June 2008 Ruby Security Advisory: A Summary
The official Ruby blog is reporting "multiple vulnerabilities" in the official Ruby interpreter (MRI). A significant number of versions are affected:
- All versions prior to 1.8.5
- All 1.8.5 versions prior to patch 231
- All 1.8.6 versions prior to patch 230
- All 1.8.7 versions prior to patch 22
- All 1.9.0 versions prior to 1.9.0-2
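To turn that list into something you can run against each of your deployments, here is a small added check (my example, not code from the advisory or the Ruby project). It classifies a release string such as `1.8.6-p230` or `1.9.0-2` against the affected ranges above, and can also report on the interpreter it is run with. The way the `1.9.0-N` release numbers map onto `RUBY_PATCHLEVEL` is an assumption on my part.

```ruby
# Added example (not from the advisory or the Ruby project): classify a Ruby
# release string against the affected ranges in the June 2008 advisory.
# Release strings are assumed to look like "1.8.6-p230", "1.9.0-2" or "1.8.4".

# First fixed patch level for each affected minor release, per the advisory.
# Treating "1.9.0-2" as 1.9.0 at patch/release number 2 is an assumption.
FIXED_PATCHLEVEL = {
  "1.8.5" => 231,
  "1.8.6" => 230,
  "1.8.7" => 22,
  "1.9.0" => 2,
}

# Parse "1.8.6-p230" / "1.9.0-2" / "1.8.4" into [[1, 8, 6], 230];
# the patch level is nil when the string carries none.
def parse_release(str)
  m = str.match(/\A(\d+)\.(\d+)\.(\d+)(?:-p?(\d+))?\z/)
  raise ArgumentError, "unrecognised release string: #{str.inspect}" unless m
  version = m[1..3].map(&:to_i)
  patch   = m[4] ? m[4].to_i : nil
  [version, patch]
end

# Returns :vulnerable, :patched, or :unknown (a release line the advisory
# does not mention, e.g. 1.9.1, which you must assess separately).
def advisory_status(release)
  version, patch = parse_release(release)
  # Everything older than 1.8.5 is affected regardless of patch level.
  return :vulnerable if (version <=> [1, 8, 5]) < 0
  fixed = FIXED_PATCHLEVEL[version.join(".")]
  return :unknown unless fixed
  # No patch level means the unpatched base release of that line.
  (patch || 0) >= fixed ? :patched : :vulnerable
end

# Release string for the interpreter running this script. RUBY_PATCHLEVEL is
# absent on very old interpreters and -1 on development builds.
def running_release
  patch = defined?(RUBY_PATCHLEVEL) ? RUBY_PATCHLEVEL : nil
  patch && patch >= 0 ? "#{RUBY_VERSION}-p#{patch}" : RUBY_VERSION
end

if __FILE__ == $0
  puts "#{running_release}: #{advisory_status(running_release)}"
end
```

Run it with each `ruby` binary on a host (`/usr/bin/ruby`, `/usr/local/bin/ruby`, any per-application install) rather than just once, since the point of the exercise is to find the deployments you had forgotten about; an `:unknown` result means the release is newer than anything the advisory covers and is not a clean bill of health.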
Jeremy Kemper, at the official Rails blog, advised upgrading immediately, but with the warning that Ruby 1.8.7 only works with Rails 2.1 and later. Numerous commenters, however, have noted significant issues with Rails applications once they've upgraded to Ruby 1.8.6p230 and 1.8.5p231. A poster on RubyFlow suggests Ruby 1.8.6-p230 is not compatible with Rails at all, although others have reported success.
What are the problems?
*** **** has put together a pretty detailed look at what the actual defects are (mostly "general buffer overflow defects, signed integer problems, and path traversal problems").
Eric Monti has posted code examples to demonstrate some issues.
Is it urgent?
It appears that while this is a significant security advisory, and you should be paying attention, there's no 0-day urgency on this as Eric Wong highlights. Walk, but don't run, to the exit. Eric Monti, on the other hand, seems to be quite worried by the security vulnerabilities.
If you're only running your own scripts on your own local machine (that is, not a public-facing Web app), you might be better off waiting for your operating system's packaging system to update Ruby for you (whether on Linux or OS X). The security issues were discovered by Drew Yao of Apple, who has suggested an OS X update for this will be going out soon, so it's reasonable to wait for that if you're on OS X.
My personal advice (which is, as noted by Thomas H. Ptacek, "spectacularly bad") is that unless you're already itching to upgrade out of panic, just make sure you're familiar with where all your Ruby deployments are, what versions they're running now, and that you have a good idea of how to upgrade them. Then unless you're confident about upgrading and running tests straight away, I'd wait until a lot more positive noises are coming out of Rails developers upgrading to the latest versions, especially surrounding Ruby 1.8.6p230.
Update: In comments, Thomas H. Ptacek says:
The “walk don’t run” sentiment is dead wrong. You do not need to handle multi-gigabyte strings to trip these vulnerabilities; you just need code that can be coerced into using broken indices. It’s spectacularly bad advice to suggest that people should continue to run code with known memory corruption vulnerabilities.
Quite why anyone would have code that relies on any unchecked / unsanitized data is beyond me, but it's worth keeping in mind if you do. So, panic if you want, but even if you don't, you'll probably still be alive and this news will be forgotten within a week or two.