default file handler has a bug that makes certain operations take exponential time; resolv.rb is open to the recently popularized DNS spoofing tactics; and dl doesn't check whether the variables used in calling functions are tainted. These issues are all covered on the official Ruby news page about the vulnerabilities, along with advice on how to upgrade.

Upgrading to the latest stable version is always a good idea (assuming you check that your apps will still work; Rails had, and may still have, problems with certain 1.8.6/1.8.7 versions), but if you're sure that you (and your libraries!) aren't using any of the features mentioned above, this set of vulnerabilities presents no reason to panic, unless you're heavily reliant on safe mode or allow tainted variables to reach something as powerful as dl.