Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Ruby 1.9.1 Update With Fix for Heap Overflow

Ruby 1.9.1 Update With Fix for Heap Overflow

This item in japanese

A new Ruby 1.9.1 release, Ruby 1.9.1-p376 is out.

Everyone using Ruby 1.9.1 should consider upgrading to p376 because it contains a fix for a heap overflow vulnerability:

There is a heap overflow vulnerability in String#ljust, String#center and String#rjust. This has allowed an attacker to run arbitrary code in some rare cases.

The bug is in rb_str_justify, more details about the bug are available. The vulnerability only exists on 1.9.1.

1.9.1-p376 also brings many bug fixes for other problems, details from the 1.9.1-p376 release notes:

* Irb extension commands had been broken. It was fixed.
* Ripper had not been able to parse some Ruby codes. It was fixed.
* Fixed build failures on AIX.
* Some bug fixes of Matrix.
* Can load gems which is installed in an user's home directory.
* Some method became returning a string with a correct encoding.

 Meanwhile, work on Ruby 1.9.2 is progressing (Changelog for the Ruby 1.9 trunk (Caution: large file)). Ruby 1.9.2 was delayed earlier this year to make sure it actually complies with RubySpec tests.

Rate this Article