InfoQ

Security Vulnerabilities in Safe Level, WEBrick, Dl, DNS lookup

Posted by Werner Schuster on Aug 10, 2008

A list of new security vulnerabilities in Ruby libraries and systems is available.

One issue is a problem with the safe levels. By setting a safe level, it's possible to disallow certain operations and to define which data is treated as tainted. Tainted data in Ruby must be explicitly untainted before use. The discovered vulnerabilities are:
  • untrace_var is permitted at safe level 4
  • $PROGRAM_NAME may be modified at safe level 4
  • Insecure methods may be called at safe level 1-3
  • Syslog operations are permitted at safe level 4
See the list of vulnerabilities for code samples. A related issue in dl also concerns tainted data. The dl library allows loading dynamic libraries and invoking their functions. It doesn't check the taintedness of arguments passed to those calls, which could be used in exploits.

Another vulnerability was discovered in WEBrick, which is susceptible to Denial of Service (DoS) attacks. The problem was in the code responsible for splitting HTTP headers: for certain input the regex engine would fail to terminate.

The recently discovered DNS security problem also affected Ruby and was solved by randomizing DNS transaction IDs and source ports.
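As an added illustration (not the code of Ruby's resolver, and with the hostname and helper names chosen for the example), here is a minimal sketch of what that fix relies on: a query whose transaction ID comes from a CSPRNG, a source port drawn from the ephemeral range, and the checks a resolver applies before accepting a reply.

```ruby
require 'securerandom'

# Encode a hostname as DNS labels: each label prefixed by its length,
# followed by a zero-byte terminator.
def encode_name(name)
  name.split('.').map { |label| [label.bytesize, label].pack('Ca*') }.join + "\x00".b
end

# Build an A query for +name+. The transaction ID is drawn from a CSPRNG
# rather than a counter, which is the change described above.
# Returns [txid, packet].
def build_query(name, txid: SecureRandom.random_number(0x10000))
  header   = [txid, 0x0100, 1, 0, 0, 0].pack('n6')  # RD=1, QDCOUNT=1
  question = encode_name(name) + [1, 1].pack('n2')   # QTYPE=A, QCLASS=IN
  [txid, (header + question).b]
end

# UDP source port drawn from the ephemeral range, so a forged reply has to
# match both the 16-bit ID and the port rather than the ID alone.
def random_source_port(range = 1024..65535)
  range.min + SecureRandom.random_number(range.size)
end

# Checks a resolver should make before trusting a reply to +query+:
# the ID matches, the QR bit is set, and the question section is echoed
# unchanged. A reply failing any of these is discarded.
def response_matches?(query, txid, response)
  return false if response.bytesize < 12
  rid, flags = response.unpack('n2')
  return false unless rid == txid
  return false if (flags & 0x8000).zero?           # QR=0: not a response
  qlen = query.bytesize - 12
  response.b[12, qlen] == query.b[12, qlen]        # same question section
end
```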

The solution to these issues is an upgrade to 1.8.6-p286, or 1.8.7-p71 for 1.8.x. For users of Ruby 1.9.x, apparently the currently advised solution is to get the current version in the SVN repository - all revisions after r18423 should be safe.

Finally, a word of caution: the recently discovered problems in the Ruby interpreter were resolved, but the first versions that contained the fixes caused compatibility problems. It pays to properly test-drive the upgrades before putting them into production.

Upgrading to 1.8.7 is also a solution that might cause problems. Using Rails 2.0 with Ruby 1.8.7 can cause problems due to a method that ActiveSupport added to String: Ruby 1.8.7 added the same method to String by default, yet with slightly different semantics (see InfoQ's article on Ruby's Open Classes for other similar issues). Rails 2.1 works with Ruby 1.8.7.
