oss-sec mailing list archives
ruby regression (was: Re: [vendor-sec] Ruby memory corruption bugs in array and string handling)
From: Jonathan Smith <smithj () freethemallocs com>
Date: Tue, 24 Jun 2008 10:37:20 -0800
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Since this is public now, I'm CCing oss-security (and trimming the CC list of people known to be on that list). My comments are inline... Drew Yao wrote:
Also in case anyone was wondering about the comments on http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/ the ruby version that was released to fix these introduced a regression. ruby -ve ’str = “A”*(2**16) ; loop{ str << str ; puts str.size }’
The above command does crash for me using ruby 1.8.6p230 on rPath Linux 2 or Foresight Linux 2. However, the test suite ("make test" in the build dir) passes. It was my understanding that the test suite should fail, given my reading of the forum thread linked to by the blog post Drew mentioned above: http://www.ruby-forum.com/topic/157034
causes a crash with 1.8.6p231 and 1.8.7p22.
Where did you get 1.8.6p231? The latest I see is 1.8.6p230, which, according to upstream's advisory [1], fixes the security issues.
That crash is fixed by this patch http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8/string.c?r1=17530&r2=17529&pathrev=17530
Applying that patch, the segfault does go away. I get another (presumably correct) error message: - -e:1:in `<<': string sizes too big (ArgumentError) from -e:1 from -e:1:in `loop' from -e:1
This issue doesn't exist on versions of Ruby before the recent patches, because in the old versions, str_buf_append didn't exist. rb_str_buf_append takes two RString pointers, so if str and str2 are the same, when str->ptr gets realloced, str2->ptr also gets realloced. This also does not affect the patched version if you used the patches I sent originally.
Thanks for the info. [1]: http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/ smithj -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) iEYEAREIAAYFAkhhPt8ACgkQCG91qXPaRelBOQCggJfnupOAUudgwoGeX5LY7Oq4 yFcAn0+DmKwFv258pEXcoGPE1YtYNRyg =72d4 -----END PGP SIGNATURE-----
Current thread:
- ruby regression (was: Re: [vendor-sec] Ruby memory corruption bugs in array and string handling) Jonathan Smith (Jun 24)