[Mongrel] Patching Ruby 1.8.6 p11X To Avoid SEGFAULTs

Zed A. Shaw zedshaw at zedshaw.com
Wed Jun 25 13:01:21 EDT 2008


Hey everyone,

I know some of you have ran into the latest security fix causing
SEGFAULTs in Rails applications.  This is apparently due to changes in
the class duplication code in Ruby, but I don't have much more
information.

I do however have instructions for people who need these security fixes
now.  The very nice and smart Hongli created a patch for his Ruby2EE
project that also works for Ruby 1.8.6-p111 or Ruby 1.8.6-p114 with
some modification.

PATCHING P114

Here's how you can use it to patch p114.  Grab the Ruby 1.8.6 p114
source, untar it, then cd into the source directory.  You have to be in
the source directory when you start this process.  Not above it, not
below it, right in it.  I show you this command as the first thing.

---------
$ cd ruby-1.8.6-p114
$ wget http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt
...
2008-06-25 12:46:39 (63.1 KB/s) - `r8ee-security-patch-20080623-2.txt'
saved [11939/11939]
 
$ patch -p1 < r8ee-security-patch-20080623-2.txt 
patching file array.c
patching file bignum.c
patching file eval.c
patching file intern.h
patching file io.c
patching file lib/webrick/httpservlet/filehandler.rb
Reversed (or previously applied) patch detected!  Assume -R? [n] n
Apply anyway? [n] n
Skipping patch.
4 out of 4 hunks ignored -- saving rejects to file
lib/webrick/httpservlet/filehandler.rb.rej patching file sprintf.c
patching file string.c
---------

Notice how I had to tell it to skip changes to Webrick?  Nobody here
runs webrick so that's just fine.  After this you can do the
usual ./configure, make, make install and get your Ruby back.

PATCHING P111

The process should be exactly the same, just you won't have to tell it
skip the patch to webrick.

WHAT's IN THIS PATCH?

Hongli collected patches from the FreeBSD crew, and then pulled them
together with a security fix in eval.c he was given.  You can read the
thread here:

http://www.ruby-forum.com/topic/157034

The md5sum that I have for this patchfile is:

74405e3f4a0c1e0484c303a33c0a6f0d  r8ee-security-patch-20080623-2.txt

If your md5sum is different then I recommend contacting Hongli for
help.  Consider giving him money for a short consulting contract since
he obviously knows his shit.

THE CATCH: NOT TESTED BY ME

Alright, so don't go running out trying this shit without some
testing.  Not testing is what got everyone in this mess.  All the
bigger ruby players I know are doing this, and they say it works.
Hongli is using it and it works for him.  You are not a big ruby player
or Hongli.  So, test your stuff completely, then roll it out.

Please report back to me if you have problems with the patch and/or if
it works great for you so I can help some other folks out.

Thanks people.  Always looking out for ya.

-- 
A1S9-4A:  R.I.P. 6/21/08
Zed A. Shaw


More information about the Mongrel-users mailing list