[Mongrel] Patching Ruby 1.8.6 p11X To Avoid SEGFAULTs

Luis Lavena luislavena at gmail.com
Wed Jun 25 20:02:30 EDT 2008

On Wed, Jun 25, 2008 at 7:01 PM, Zed A. Shaw <zedshaw at zedshaw.com> wrote:
> Hey everyone,
> I know some of you have ran into the latest security fix causing
> SEGFAULTs in Rails applications.  This is apparently due to changes in
> the class duplication code in Ruby, but I don't have much more
> information.
> I do however have instructions for people who need these security fixes
> now.  The very nice and smart Hongli created a patch for his Ruby2EE
> project that also works for Ruby 1.8.6-p111 or Ruby 1.8.6-p114 with
> some modification.
> Here's how you can use it to patch p114.  Grab the Ruby 1.8.6 p114
> source, untar it, then cd into the source directory.  You have to be in
> the source directory when you start this process.  Not above it, not
> below it, right in it.  I show you this command as the first thing.
> ---------
> $ cd ruby-1.8.6-p114
> $ wget http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt
> ...
> 2008-06-25 12:46:39 (63.1 KB/s) - `r8ee-security-patch-20080623-2.txt'
> saved [11939/11939]
> $ patch -p1 < r8ee-security-patch-20080623-2.txt
> patching file array.c
> patching file bignum.c
> patching file eval.c
> patching file intern.h
> patching file io.c
> patching file lib/webrick/httpservlet/filehandler.rb
> Reversed (or previously applied) patch detected!  Assume -R? [n] n
> Apply anyway? [n] n
> Skipping patch.
> 4 out of 4 hunks ignored -- saving rejects to file
> lib/webrick/httpservlet/filehandler.rb.rej patching file sprintf.c
> patching file string.c
> ---------
> Notice how I had to tell it to skip changes to Webrick?  Nobody here
> runs webrick so that's just fine.  After this you can do the
> usual ./configure, make, make install and get your Ruby back.
> The process should be exactly the same, just you won't have to tell it
> skip the patch to webrick.
> Hongli collected patches from the FreeBSD crew, and then pulled them
> together with a security fix in eval.c he was given.  You can read the
> thread here:
> http://www.ruby-forum.com/topic/157034
> The md5sum that I have for this patchfile is:
> 74405e3f4a0c1e0484c303a33c0a6f0d  r8ee-security-patch-20080623-2.txt
> If your md5sum is different then I recommend contacting Hongli for
> help.  Consider giving him money for a short consulting contract since
> he obviously knows his shit.
> Alright, so don't go running out trying this shit without some
> testing.  Not testing is what got everyone in this mess.  All the
> bigger ruby players I know are doing this, and they say it works.
> Hongli is using it and it works for him.  You are not a big ruby player
> or Hongli.  So, test your stuff completely, then roll it out.
> Please report back to me if you have problems with the patch and/or if
> it works great for you so I can help some other folks out.
> Thanks people.  Always looking out for ya.

Thanks Zed, we are merging those with our own patches for Ruby
One-Click Installer (MinGW version).

Right now:
1564 tests, 14742 assertions, 6 failures, 50 errors

I need to take a look at the tests patches too, since before I got
only 3 failures :-D

Luis Lavena
Human beings, who are almost unique in having the ability to learn from
the experience of others, are also remarkable for their apparent
disinclination to do so.
Douglas Adams

More information about the Mongrel-users mailing list