DoS Vulnerability in Ruby (CVE-2009-1904)

113 views
Skip to first unread message

Michael Koziarski

unread,
Jun 9, 2009, 7:59:56 PM6/9/09
to rubyonrail...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A Denial of Service vulnerability has been found and fixed in ruby. The
vulnerability is due to the BigDecimal method mishandling certain large
input values and can cause the interpreter to crash. This could be used
by an attacker to crash any ruby program which creates BigDecimal
objects based on user input, including almost every Rails application.
This vulnerability has been assigned the CVE name CVE-2009-1904.

For upgrade instructions and information on affected ruby versions
please see the ruby security team's announcement[1].

All users are advised to upgrade their ruby installations immediately to
avoid this problem. In the event that you are unable to upgrade your
ruby installation, or are using an out-of-maintenance ruby version,
there is a workaround available on github[2]. You can either install it
as a gem, or simply copy the file bigdecimal-segfault-fix.rb[3] into
config/initializers of your rails application.

NOTE: this workaround breaks valid formats supported by BigDecimal,
users should not rely on this fix for an extended period of time but
should instead immediately begin planning a migration to a supported
ruby release.

The upcoming Rails 2.3.3 release will include some minor mitigating
changes to reduce some potential attack vectors for this vulnerability.
However these mitigations will not close every potential method of
attack and users should still upgrade their ruby installation as soon as
possible.

Thanks to Jose Fernández for reporting the vulnerability to the rails
security team, and to the ruby security team for confirming the nature
of the bug and handling the release process.

[1]
http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/
[2] http://github.com/NZKoz/bigdecimal-segfault-fix/tree/master
[3] http://xrl.us/bevzxs

- -- Michael Koziarski mic...@koziarski.com
- --
Cheers,

Koz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFKLvd73CszDRD2lfMRAoxJAJ9qTyOT0GqNRAWdAKVoT4qtHVTsZACeOc9U
gOA6rrsveBSdM6B8vksM4FY=
=Qg9R
-----END PGP SIGNATURE-----

Reply all
Reply to author
Forward
0 new messages