Multiple Security Holes In Ruby 1.8, 1.9
ruphus13 notes a six-pack of serious vulnerabilities discovered in Ruby by a member of Apple's security team, Drew Yao. Patches are linked from the ruby-lang.org advisory. "With the following vulnerabilities, an attacker can lead to denial of service condition or execute arbitrary code... These vulnerabilities are likely to crop up in just about any average ruby web application. And by 'crop up' I mean 'crop up exploitable from trivial user-specified parameters.' It's not hard to begin imagining cases where Ruby/Rails programmers use code similar to the samples above to routinely handle user input."
Sooo... open source failed? That's what it sounds like you're saying. Beware of pitchfork-carrying moderators ;)
The bugs would have been there even if Apple hadn't found them. Why not thank them for improving the quality of Ruby?
Mr. Period: Nine is the one that's right by ten!
Nine: One day I will kill him. Then, I will be Ten.
How did open source fail? Someone who wasn't the original author had access to the code and found the bugs. How quickly it's found is a function of how many qualified people are looking at the code. I didn't RTFA, but presumably Drew Yao, a member of the security team, was security auditing the code. This activity would have been much harder to impossible with closed source code.
I'd say the system worked as advertised here.
No, "Enterprise ready" means they didn't have to deal with that shit on Star Trek.
Try out fish, the friendly interactive shell.
Case 1: the code has no bugs: "many eyes make for shallow bugs!" everyone chants.
Case 2: the code has bugs which get reported and fixed. "See, this would have taken much longer if the source was closed!" This claim is impossible to verify objectively but is stated as a fact, regardless of how trivial the bugs are.