BT

Your opinion matters! Please fill in the InfoQ Survey!

DoS Vulnerability in BigDecimal

| by Werner Schuster Follow 4 Followers on Jun 10, 2009. Estimated reading time: 1 minute |

A note to our readers: As per your request we have developed a set of features that allow you to reduce the noise, while not losing sight of anything that is important. Get email and web notifications by choosing the topics you are interested in.

A Denial of Service (DoS) vulnerability has been found in all versions of Ruby 1.8.x:

Conversion from BigDecimal objects into Float numbers had a problem which enables attackers to effectively cause segmentation faults.

ActiveRecord relies on this method, so most Rails applications are affected by this. Though this is not a Rails-specific issue.


The Riding Rails blog also points out the vulnerability:

The upcoming Rails 2.3.3 release will include some minor mitigating changes to reduce some potential attack vectors for this vulnerability. However these mitigations will not close every potential method of attack and users should still upgrade their ruby installation as soon as possible.

The blog also points to NZKoz' bigdecimal-segfault-fix, a temporary fix for users who can't immediately upgrade their Ruby installation - although upgrading is the only proper solution since this fix can break applications.

All Ruby 1.8.x versions are affected - the first fixed versions of Ruby are Ruby 1.8.6-p369 (1.8.6 FTP Download Link) and Ruby 1.8.7-p173 (1.8.7 FTP Download Link).

JRuby also seems to be affected. Bug JRUBY-3744 tracks the issue and says:

JRuby seems to be affected as well. It doesn't crash, but appears to be stuck in an infinite loop.

The behavior is documented by this sample output.
A quick experiment showed that the solution used in the bigdecimal-segfault-fix works as a temporary fix in JRuby as well, since it just opens up the BigDecimal class and modifies it to throw an exception if too large numbers are used. Instead of keeping the JRuby thread busy, the code fails instantly; obviously this breaks behavior for code that needs numbers bigger than the default used in the fix.

Ruby 1.9.x users are not affected by the issue.

Rate this Article

Adoption Stage
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Discuss

Login to InfoQ to interact with what matters most to you.


Recover your password...

Follow

Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.

Like

More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.

Notifications

Stay up-to-date

Set up your notifications and don't miss out on content that matters to you

BT