Ruby Enterprise Edition 1.8.6-20090610 released: fixes BigDecimal DoS vulnerability

By Hongli Lai June 10th, 2009

A denial of service vulnerability has been found in Ruby. An attacker who can get a large value (such as a number with a huge exponent) passed to BigDecimal can crash the Ruby interpreter, taking the whole application process with it. The following versions of Ruby are affected:

  • Ruby 1.8.6-p368 and all prior versions
  • Ruby 1.8.7-p160 and all prior versions
  • Ruby Enterprise Edition 20090520 and all prior versions

The following code demonstrates the problem:

require 'bigdecimal'
# On an affected interpreter this crashes the process instead of raising:
BigDecimal("9E69999999").to_s("F")
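
The following checker is an added example, not code from this post or from REE itself. It assesses an interpreter in two steps: it compares RUBY_VERSION and RUBY_PATCHLEVEL against the affected ranges listed above, and then it runs the trigger in a child interpreter so that a crash is reported as a result rather than suffered by the caller. The function names, the probe timeout, the classification labels and the use of Process.spawn are assumptions of this example; Process.spawn needs Ruby 1.9 or later, so to test a 1.8.6 installation run the checker under a newer Ruby and pass the path of the 1.8.6 binary as the third argument of probe.

```ruby
require 'bigdecimal'
require 'rbconfig'

# Added example (not part of the original post): assess an interpreter for the
# BigDecimal DoS described above, first by version and then by behaviour.

# Affected MRI releases from the advisory: 1.8.6 up to p368, 1.8.7 up to p160.
LAST_AFFECTED_PATCHLEVEL = { '1.8.6' => 368, '1.8.7' => 160 }

# Version-based assessment. True when version/patchlevel fall inside the
# affected ranges. A backported fix (as in this REE release) does not change
# RUBY_PATCHLEVEL, so a patched build still looks affected here; the
# behavioural probe below is what actually settles it.
def affected_by_version?(version, patchlevel)
  last_affected = LAST_AFFECTED_PATCHLEVEL[version]
  !last_affected.nil? && patchlevel <= last_affected
end

# Path of the interpreter running this script (default target of the probe).
def current_ruby
  File.join(RbConfig::CONFIG['bindir'], RbConfig::CONFIG['ruby_install_name'])
end

# Behavioural probe. Runs +snippet+ in a child interpreter (with bigdecimal
# preloaded) so that a crash cannot take down the caller. Returns :ok when the
# child exits cleanly, :error when it raised (non-zero exit), :crashed when it
# was terminated by a signal such as SIGSEGV, or :timeout when it ran past
# +timeout+ seconds and had to be killed.
def probe(snippet, timeout = 10, ruby = current_ruby)
  pid = Process.spawn(ruby, '-rbigdecimal', '-e', snippet,
                      :out => File::NULL, :err => File::NULL)
  deadline = Time.now + timeout
  loop do
    _, status = Process.waitpid2(pid, Process::WNOHANG)
    if status
      return :crashed if status.signaled?
      return status.exitstatus == 0 ? :ok : :error
    end
    if Time.now >= deadline
      begin
        Process.kill('KILL', pid)
      rescue Errno::ESRCH
        # child exited between the wait and the kill; reap it below
      end
      Process.wait(pid)
      return :timeout
    end
    sleep 0.05
  end
end

# The trigger from the post. On an affected interpreter the child dies with a
# signal; on a fixed one the call returns (possibly after building a very long
# string) or raises.
TRIGGER = 'BigDecimal("9E69999999").to_s("F")'

# Combined assessment of the interpreter at +ruby+ (default: the current one).
def assess(ruby = current_ruby)
  {
    :version_affected => affected_by_version?(RUBY_VERSION, RUBY_PATCHLEVEL),
    :probe            => probe(TRIGGER, 30, ruby)
  }
end

if __FILE__ == $0
  result = assess(ARGV[0] || current_ruby)
  puts "#{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}: version table says " \
       "#{result[:version_affected] ? 'affected' : 'not listed'}, " \
       "probe result #{result[:probe]}"
end
```

Run it as `ruby check_bigdecimal.rb /opt/ruby-enterprise/bin/ruby` (path is an assumption) and act on the probe result rather than on the version table alone: a :crashed result means the target still has the bug regardless of what RUBY_PATCHLEVEL claims, while :ok or :error after the upgrade confirms the backport is in place.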

We are releasing Ruby Enterprise Edition 1.8.6-20090610, which is an emergency release containing a backport of the fix. All users are advised to upgrade. We have tested this release against RubySpec, the Rails 2.3 test suite and the Phusion Passenger test suite, and everything passes.

REE releases are usually hosted on RubyForge, but it’s currently down, so we’re temporarily hosting this release on our own web server. Please note that these links are temporary and will be replaced by RubyForge links once RubyForge is online again. (UPDATE: links point to RubyForge now)

To upgrade from a previous version, simply install into the same prefix that you installed to last time. Please also refer to the documentation for upgrade instructions.

Comments

  1. [...] Rails applications. Here’s the official Ruby announcement. There’s also a patched Ruby Enterprise Edition that fixes [...]

  2. Tom Copeland says:

    Sorry about that, back online now.

  3. Thanks for the swift response.

  4. [...] already aware, a denial of service (DoS) vulnerability in Ruby’s BigDecimal library was uncovered, fixed and reported on June 9, 2009. Patching options [...]

  5. hongli says:

    Michael: REE is based on 1.8.6, so it doesn’t break BigDecimal#to_f.

  6. Michael says:

    Thanks hongli for your quick reply!

    And by the way, as i’m already commenting, thanks for the great work on passenger and ree!

    Cheers,
    Michael.

  7. matte says:

    Is it necessary to reinstall the Apache Passenger module after the upgrade? I’m upgrading from 20090421.

  8. hongli says:

    No. All REE releases so far are binary compatible so you don’t have to reinstall your gems if you are upgrading from an older version of REE.