InfoQ

News

Security Vulnerabilities in Safe Level, WEBrick, Dl, DNS lookup

Posted by Werner Schuster on Aug 10, 2008

Community
Ruby
Topics
Runtimes ,
Security ,
Ruby on Rails
Tags
Ruby on Rails ,
Vulnerabilities ,
Rails
A list of new security vulnerabilities in Ruby libraries and systems is available.

One issue is a problem with the safe levels. By setting a safe level, it's possible disallow certain operations and define what data is defined as tainted. Tainted data in Ruby must be explicitly untainted before use. The discovered vulnerabilities are:
  • untrace_var is permitted at safe level 4
  • $PROGRAM_NAME may be modified at safe level 4
  • Insecure methods may be called at safe level 1-3
  • Syslog operations are permitted at safe level 4
See the list of vulnerabilities for code samples. A related issue in dl is related to tainted data. The dl library allows to load dynamic libraries and invoke their functions. The dl library doesn't check the taintedness of arguments passed to the calls, which could be used in exploits.

Another vulnerability discovered is in WEBrick, which is susceptible to Denial of Service (DoS) attacks. The problem was caused by the code responsible for splitting HTTP headers - for certain data the regex engine would fail to terminate.

The recently discovered DNS security problem also affected Ruby and was solved by randomizing DNS transaction IDs and source ports.

The solution to these issues is an upgrade to 1.8.6-p286, or 1.8.7-p71 for 1.8.x. For users of Ruby 1.9.x, apparently the currently advised solution is to get the current version in the SVN repository - all revisions after r18423 should be safe.

Finally, a word of caution: the recently discovered problems in the Ruby interpreter were resolved - but the first versions that contained the fixes caused compatibility problems. It pays to properly testdrive the upgrades before putting them into production.

Upgrading to 1.8.7 is also a solution that might cause problems. Using Rails 2.0 with Ruby 1.8.7 can cause problems due to a method ActiveSupport added to String. Ruby 1.8.7 added this method to String by default - yet with slightly different semantics (see InfoQ's article on Ruby's Open Classes for other similar issues). Rails 2.1 works with Ruby 1.8.7.

RelatedVendorContent

Unix, Linux Uptime & Reliability Increase While Patch Management Woes Plague Windows (Yankee Group)

Architectures Behind Facebook, Skype, Sky.com, Bwin, League of Legends @ QConLondon

Technical Debt and Design Death

Agile Transformation Strategy

The 5 Mandates of Software Development Teams - Presto Manifesto

No comments

Watch Thread Reply

Educational Content

Brian Marick on 4 Challenges and 5 Guiding Values of Agile Software Development

Brian Marick takes us through a quick tour of the most important values and challenges to adopting Agile successfully (they aren't the typical challenges and values we hear in the community).

  •  Feb 09, 2010,
  •  

Are You a Software Architect?

The line between development and architecture is tricky. Does it exist at all? Is an ivory tower actually needed? There's a balance in the middle, but how do you move from developer to architect?

Agile – A Way of Life and Pragmatic Use of Authority

The word 'authority' sometimes produces an allergic response in hard-line agilists. Freedom and authority – both are bad if misused and both are good if used in right spirit for a noble cause.

Getting Started with Grails, Second Edition

"Getting Started with Grails" brings you up to speed on this modern web framework. Companies as varied as LinkedIn, Wired, and Taco Bell are all using Grails. Are you ready to get started as well?

  •  Feb 06, 2010,

Using ITIL V3 as a Foundation for SOA Governance

Those familiar with only ITIL V2 often scoff at the thought that ITIL could serve as a governance framework for SOA. With ITIL V3, the focus of the framework shifted towards service-orientation.

  •  Feb 05, 2010,
  •  

Adrian Colyer on AspectJ, tc Server and dm Server

SpringSource CTO Adrian Colyer discusses AspectJ, SpringSource's dm Server and tc Server products, OSGi and Scrum.

Adam Wiggins on Heroku

Heroku's Adam Wiggins talks about Rails, Background Jobs, Add-Ons, Ruby, and how Heroku manages to work around Ruby's inefficiencies using Erlang and other languages.

  •  Feb 04, 2010,
  •  

SOA as an Architectural Pattern: Best Practices in Software Architecture

For Grady Booch the foundation of a good architecture is patterns, SOA being just one of many patterns. In this Second Life presentation, Booch attempts to bring more clarity on what architecture is.

  •  Feb 04, 2010,
  •