Developers have patched five vulnerabilities in the open-source programming language Ruby that could provide a trivial way for attackers to exploit a variety of web applications. The vulnerabilities affect versions 1.8 and 1.9 and could lead to remote execution of malicious code or denial of service, this advisory warns. The …
"open source language" doesn't quite compute here.
Is it an open source language compiler (/interpreter) that you refer to, or a publicly documented language ?
I suspect the first, as vulnerabilities match better to actual software than language features, but you never know :) (Actually, I'm not really sure the latter even makes sense here, since isn't every programming language "exploitable" in at least a thousand ways, so it wouldn't be a story...)
If this were ASP.NET.... ;-)
Yes, every language has errors in it that make it exploitable.
Here, the exploits can be carried out with crafted user input from applications developed with the language.
I've nothing against Ruby on Rails, but I'm sure that were this a similar issue with ASP.NET the pitchforks would already be being sharpened and the brands lit for an ol' style mob storming of the barricades.... :-)
Rails remains a bad joke
Here's another (welcome) nail in the coffin of the only framework really "worthy" of Web 2.0. And you know what I mean by worthy. It doesn't scale, its developers are all primadonnas who don't understand what "scale" even means, there's no formal language spec, and now this lousy bit of implementation right in the heart of Ruby. I wish the JAVA ticker symbol actually represented Java, cause I'd be buying some right now.
The details are under some kind of embargo at the moment, so it's impossible to do anything about the problem other than install their patches...
Philosophy aside however, the patches are to the interpreter so I guess that's where the problem lies. Your point about the spec is facetious since Ruby is specified by its implementation rather than having a laid down formal grammar.
"The flaws were discovered by Drew Yao of Apple Product Security."
Apple has a product security department????
But Java's so fat and bloated man, and Ruby's like cool and stuff
One of the major concerns I had about Rails was the utter lack of security support at the framework level. It wouldn't surprise me if most apps out there have tons of holes simply because there is no standard way of securing them. But vulnerabilities at the language level - ouch!
"specified by its implementation rather than having a laid down formal grammar"
I think that was rather his point. Yes, that does indeed mean that he seriously dislikes the design philosophy Ruby is based on.
From Fedora's SRPMS dir you can download ruby-1.8.6.230-1.fc10.src.rpm, and the following comment is in ruby.spec:
* Tue Jun 24 2008 Akira TAGOH <firstname.lastname@example.org> - 1.8.6.230-1
- New upstream release.
- Security fixes. (#452295)
- CVE-2008-1891: WEBrick CGI source disclosure.
- CVE-2008-2662: Integer overflow in rb_str_buf_append().
- CVE-2008-2663: Integer overflow in rb_ary_store().
- CVE-2008-2664: Unsafe use of alloca in rb_str_format().
- CVE-2008-2725: Integer overflow in rb_ary_splice().
- CVE-2008-2726: Integer overflow in rb_ary_splice().
- ruby-18.104.22.168-CVE-2007-5162.patch: removed.
- Build ruby-mode package for all archtectures.
You can also read http://svn.ruby-lang.org/repos/ruby/tags/v1_8_6_230/ChangeLog - search for "CVE" and "overflow".
"open source language"
This doesn't have to mean "the language is licensed under an open source license" - he could simply mean a language commonly employed in open-source projects rather than closed source apps.
@chuBb - too funny =D
Re: "Rails remains a bad joke" and "But Java's so fat and .. "
AC: Have you ever used it? I bet you are a Java programmer.
What are you talking about? Where is your evidence??
Or are you just anti because it's suddenly become cool to be anti?
@ Francis Fish "Have you ever used it?"
Yes, Frank, I've used Ruby. If I remember right, my last job was CTO at a company whose entire product is built on Rails. So, you lose the bet. You can pay up by giving DHH a handjob for me.
"Ruby is specified by its implementation"
nnyeees... We're making it up as we go along?
Cure worse than the disease?
Just to make life interesting - the "fixed" 1.8.6p230 introduces bugs which cause Rails 2.0.2 to crash, either with errors like "wrong argument type FalseClass (expected Proc)" or good old-fashioned segfaults.
Ruby on Ruby
You know, if the Ruby interpreter had been re-implemented in Ruby, there wouldn't be a problem...
Ruby is "specified by its implementation"?
Uhh, then why did they fix this bug?