Ruby BigDecimal denial of service 10 Jun 09
From ruby-lang.org:
A denial of service (DoS) vulnerability was found on the BigDecimal standard library of Ruby. Conversion from BigDecimal objects into Float numbers had a problem which enables attackers to effectively cause segmentation faults.
ActiveRecord relies on this method, so most Rails applications are affected by this. Though this is not a Rails-specific issue.
We’re currently building new Ruby packages for Brightbox customers with the relevant patches to fix this vulnerability. We’ll keep this post updated with the latest news.
UPDATE, 15:46 BST: New Ruby EE packages are now available in our Ruby Enterprise Ubuntu repository. We’re working on updates for the standard Ubuntu version of Ruby.
You can confirm that the update fixes the bug with the following command:
ruby -e 'require "bigdecimal";BigDecimal("E99999999").to_s("F");puts "OK"'
If your version of Ruby is vulnerable, you’ll get a “Segmentation fault” error message, otherwise it prints “OK”.
UPDATE: Official Ubuntu packages to fix this vulnerability are now available. The Hardy package is libruby1.8 version 1.8.6.111-2ubuntu1.3 and the Dapper package is libruby1.8 version 1.8.4-1ubuntu1.7. The packages will be available for install after a normal apt-get update.
1 year ago Sam Stokes said:
Hi John, thanks for the timely update. Will you also be building new Ruby EE packages with the fix?
1 year ago John Leach said:
Hi Sam, yes, I realise that wasn’t clear. We’ll have updated Ruby EE packages too.