Backported security patches on Ruby 1.8.6-p114 for debian
August 4 2008 by Maurice Nonnekes

Blog?

Few people know that our recently launched service Zaypay is built on Ruby on Rails. The plan was to start a blog here soon: one about the way we use Rails and the things we ran into that might be of interest to other developers. The recent security problems with Ruby, however, call for this blog to be bootstrapped right away, quick and dirty.

Update: It has been suggested that the patch used in the previous packages wasn’t complete. Because of this, a new set of packages was created with a more comprehensive patch, based on r8ee-security-patch-20080623-2.txt. It is basically the same patch, minus the changes to filehandler.rb, which are already included in the backports version of Ruby 1.8.6p114. Thanks to the folks at Phusion.


The problem

Why the hurry? Recent findings by Drew Yao at Apple indicate security issues in every version of Ruby known at that point in time. The Ruby developers pushed out fixes that also seemed to include other ‘improvements’, which caused a lot of people to get segfaults on Linux (basically everyone not running Ruby 1.8.7 with Rails 2.1) and ‘lockups’ on Mac OS X.


Solution #1

It seemed the only options were to remain vulnerable or to have a broken app. The FreeBSD people had extracted some of the fixes in patch form, and those were used to create the earlier packages on this page, but it turns out that the people from Phusion have created a more comprehensive patch for their “Ruby Enterprise Edition” software. We decided to create our own Ruby packages (for Debian lenny/unstable) from the Ruby 1.8.6p114 source packages from backports plus the above-mentioned patch. The binary Debian packages for Debian/lenny i386:

You can download the packages relevant to you and install them with dpkg -i, like:
        # dpkg -i <package-1.deb> <package-2.deb>
If you run into dependency problems, try specifying all the .deb packages in a single dpkg -i command, so dpkg can resolve the dependencies between them in one go.


Solution #2

If you’re not using Debian/lenny on an i386 platform, or if you’re too paranoid to use our packages, here is a simple set of instructions to build your own Debian packages:

  • Download ruby1.8_1.8.6.114.orig.tar.gz and ruby1.8_1.8.6.114-2~bpo40+1.diff.gz from Backports and the modified-”Ruby Enterprise Edition” patch here.
  • Untar the original source and apply the debian patch and the modified-”Ruby Enterprise Edition” patch:
        # tar xzf ruby1.8_1.8.6.114.orig.tar.gz
        # cd ruby-1.8.6-p114
        # gzip -cd ../ruby1.8_1.8.6.114-2~bpo40+1.diff.gz | patch -p1
        # patch -p1 < ../modified-r8ee-security-patch-20080623-2.txt
  • Make sure you have all the tools available to build this package:
        # apt-get build-dep ruby1.8
        # apt-get install fakeroot
  • Make debian/rules executable and run the Debian package builder:
        # chmod +x debian/rules
        # dpkg-buildpackage -rfakeroot -uc -b
  • Watch it build and create your new packages in the parent directory.
This should work for most Debian users out there.
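The build procedure above as a single script. This is an added example, not a script from the original post or from the Debian or Phusion packaging; it wraps the commands listed in Solution #2. It assumes you have already downloaded the three input files (the backports .orig tarball, the backports Debian diff and the modified REE security patch) and passes their paths on the command line; the helper names (srcdir_from_orig, apply_checked, build_patched_ruby) are ours. The one addition to the post's procedure is a patch --dry-run before each real patch run, so a patch that does not apply cleanly aborts the build instead of leaving a half-patched tree to be packaged.

```shell
#!/bin/sh
# Added example: build patched ruby1.8 Debian packages from the backports
# source and the modified Phusion security patch, following the post's steps.
#
# Usage (as root, because of the two apt-get steps):
#   sh build-ruby186.sh --build ruby1.8_1.8.6.114.orig.tar.gz \
#       ruby1.8_1.8.6.114-2~bpo40+1.diff.gz \
#       modified-r8ee-security-patch-20080623-2.txt
set -eu

# Turn a possibly relative path into an absolute one, so it still resolves
# after we cd into the unpacked source tree.
abspath() {
    case $1 in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "$PWD" "$1" ;;
    esac
}

# Derive the unpacked source directory from the Debian .orig tarball name:
#   ruby1.8_1.8.6.114.orig.tar.gz  ->  ruby-1.8.6-p114
# Debian encodes the upstream patch level (p114) as a fourth version component.
srcdir_from_orig() {
    base=${1##*/}
    base=${base%.orig.tar.gz}      # ruby1.8_1.8.6.114
    ver=${base#*_}                 # 1.8.6.114
    patchlevel=${ver##*.}          # 114
    upstream=${ver%.*}             # 1.8.6
    printf 'ruby-%s-p%s\n' "$upstream" "$patchlevel"
}

# Emit a patch as plain text whether it is gzipped (the backports diff) or not
# (the security patch).
patch_source() {
    case $1 in
        *.gz) gzip -cd "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Apply a -p1 patch to the current directory, but only after a --dry-run has
# shown that every hunk applies. Returns non-zero (and touches nothing) if not.
apply_checked() {
    patchfile=$1
    if patch_source "$patchfile" | patch -p1 --dry-run -s >/dev/null 2>&1; then
        patch_source "$patchfile" | patch -p1 -s
    else
        echo "patch $patchfile does not apply cleanly; aborting" >&2
        return 1
    fi
}

# The post's Solution #2, end to end. apt-get build-dep needs deb-src lines in
# /etc/apt/sources.list; the resulting .deb files land in the parent directory.
build_patched_ruby() {
    orig=$(abspath "$1")
    debdiff=$(abspath "$2")
    secpatch=$(abspath "$3")

    tar xzf "$orig"
    cd "$(srcdir_from_orig "$orig")"
    apply_checked "$debdiff"       # adds the debian/ packaging directory
    apply_checked "$secpatch"      # modified-r8ee-security-patch-20080623-2.txt
    apt-get build-dep -y ruby1.8
    apt-get install -y fakeroot
    chmod +x debian/rules
    dpkg-buildpackage -rfakeroot -uc -b
    ls -1 ../*.deb
}

# Only build when explicitly asked, so the file can also be sourced for its helpers.
if [ "${1:-}" = "--build" ]; then
    shift
    build_patched_ruby "$@"
fi
```

Install the resulting packages with a single dpkg -i listing all of them, as described under Solution #1, so dpkg can resolve the dependencies between them.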


Alternative Resources

Here is a list of websites that are relevant to this topic:

  • There is an ongoing discussion on the Ruby on Rails weblog.
  • Matasano has a couple of simple irb tests to check whether your Ruby is vulnerable.
  • The Ruby Forum also has a relevant discussion.