BT

Facilitating the spread of knowledge and innovation in professional software development

Contribute
News Articles Presentations Podcasts Guides

Topics

Choose your language

InfoQ Live September
InfoQ Live September

Learn how to apply containerized applications to improve application speed, reliability and deployment. Virtual Event on September 21th, 9AM EDT / 3PM CEST

 InfoQ Live October
InfoQ Live October

Learn how to apply Microservices and DevSecOps to improve application security & deployment speed. Virtual Event on Oct 19th, 9AM EDT/ 3PM CEST

 QCon Plus Online Software Development Conference
QCon Plus Online Software Development Conference

Turn advice from 64+ world-class professionals into immediate action items. Attend online on Nov 1-12.

InfoQ Homepage News Ruby 1.9.1 Update With Fix for Heap Overflow

What Does The JVM Garbage Collector Really Do? (Oct 21st Webinar) - Save Your Seat

Ruby 1.9.1 Update With Fix for Heap Overflow

This item in japanese

Bookmarks

Dec 10, 2009 less than one minute

A new Ruby 1.9.1 release, Ruby 1.9.1-p376 is out.

Everyone using Ruby 1.9.1 should consider upgrading to p376 because it contains a fix for a heap overflow vulnerability:

There is a heap overflow vulnerability in String#ljust, String#center and String#rjust. This has allowed an attacker to run arbitrary code in some rare cases.

The bug is in rb_str_justify, more details about the bug are available. The vulnerability only exists on 1.9.1.

1.9.1-p376 also brings many bug fixes for other problems, details from the 1.9.1-p376 release notes:

* Irb extension commands had been broken. It was fixed.
* Ripper had not been able to parse some Ruby codes. It was fixed.
* Fixed build failures on AIX.
* Some bug fixes of Matrix.
* Can load gems which is installed in an user's home directory.
* Some method became returning a string with a correct encoding.

 Meanwhile, work on Ruby 1.9.2 is progressing (Changelog for the Ruby 1.9 trunk (Caution: large file)). Ruby 1.9.2 was delayed earlier this year to make sure it actually complies with RubySpec tests.

Rate this Article

Adoption
Style

This content is in the Security topic

Related Topics:

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Community comments

  • a good news for Ruby 1.9.1

    by bb Ghost,

    Your message is awaiting moderation. Thank you for participating in the discussion.

    a good news for Ruby1.9.1!i will change it now!

    Back to top

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

BT

Is your profile up-to-date? Please take a moment to review and update.

Note: If updating/changing your email, a validation request will be sent

Company name:
Company role:
Company size:
Country/Zone:
State/Province/Region:
You will be sent an email to validate the new email address. This pop-up will close itself in a few moments.