
Patch your rubies

written by Steven on June 25, 2008

You have probably heard by now that there are security issues in every current version of Ruby and that you should upgrade to get the fixes. The holes mainly involve buffer overruns, plus a particularly nasty vulnerability that only affects non-Unix operating systems. They affect Ruby versions 1.8.5, 1.8.6, 1.8.7 and 1.9.0. (Since I only use 1.8.6, that's all I'll talk about here.) The official fix is to update 1.8.6 to patchlevel 230 (1.8.6-p230). Unfortunately, p230 breaks Rails and almost everything else running on Ruby. So what is a boy to do? Well, Hong Li has come to the rescue: he has backported the security changes to p111, so the rest of us can apply his patch and secure our 1.8.6 machines while staying on p111. The fix involves downloading Ruby 1.8.6-p111, patching the source, compiling Ruby and restarting your apps.

Here is how you do it:

  • Run the following commands:
    > wget ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p111.tar.gz
    > tar zxvf ruby-1.8.6-p111.tar.gz
    > cd ruby-1.8.6-p111
    > wget http://blog.phusion.nl/assets/r8ee-security-patch-20080623.txt
    > patch -i r8ee-security-patch-20080623.txt
    > ./configure
    > make
    > sudo make install
    
  • Restart your mongrels and any other Ruby applications, so the running processes pick up the newly installed interpreter and libraries.

Notes:

  • While patching I would get the following:
    
    index 410cc6f..c8278b7 100644
    |--- a/lib/webrick/httpservlet/filehandler.rb
    |+++ b/lib/webrick/httpservlet/filehandler.rb
    --------------------------
    File to patch:
    

    * Just give it this path: lib/webrick/httpservlet/filehandler.rb
    * The prompt appears because the patch is in git format, with a/ and b/ prefixes on the paths. Running "patch -p1 -i r8ee-security-patch-20080623.txt" instead strips that leading component and applies without asking.
  • Sometimes the sudo make install would fail with an error:
    
    /bin/sh: ./miniruby: No such file or directory
    

    * Just run "make clean" and then ./configure, make, and sudo make install again.
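Here is the same procedure as a shell script, added as an example that is not part of the original post. It stops on the first error, dry-runs the patch before applying it (with -p1, since the patch uses git-style a/ and b/ path prefixes), and after make install checks that the Ruby under the install prefix reports 1.8.6 and that its installed WEBrick filehandler.rb is byte-for-byte the one from the patched source tree, which is the "how do I know for sure?" check a reader would want. The URLs are the ones from the post; the install prefix /usr/local and checking only filehandler.rb (the one file the post shows the patch touching) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's steps as a
# script with a dry-run before patching and a check after installing.
# Assumptions: install prefix /usr/local (configure's default), and that
# lib/webrick/httpservlet/filehandler.rb is a file the patch changes
# (it is the one the post shows patch prompting about).
set -e

RUBY_TARBALL_URL=ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p111.tar.gz
PATCH_URL=http://blog.phusion.nl/assets/r8ee-security-patch-20080623.txt
SRC_DIR=ruby-1.8.6-p111
PREFIX=${PREFIX:-/usr/local}

# Apply a git-style patch (paths prefixed a/ and b/, hence -p1) inside a
# source tree. The --dry-run goes first so that a patch that does not
# apply cleanly never leaves the tree half-modified.
apply_patch() {
    tree=$1
    patchfile=$2
    (cd "$tree" && patch -p1 --dry-run -i "$patchfile" >/dev/null) || return 1
    (cd "$tree" && patch -p1 -i "$patchfile" >/dev/null)
}

# Return 0 only when the installed copy of a library file is byte-identical
# to the one in the patched source tree.
installed_matches_source() {
    tree=$1
    libdir=$2
    relpath=$3
    cmp -s "$tree/lib/$relpath" "$libdir/$relpath"
}

# After make install: the ruby under $PREFIX must report 1.8.6 and its
# installed WEBrick file handler must be the patched one.
verify_install() {
    tree=$1
    ruby="$PREFIX/bin/ruby"
    "$ruby" -v | grep -q '^ruby 1\.8\.6' || return 1
    # Ruby 1.8 exposes its stdlib directory through rbconfig's Config::CONFIG.
    libdir=$("$ruby" -rrbconfig -e 'puts Config::CONFIG["rubylibdir"]')
    installed_matches_source "$tree" "$libdir" webrick/httpservlet/filehandler.rb
}

build_and_install() {
    wget "$RUBY_TARBALL_URL"
    tar zxf "$SRC_DIR.tar.gz"
    wget "$PATCH_URL"
    apply_patch "$SRC_DIR" "$PWD/$(basename "$PATCH_URL")"
    (cd "$SRC_DIR" && ./configure --prefix="$PREFIX" && make)
    (cd "$SRC_DIR" && sudo make install)
    verify_install "$SRC_DIR"
    echo "ruby 1.8.6-p111 patched and verified under $PREFIX; now restart your mongrels"
}

# The download and build only run when asked for explicitly, so the
# functions above can be sourced and exercised on their own.
if [ "${1:-}" = "build" ]; then
    build_and_install
fi
```

Run it as `sh patch-ruby.sh build` from a scratch directory. If verify_install fails after the build, the Ruby on your PATH is not the one you just built (a distro package under /usr, say), and restarting mongrels would still leave them on the unpatched interpreter.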

Thanks to Wilson Bilkovich for pointing me in the direction of Hong Li's patch.


5 Comments

Kiere El-Shafie said on June 25, 2008

Finished… No errors… Thanks for the post! :)

Krister Collin said on June 26, 2008

Steven, great writeup, it’s exactly what I needed.
I followed it to the letter and everything seems to have worked, but I’m curious, how do I know for sure? (I’m a bit of a newbie =P)

Thanks again!
Krister.

Steven Bristol said on June 26, 2008

@Krister,

How do you know there was even a problem to begin with? I don’t know how to exploit the vulnerabilities so I’m not sure how to test it. I only know because I read the patch file and saw what actually changed. Take a look.

Steve

Christian Seiler said on June 26, 2008

JRuby

Brennan said on June 30, 2008

That Wilson guy is pretty awesome.. I’m glad to see he started blogging again after finding it untouched for nearly 6 months after meeting him in Feb., even if the new stuff isn’t quite as interesting.

