BT

DoS Vulnerability in BigDecimal

by Werner Schuster on Jun 10, 2009 |

A Denial of Service (DoS) vulnerability has been found in all versions of Ruby 1.8.x:

Conversion from BigDecimal objects into Float numbers had a problem which enables attackers to effectively cause segmentation faults.

ActiveRecord relies on this method, so most Rails applications are affected by this. Though this is not a Rails-specific issue.


The Riding Rails blog also points out the vulnerability:

The upcoming Rails 2.3.3 release will include some minor mitigating changes to reduce some potential attack vectors for this vulnerability. However these mitigations will not close every potential method of attack and users should still upgrade their ruby installation as soon as possible.

The blog also points to NZKoz' bigdecimal-segfault-fix, a temporary fix for users who can't immediately upgrade their Ruby installation - although upgrading is the only proper solution since this fix can break applications.

All Ruby 1.8.x versions are affected - the first fixed versions of Ruby are Ruby 1.8.6-p369 (1.8.6 FTP Download Link) and Ruby 1.8.7-p173 (1.8.7 FTP Download Link).

JRuby also seems to be affected. Bug JRUBY-3744 tracks the issue and says:

JRuby seems to be affected as well. It doesn't crash, but appears to be stuck in an infinite loop.

The behavior is documented by this sample output.
A quick experiment showed that the solution used in the bigdecimal-segfault-fix works as a temporary fix in JRuby as well, since it just opens up the BigDecimal class and modifies it to throw an exception if too large numbers are used. Instead of keeping the JRuby thread busy, the code fails instantly; obviously this breaks behavior for code that needs numbers bigger than the default used in the fix.

Ruby 1.9.x users are not affected by the issue.

Hello stranger!

You need to Register an InfoQ account or to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Discuss

Educational Content

General Feedback
Bugs
Advertising
Editorial
InfoQ.com and all content copyright © 2006-2013 C4Media Inc. InfoQ.com hosted at Contegix, the best ISP we've ever worked with.
Privacy policy
BT