
Patch your rubies

written by Steven Bristol on June 25th, 2008

You have probably heard by now that there are security issues in all current versions of Ruby and that you should upgrade your Ruby to get the fixes. The holes mainly involve buffer overruns and a particularly nasty vulnerability that only affects non-Unix based operating systems. These affect Ruby versions 1.8.5, 1.8.6, 1.8.7 and 1.9.0. (Since I only use 1.8.6, that’s all I’ll talk about here.) The official solution is to update 1.8.6 to version 1.8.6-p230. Unfortunately p230 breaks Rails and almost everything else running on Ruby. So what is a boy to do? Well, Hong Li has come to the rescue. He has backported the security changes to p111, so the rest of us can apply his patch and secure our 1.8.6 machines while staying at p111. The fix involves downloading Ruby 1.8.6-p111, patching the source, compiling Ruby and restarting your apps.

Here is how you do it:

  • Run the following commands:
    
    > wget ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p111.tar.gz
    > tar zxvf ruby-1.8.6-p111.tar.gz
    > cd ruby-1.8.6-p111
    > wget http://blog.phusion.nl/assets/r8ee-security-patch-20080623.txt
    > patch -i r8ee-security-patch-20080623.txt
    > ./configure
    > make
    > sudo make install
    
  • Restart your Mongrels and any other Ruby applications.

Notes:

  • While patching I would get the following:
    
    index 410cc6f..c8278b7 100644
    |--- a/lib/webrick/httpservlet/filehandler.rb
    |+++ b/lib/webrick/httpservlet/filehandler.rb
    --------------------------
    File to patch: 
    
    * Just give it this path: lib/webrick/httpservlet/filehandler.rb
  • Sometimes the sudo make install would fail with an error:
    
    /bin/sh: ./miniruby: No such file or directory
    
    * Just run “make clean” and then ./configure, make, sudo make install again.
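The "File to patch:" prompt in the first note comes from how GNU patch resolves paths: with no -p option it keeps only the basename of each file named in the patch, so a top-level file such as string.c is found in the unpacked source directory but lib/webrick/httpservlet/filehandler.rb is not. The following added example (my code, not Hong Li's patch or anything from the original post) reproduces that resolution rule over a constructed patch and a constructed fake source tree, so you can pre-check every file a patch touches before applying it; the sample patch headers mirror the git-style a/ and b/ prefixes shown in the note, and the hunks are dummies.

```python
import os
import tempfile
from typing import Dict, List, Optional

# Constructed stand-in for a git-style backport (not Hong Li's real patch file).
SAMPLE_PATCH = """\
diff --git a/string.c b/string.c
--- a/string.c
+++ b/string.c
@@ -1 +1 @@
-old
+new
diff --git a/lib/webrick/httpservlet/filehandler.rb b/lib/webrick/httpservlet/filehandler.rb
index 410cc6f..c8278b7 100644
--- a/lib/webrick/httpservlet/filehandler.rb
+++ b/lib/webrick/httpservlet/filehandler.rb
@@ -1 +1 @@
-old
+new
"""

def strip_components(path: str, strip: Optional[int]) -> str:
    """Mimic GNU patch's -p handling: -pN drops N leading path components,
    while giving no -p at all keeps only the basename."""
    parts = path.split("/")
    return parts[-1] if strip is None else "/".join(parts[strip:])

def patch_targets(patch_text: str) -> List[str]:
    """Return the '+++' target paths named in a unified diff."""
    return [line[4:].split("\t")[0] for line in patch_text.splitlines()
            if line.startswith("+++ ")]

def check_patch(patch_text: str, source_root: str, strip: Optional[int]) -> Dict[str, bool]:
    """Map each file the patch touches to whether patch would find it under
    source_root at this strip level; False means the 'File to patch:' prompt."""
    rels = [strip_components(t, strip) for t in patch_targets(patch_text)]
    return {rel: os.path.isfile(os.path.join(source_root, rel)) for rel in rels}

def demo() -> Dict[Optional[int], Dict[str, bool]]:
    """Build a tiny fake ruby-1.8.6-p111 tree and compare both strip levels."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib", "webrick", "httpservlet"))
        for rel in ("string.c", "lib/webrick/httpservlet/filehandler.rb"):
            open(os.path.join(root, rel), "w").close()
        return {None: check_patch(SAMPLE_PATCH, root, None),
                1: check_patch(SAMPLE_PATCH, root, 1)}

if __name__ == "__main__":
    for strip, files in demo().items():
        print("patch" if strip is None else f"patch -p{strip}", files)
```

Since every path in the note's header is rooted at the source directory once the a/ or b/ prefix is dropped, running patch with -p1 from inside ruby-1.8.6-p111 resolves all files without prompting.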

Thanks to Wilson Bilkovich for pointing me in the direction of Hong Li’s patch.

5 Responses to “Patch your rubies”

  1. Kiere El-Shafie June 25th, 2008

    Finished… No errors… Thanks for the post! :)

  2. Krister Collin June 26th, 2008

    Steven, great writeup, it’s exactly what I needed. I followed it to the letter and everything seems to have worked, but I’m curious, how do I know for sure? (I’m a bit of a newbie =P)

    Thanks again! Krister.

  3. Steven Bristol June 26th, 2008

    @Krister,

    How do you know there was even a problem to begin with? I don’t know how to exploit the vulnerabilities so I’m not sure how to test it. I only know because I read the patch file and saw what actually changed. Take a look.

    Steve

  4. Christian Seiler June 26th, 2008

    JRuby

  5. Brennan June 30th, 2008

    That Wilson guy is pretty awesome... I’m glad to see he started blogging again after finding it untouched for nearly 6 months after meeting him in Feb., even if the new stuff isn’t quite as interesting.
