On Wed, Jun 25, 2008 at 7:01 PM, Zed A. Shaw <[EMAIL PROTECTED]> wrote:
> Hey everyone,
>
> I know some of you have run into the latest security fix causing
> SEGFAULTs in Rails applications.  This is apparently due to changes in
> the class duplication code in Ruby, but I don't have much more
> information.
>
> I do however have instructions for people who need these security fixes
> now.  The very nice and smart Hongli created a patch for his Ruby2EE
> project that also works for Ruby 1.8.6-p111 or Ruby 1.8.6-p114 with
> some modification.
>
> PATCHING P114
>
> Here's how you can use it to patch p114.  Grab the Ruby 1.8.6 p114
> source, untar it, then cd into the source directory.  You have to be in
> the source directory when you start this process.  Not above it, not
> below it, right in it.  I show you this command as the first thing.
>
> ---------
> $ cd ruby-1.8.6-p114
> $ wget http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt
> ...
> 2008-06-25 12:46:39 (63.1 KB/s) - `r8ee-security-patch-20080623-2.txt'
> saved [11939/11939]
>
> $ patch -p1 < r8ee-security-patch-20080623-2.txt
> patching file array.c
> patching file bignum.c
> patching file eval.c
> patching file intern.h
> patching file io.c
> patching file lib/webrick/httpservlet/filehandler.rb
> Reversed (or previously applied) patch detected!  Assume -R? [n] n
> Apply anyway? [n] n
> Skipping patch.
> 4 out of 4 hunks ignored -- saving rejects to file lib/webrick/httpservlet/filehandler.rb.rej
> patching file sprintf.c
> patching file string.c
> ---------
>
> Notice how I had to tell it to skip changes to Webrick?  Nobody here
> runs webrick so that's just fine.  After this you can do the
> usual ./configure, make, make install and get your Ruby back.
>
> PATCHING P111
>
> The process should be exactly the same, just you won't have to tell it
> to skip the patch to webrick.
>
> WHAT'S IN THIS PATCH?
>
> Hongli collected patches from the FreeBSD crew, and then pulled them
> together with a security fix in eval.c he was given.  You can read the
> thread here:
>
> http://www.ruby-forum.com/topic/157034
>
> The md5sum that I have for this patchfile is:
>
> 74405e3f4a0c1e0484c303a33c0a6f0d  r8ee-security-patch-20080623-2.txt
>
> If your md5sum is different then I recommend contacting Hongli for
> help.  Consider giving him money for a short consulting contract since
> he obviously knows his shit.
>
> THE CATCH: NOT TESTED BY ME
>
> Alright, so don't go running out trying this shit without some
> testing.  Not testing is what got everyone in this mess.  All the
> bigger ruby players I know are doing this, and they say it works.
> Hongli is using it and it works for him.  You are not a big ruby player
> or Hongli.  So, test your stuff completely, then roll it out.
>
> Please report back to me if you have problems with the patch and/or if
> it works great for you so I can help some other folks out.
>
> Thanks people.  Always looking out for ya.
>

Thanks Zed, we are merging those with our own patches for Ruby
One-Click Installer (MinGW version).

Right now:
1564 tests, 14742 assertions, 6 failures, 50 errors

I need to take a look at the test patches too, since before I got
only 3 failures :-D

-- 
Luis Lavena
AREA 17
-
Human beings, who are almost unique in having the ability to learn from
the experience of others, are also remarkable for their apparent
disinclination to do so.
Douglas Adams
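The steps Zed lays out above (fetch the patch file, compare its md5sum with the one he posted, apply it with `patch -p1` from inside the source tree, and look at what was skipped before building) can be scripted so the checksum check is not optional and any rejected hunks are surfaced before `make install`. The script below is an added example written for this thread, not code from Zed, Hongli or the Ruby Enterprise Edition project. It reuses the patch file name and the md5sum from the quoted post; the `--forward` option is GNU patch's non-interactive way of skipping hunks that look reversed or already applied (the webrick case above), leaving a `.rej` file behind that the script then reports. A matching md5sum only protects against a corrupted or truncated download; it says nothing about who produced the file, which is why the post's advice to contact Hongli on a mismatch still stands.

```shell
#!/bin/sh
# Added example for the mongrel-users thread, not the project's own script.
# Verifies the patch file's md5sum, applies it from inside the Ruby source
# directory, and lists rejected hunks so they can be inspected before building.
set -u

# Both values are taken from Zed's post.
EXPECTED_MD5="74405e3f4a0c1e0484c303a33c0a6f0d"
PATCH_FILE="r8ee-security-patch-20080623-2.txt"

# md5_of FILE -> prints the hex digest; falls back to openssl if md5sum is absent
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5 FILE EXPECTED -> prints "ok" and returns 0 on match,
# prints "mismatch" and returns 1 otherwise (details go to stderr)
verify_md5() {
    actual=$(md5_of "$1")
    if [ "$actual" = "$2" ]; then
        echo ok
        return 0
    fi
    echo "md5 mismatch for $1: expected $2, got $actual" >&2
    echo mismatch
    return 1
}

# apply_patch PATCHFILE SRCDIR -> runs patch from inside SRCDIR (the post's
# "you have to be in the source directory" rule) and returns patch's status:
# 0 = every hunk applied, 1 = some hunks skipped or rejected, 2 = serious trouble.
# --forward skips hunks that look reversed or already applied without prompting.
apply_patch() {
    ( cd "$2" && patch -p1 --forward < "$1" )
}

# rejects_in SRCDIR -> prints the .rej files patch left behind (empty = clean)
rejects_in() {
    find "$1" -name '*.rej' -print
}

main() {
    [ -f "$PATCH_FILE" ] || { echo "missing $PATCH_FILE in $(pwd)" >&2; return 2; }
    verify_md5 "$PATCH_FILE" "$EXPECTED_MD5" >/dev/null || return 1

    status=0
    apply_patch "$(pwd)/$PATCH_FILE" . || status=$?
    [ "$status" -le 1 ] || { echo "patch reported serious trouble (exit $status)" >&2; return 1; }

    rej=$(rejects_in .)
    if [ -n "$rej" ]; then
        # In the post this is lib/webrick/httpservlet/filehandler.rb.rej, which
        # was fine to ignore; decide that per file, not blindly.
        echo "rejected hunks, inspect before building:"
        echo "$rej"
        return 1
    fi
    echo "patch applied cleanly; now ./configure && make && make install"
}

# Run main only when executed as a script named apply-ruby-patch.sh (an
# assumed name), so the functions can also be sourced and tested on their own.
if [ "${0##*/}" = "apply-ruby-patch.sh" ]; then
    main
fi
```

Run it as `sh apply-ruby-patch.sh` from inside `ruby-1.8.6-p114` after the wget step; a non-zero exit means either the checksum did not match or some hunks were rejected, and in both cases nothing should be built until the cause is understood.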
_______________________________________________
Mongrel-users mailing list
Mongrel-users@rubyforge.org
http://rubyforge.org/mailman/listinfo/mongrel-users
