[Mongrel] Patching Ruby 1.8.6 p11X To Avoid SEGFAULTs
Zed A. Shaw
zedshaw at zedshaw.com
Wed Jun 25 13:01:21 EDT 2008
I know some of you have run into the latest security fix causing
SEGFAULTs in Rails applications. This is apparently due to changes in
the class duplication code in Ruby, but I don't have much more
I do however have instructions for people who need these security fixes
now. The very nice and smart Hongli created a patch for his Ruby2EE
project that also works for Ruby 1.8.6-p111 or Ruby 1.8.6-p114 with
Here's how you can use it to patch p114. Grab the Ruby 1.8.6 p114
source, untar it, then cd into the source directory. You have to be in
the source directory when you start this process. Not above it, not
below it, right in it. I show you this command as the first thing.
$ cd ruby-1.8.6-p114
$ wget http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt
2008-06-25 12:46:39 (63.1 KB/s) - `r8ee-security-patch-20080623-2.txt'
$ patch -p1 < r8ee-security-patch-20080623-2.txt
patching file array.c
patching file bignum.c
patching file eval.c
patching file intern.h
patching file io.c
patching file lib/webrick/httpservlet/filehandler.rb
Reversed (or previously applied) patch detected! Assume -R? [n] n
Apply anyway? [n] n
4 out of 4 hunks ignored -- saving rejects to file lib/webrick/httpservlet/filehandler.rb.rej
patching file sprintf.c
patching file string.c
Notice how I had to tell it to skip changes to Webrick? Nobody here
runs webrick so that's just fine. After this you can do the
usual ./configure, make, make install and get your Ruby back.
The process should be exactly the same, just you won't have to tell it
to skip the patch to webrick.
WHAT'S IN THIS PATCH?
Hongli collected patches from the FreeBSD crew, and then pulled them
together with a security fix in eval.c he was given. You can read the
The md5sum that I have for this patchfile is:
If your md5sum is different then I recommend contacting Hongli for
help. Consider giving him money for a short consulting contract since
he obviously knows his shit.
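As an added example (not from Zed's post or from Hongli's patch), here is a small POSIX shell function that puts the two things above together: it refuses to apply the patch unless the md5sum matches the value you were given, does a dry run first, and passes -N so an already-applied hunk (like the webrick one) is skipped instead of prompting "Assume -R?". The expected md5 is assumed to come from the caller; the post's own hash is not reproduced here, and you still run it from inside the ruby-1.8.6-p114 directory.

```shell
#!/bin/sh
# Added example, not the original post's commands or Hongli's patch.
# Usage (from inside the Ruby source directory):
#   apply_verified_patch r8ee-security-patch-20080623-2.txt <expected-md5>
# Returns 0 if the patch applied, 1 on checksum mismatch, 2 if the dry run
# reported problems (ignored or rejected hunks) and the tree was left alone.
apply_verified_patch() {
    patchfile="$1"
    expected="$2"   # assumption: the md5 you were given for the patch file

    # 1. Checksum gate: never feed an unverified file to patch.
    actual=$(md5sum "$patchfile" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "md5 mismatch for $patchfile: got $actual, expected $expected" >&2
        return 1
    fi

    # 2. Dry run. -N (--forward) skips hunks that look already applied
    #    instead of asking "Assume -R?", so this never blocks on a prompt.
    #    patch still exits non-zero when any hunk is ignored or rejected,
    #    which is what we want: inspect the output and any .rej files
    #    (e.g. the webrick hunks in Zed's run) before touching the tree.
    if ! patch -p1 -N --dry-run < "$patchfile"; then
        echo "dry run did not apply cleanly; source tree not modified" >&2
        return 2
    fi

    # 3. Real apply, silent; exit status is patch's own.
    patch -p1 -N -s < "$patchfile"
}
```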
THE CATCH: NOT TESTED BY ME
Alright, so don't go running out trying this shit without some
testing. Not testing is what got everyone in this mess. All the
bigger ruby players I know are doing this, and they say it works.
Hongli is using it and it works for him. You are not a big ruby player
or Hongli. So, test your stuff completely, then roll it out.
Please report back to me if you have problems with the patch and/or if
it works great for you so I can help some other folks out.
Thanks people. Always looking out for ya.
A1S9-4A: R.I.P. 6/21/08
Zed A. Shaw