[Mongrel] Patching Ruby 1.8.6 p11X To Avoid SEGFAULTs

Evan Weaver evan at cloudbur.st
Wed Jun 25 19:50:45 EDT 2008

Awesome! Thanks.


On Wed, Jun 25, 2008 at 10:01 AM, Zed A. Shaw <zedshaw at zedshaw.com> wrote:
> Hey everyone,
> I know some of you have run into the latest security fix causing
> SEGFAULTs in Rails applications.  This is apparently due to changes in
> the class duplication code in Ruby, but I don't have much more
> information.
> I do however have instructions for people who need these security fixes
> now.  The very nice and smart Hongli created a patch for his Ruby2EE
> project that also works for Ruby 1.8.6-p111 or Ruby 1.8.6-p114 with
> some modification.
> Here's how you can use it to patch p114.  Grab the Ruby 1.8.6 p114
> source, untar it, then cd into the source directory.  You have to be in
> the source directory when you start this process.  Not above it, not
> below it, right in it.  I show you this command as the first thing.
> ---------
> $ cd ruby-1.8.6-p114
> $ wget http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt
> ...
> 2008-06-25 12:46:39 (63.1 KB/s) - `r8ee-security-patch-20080623-2.txt'
> saved [11939/11939]
> $ patch -p1 < r8ee-security-patch-20080623-2.txt
> patching file array.c
> patching file bignum.c
> patching file eval.c
> patching file intern.h
> patching file io.c
> patching file lib/webrick/httpservlet/filehandler.rb
> Reversed (or previously applied) patch detected!  Assume -R? [n] n
> Apply anyway? [n] n
> Skipping patch.
> 4 out of 4 hunks ignored -- saving rejects to file
> lib/webrick/httpservlet/filehandler.rb.rej
> patching file sprintf.c
> patching file string.c
> ---------
> Notice how I had to tell it to skip changes to Webrick?  Nobody here
> runs webrick so that's just fine.  After this you can do the
> usual ./configure, make, make install and get your Ruby back.
> The process should be exactly the same, just you won't have to tell it
> to skip the patch to webrick.
> Hongli collected patches from the FreeBSD crew, and then pulled them
> together with a security fix in eval.c he was given.  You can read the
> thread here:
> http://www.ruby-forum.com/topic/157034
> The md5sum that I have for this patchfile is:
> 74405e3f4a0c1e0484c303a33c0a6f0d  r8ee-security-patch-20080623-2.txt
> If your md5sum is different then I recommend contacting Hongli for
> help.  Consider giving him money for a short consulting contract since
> he obviously knows his shit.
> Alright, so don't go running out trying this shit without some
> testing.  Not testing is what got everyone in this mess.  All the
> bigger ruby players I know are doing this, and they say it works.
> Hongli is using it and it works for him.  You are not a big ruby player
> or Hongli.  So, test your stuff completely, then roll it out.
> Please report back to me if you have problems with the patch and/or if
> it works great for you so I can help some other folks out.
> Thanks people.  Always looking out for ya.
> --
> A1S9-4A:  R.I.P. 6/21/08
> Zed A. Shaw
> _______________________________________________
> Mongrel-users mailing list
> Mongrel-users at rubyforge.org
> http://rubyforge.org/mailman/listinfo/mongrel-users

Evan Weaver
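An added example, not code from Zed's post or from Hongli's patch: a POSIX shell script that carries out the procedure quoted above, with two things a practitioner wants that the transcript leaves to the operator. First, it refuses to apply the patch unless the downloaded file's md5sum matches the value Zed published (the download is plain http, so the checksum is the only integrity check there is; note that MD5 is not collision resistant and that the published sum only attests to the file Zed himself downloaded). Second, it applies the patch non-interactively, skipping hunks that are already present (the webrick case in the transcript) instead of prompting, and it dry-runs first so a patch with a genuinely rejected hunk leaves the tree untouched. The URL, file name and md5sum are the ones in the post; the function names (verify_md5, apply_patch, patch_ruby) are illustrative, and the script assumes coreutils md5sum and GNU patch.

```shell
#!/bin/sh
# Added example, not from the post or the Ruby/REE projects. Assumes
# POSIX sh, coreutils md5sum and GNU patch. Only PATCH_URL, PATCH_FILE
# and PATCH_MD5 come from the post; the function names are illustrative.

PATCH_URL="http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt"
PATCH_FILE="r8ee-security-patch-20080623-2.txt"
PATCH_MD5="74405e3f4a0c1e0484c303a33c0a6f0d"

# verify_md5 FILE EXPECTED -> 0 if FILE hashes to EXPECTED, else 1.
# The patch travels over plain http, so this comparison against the
# published sum is the only check that the bytes are the ones Zed had.
verify_md5() {
    _file=$1
    _expected=$2
    [ -f "$_file" ] || return 1
    _actual=$(md5sum "$_file" | cut -d' ' -f1)
    [ "$_actual" = "$_expected" ]
}

# apply_patch PATCHFILE SRCDIR -> 0 applied (or already present),
# 1 if a hunk does not fit, 2 if patch itself fails.
# -N tells patch to skip hunks it detects as already applied (the webrick
# hunks in Zed's transcript) rather than asking "Assume -R?"; stdin is
# /dev/null so no prompt can ever read an answer out of the patch text.
# A dry run goes first. patch exits 1 both for skipped and for rejected
# hunks, so the report is inspected for "FAILED" instead of the exit code.
apply_patch() {
    _patch=$1
    _src=$2
    _abs=$(cd "$(dirname "$_patch")" && pwd)/$(basename "$_patch")
    _rc=0
    _report=$(cd "$_src" && patch -p1 -N --dry-run -i "$_abs" </dev/null 2>&1) || _rc=$?
    [ "$_rc" -lt 2 ] || { printf '%s\n' "$_report" >&2; return 2; }
    if printf '%s\n' "$_report" | grep -q 'FAILED'; then
        printf '%s\n' "$_report" >&2
        return 1
    fi
    _rc=0
    (cd "$_src" && patch -p1 -N -i "$_abs" </dev/null) >/dev/null 2>&1 || _rc=$?
    [ "$_rc" -lt 2 ]
}

# patch_ruby SRCDIR: the post's procedure, run against an unpacked
# ruby-1.8.6-p114 (or p111) tree. It stops short of configure/make/
# make install so the patched tree gets tested before it is installed.
patch_ruby() {
    _src=${1:-.}
    [ -f "$_src/eval.c" ] || { echo "$_src is not a Ruby source tree" >&2; return 1; }
    wget -q -O "$_src/$PATCH_FILE" "$PATCH_URL" || return 1
    if ! verify_md5 "$_src/$PATCH_FILE" "$PATCH_MD5"; then
        echo "md5sum of $PATCH_FILE differs from the published one; not applying" >&2
        return 1
    fi
    apply_patch "$_src/$PATCH_FILE" "$_src" || return 1
    echo "patched $_src; now ./configure && make, and test before make install"
}

# Runs the full procedure only when a source directory is given, e.g.:
#   sh patch-ruby.sh ruby-1.8.6-p114
if [ "$#" -eq 1 ]; then
    patch_ruby "$1"
fi
```

If verify_md5 fails, do what Zed says and ask Hongli rather than applying anyway; a mismatching sum means you do not have the file the rest of the list tested. Running apply_patch a second time on an already patched tree is harmless: the dry run reports every hunk as ignored, nothing is reversed, and the function still returns 0.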
