A Denial of Service vulnerability has been found and fixed in ruby. The
vulnerability is due to the BigDecimal method mishandling certain large
input values and can cause the interpreter to crash. This could be used
by an attacker to crash any ruby program which creates BigDecimal
objects based on user input, including almost every Rails application.
This vulnerability has been assigned the CVE name CVE-2009-1904.
For upgrade instructions and information on affected ruby versions
please see the ruby security team's announcement.
All users are advised to upgrade their ruby installations immediately to
avoid this problem. In the event that you are unable to upgrade your
ruby installation, or are using an out-of-maintenance ruby version,
there is a workaround available on github. You can either install it
as a gem, or simply copy the file bigdecimal-segfault-fix.rb into
config/initializers of your rails application.
NOTE: this workaround breaks valid formats supported by BigDecimal,
users should not rely on this fix for an extended period of time but
should instead immediately begin planning a migration to a supported
The upcoming Rails 2.3.3 release will include some minor mitigating
changes to reduce some potential attack vectors for this vulnerability.
However these mitigations will not close every potential method of
attack and users should still upgrade their ruby installation as soon as
Thanks to Jose Fernández for reporting the vulnerability to the rails
security team, and to the ruby security team for confirming the nature
of the bug and handling the release process.
- -- Michael Koziarski mic...@koziarski.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----