[Mongrel] Patching Ruby 1.8.6 p11X To Avoid SEGFAULTs
evan at cloudbur.st
Wed Jun 25 19:50:45 EDT 2008
On Wed, Jun 25, 2008 at 10:01 AM, Zed A. Shaw <zedshaw at zedshaw.com> wrote:
> Hey everyone,
> I know some of you have run into the latest security fix causing
> SEGFAULTs in Rails applications. This is apparently due to changes in
> the class duplication code in Ruby, but I don't have much more
> I do however have instructions for people who need these security fixes
> now. The very nice and smart Hongli created a patch for his Ruby2EE
> project that also works for Ruby 1.8.6-p111 or Ruby 1.8.6-p114 with
> some modification.
> PATCHING P114
> Here's how you can use it to patch p114. Grab the Ruby 1.8.6 p114
> source, untar it, then cd into the source directory. You have to be in
> the source directory when you start this process. Not above it, not
> below it, right in it. I show you this command as the first thing.
> $ cd ruby-1.8.6-p114
> $ wget http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt
> 2008-06-25 12:46:39 (63.1 KB/s) - `r8ee-security-patch-20080623-2.txt'
> saved [11939/11939]
> $ patch -p1 < r8ee-security-patch-20080623-2.txt
> patching file array.c
> patching file bignum.c
> patching file eval.c
> patching file intern.h
> patching file io.c
> patching file lib/webrick/httpservlet/filehandler.rb
> Reversed (or previously applied) patch detected! Assume -R? [n] n
> Apply anyway? [n] n
> Skipping patch.
> 4 out of 4 hunks ignored -- saving rejects to file
> lib/webrick/httpservlet/filehandler.rb.rej patching file sprintf.c
> patching file string.c
> Notice how I had to tell it to skip changes to Webrick? Nobody here
> runs webrick so that's just fine. After this you can do the
> usual ./configure, make, make install and get your Ruby back.
> PATCHING P111
> The process should be exactly the same, just you won't have to tell it
> to skip the patch to webrick.
> WHAT'S IN THIS PATCH?
> Hongli collected patches from the FreeBSD crew, and then pulled them
> together with a security fix in eval.c he was given. You can read the
> thread here:
> The md5sum that I have for this patchfile is:
> 74405e3f4a0c1e0484c303a33c0a6f0d r8ee-security-patch-20080623-2.txt
> If your md5sum is different then I recommend contacting Hongli for
> help. Consider giving him money for a short consulting contract since
> he obviously knows his shit.
> THE CATCH: NOT TESTED BY ME
> Alright, so don't go running out trying this shit without some
> testing. Not testing is what got everyone in this mess. All the
> bigger ruby players I know are doing this, and they say it works.
> Hongli is using it and it works for him. You are not a big ruby player
> or Hongli. So, test your stuff completely, then roll it out.
> Please report back to me if you have problems with the patch and/or if
> it works great for you so I can help some other folks out.
> Thanks people. Always looking out for ya.
> A1S9-4A: R.I.P. 6/21/08
> Zed A. Shaw
> Mongrel-users mailing list
> Mongrel-users at rubyforge.org
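As an added example (not from Zed's mail or from Hongli's patch), a small Ruby script that automates the two checks the mail asks for: verifying the downloaded patch file's md5sum against the published value before handing it to patch(1), and parsing patch's output so a file whose hunks were rejected, like the Webrick one above, is reported instead of buried in the scroll-back. The sample log is the transcript quoted above; the checksum constant is the one Zed posted.

```ruby
require 'digest'
require 'tempfile'

# md5sum Zed published for r8ee-security-patch-20080623-2.txt
EXPECTED_PATCH_MD5 = '74405e3f4a0c1e0484c303a33c0a6f0d'

# Compare the MD5 of a downloaded patch file against the published value.
# Returns true on a match; on a mismatch the file should not be applied.
def patch_checksum_ok?(path, expected = EXPECTED_PATCH_MD5)
  Digest::MD5.file(path).hexdigest == expected.downcase
end

# Parse patch(1) output. Returns the files patched cleanly and, for files
# with rejected hunks, the "N out of M" counts. Matches "patching file"
# anywhere on a line because a wrapped "saving rejects to file" line can
# push the next "patching file" onto the same line, as in the transcript.
def parse_patch_log(log)
  report = { patched: [], rejected: {} }
  current = nil
  log.each_line do |line|
    if line =~ /patching file (\S+)/
      current = Regexp.last_match(1)
      report[:patched] << current
    elsif current && line =~ /(\d+) out of (\d+) hunks? (?:ignored|FAILED)/
      report[:rejected][current] = [Regexp.last_match(1).to_i, Regexp.last_match(2).to_i]
    end
  end
  report[:patched] -= report[:rejected].keys
  report
end

# Constructed sample: the patch(1) session quoted in the mail.
SAMPLE_LOG = <<~LOG
  patching file array.c
  patching file bignum.c
  patching file eval.c
  patching file intern.h
  patching file io.c
  patching file lib/webrick/httpservlet/filehandler.rb
  Reversed (or previously applied) patch detected!  Assume -R? [n] n
  Apply anyway? [n] n
  Skipping patch.
  4 out of 4 hunks ignored -- saving rejects to file
  lib/webrick/httpservlet/filehandler.rb.rej patching file sprintf.c
  patching file string.c
LOG

if $PROGRAM_NAME == __FILE__
  r = parse_patch_log(SAMPLE_LOG)
  puts "patched cleanly: #{r[:patched].join(', ')}"
  r[:rejected].each { |f, (n, m)| puts "REJECTED #{f}: #{n}/#{m} hunks, see #{f}.rej" }
end
```

Run `patch -p1 < file | tee patch.log` and feed `patch.log` to `parse_patch_log` to get the same report for a real session; a checksum mismatch should stop the process before `patch` runs.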