bigdecimal-segfault-fix 1.0.1
Sign up to get free protection for your applications and to get access to all the features.
- data/LICENSE +14 -0
- data/README.textile +39 -0
- data/bigdecimal-segfault-fix.gemspec +16 -0
- data/example.rb +9 -0
- data/lib/bigdecimal-segfault-fix.rb +30 -0
- metadata +59 -0
data/LICENSE
ADDED
@@ -0,0 +1,14 @@
|
|
1
|
+
Copyright (c) 2009 Michael Koziarski <michael@koziarski.com>
|
2
|
+
|
3
|
+
Permission to use, copy, modify, and/or distribute this software for any
|
4
|
+
purpose with or without fee is hereby granted, provided that the above
|
5
|
+
copyright notice and this permission notice appear in all copies.
|
6
|
+
|
7
|
+
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
8
|
+
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
9
|
+
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
10
|
+
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
11
|
+
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
12
|
+
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
13
|
+
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
14
|
+
|
data/README.textile
ADDED
@@ -0,0 +1,39 @@
|
|
1
|
+
h1. BigDecimal Segfault Fix
|
2
|
+
|
3
|
+
There is a segfault bug in ruby's big decimal library which can be triggered by users providing known-bad values. If you wish to test whether your application is secure run +example.rb+. This script should exit normally, not segfault.
|
4
|
+
|
5
|
+
The workaround has negative side-effects. Specifically it prevents you from using BigDecimal to deal with large numbers (more than 255 digits) or from providing the numbers in scientific notation (e.g. "5E6" for 5000000). If you require those features you must upgrade to a patched ruby.
|
6
|
+
|
7
|
+
You are strongly advised to upgrade ruby following "the instructions on the ruby site":http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/. This work around is only intended for temporary use.
|
8
|
+
|
9
|
+
h2. Affected ruby versions:
|
10
|
+
|
11
|
+
h3. 1.8 series
|
12
|
+
|
13
|
+
* 1.8.6-p368 and *all* prior versions
|
14
|
+
* 1.8.7-p160 and *all* prior versions
|
15
|
+
|
16
|
+
h3. 1.9 series
|
17
|
+
* All 1.9.1 versions are safe
|
18
|
+
|
19
|
+
h2. Installation Instructions
|
20
|
+
|
21
|
+
h3. Gem installation
|
22
|
+
|
23
|
+
This fix is available as a gem from github. To install it you should run the following commands:
|
24
|
+
|
25
|
+
<pre>
|
26
|
+
$ gem sources -a http://gems.github.com
|
27
|
+
$ sudo gem install NZKoz-bigdecimal-segfault-fix
|
28
|
+
</pre>
|
29
|
+
|
30
|
+
Then in your code add:
|
31
|
+
|
32
|
+
<pre>
|
33
|
+
gem 'NZKoz-bigdecimal-segfault-fix'
|
34
|
+
require 'bigdecimal-segfault-fix'
|
35
|
+
</pre>
|
36
|
+
|
37
|
+
h3. Rails Initializer Installation
|
38
|
+
|
39
|
+
To apply this fix to a Rails Application you can simply copy the +bigdecimal-segfault-fix.rb+ file into your config/initializers directory.
|
@@ -0,0 +1,16 @@
|
|
1
|
+
Gem::Specification.new do |s|
|
2
|
+
s.name = "bigdecimal-segfault-fix"
|
3
|
+
s.version = "1.0.1"
|
4
|
+
s.date = "2009-06-03"
|
5
|
+
s.summary = "Prevents potentitial DoS attacks to BigDecimal"
|
6
|
+
s.email = "michael@koziarski.com"
|
7
|
+
s.homepage = "http://github.com/NZKoz/rexml-expansion-fix"
|
8
|
+
s.description = "Prevents users from exploiting the BigDecimal bugs and causing your application to segfault."
|
9
|
+
s.has_rdoc = false
|
10
|
+
s.authors = ["Michael Koziarski"]
|
11
|
+
s.files = ["README.textile",
|
12
|
+
"LICENSE",
|
13
|
+
"example.rb",
|
14
|
+
"bigdecimal-segfault-fix.gemspec",
|
15
|
+
"lib/bigdecimal-segfault-fix.rb"]
|
16
|
+
end
|
data/example.rb
ADDED
@@ -0,0 +1,30 @@
|
|
1
|
+
# Copyright (c) 2009 Michael Koziarski <michael@koziarski.com>
|
2
|
+
#
|
3
|
+
# Permission to use, copy, modify, and/or distribute this software for any
|
4
|
+
# purpose with or without fee is hereby granted, provided that the above
|
5
|
+
# copyright notice and this permission notice appear in all copies.
|
6
|
+
#
|
7
|
+
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
8
|
+
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
9
|
+
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
10
|
+
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
11
|
+
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
12
|
+
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
13
|
+
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
14
|
+
|
15
|
+
require 'bigdecimal'
|
16
|
+
|
17
|
+
alias BigDecimalUnsafe BigDecimal
|
18
|
+
|
19
|
+
|
20
|
+
# This fixes CVE-2009-1904 however it removes legitimate functionality that your
|
21
|
+
# application may depend on. You are *strongly* advised to upgrade your ruby
|
22
|
+
# rather than relying on this fix for an extended period of time.
|
23
|
+
|
24
|
+
def BigDecimal(initial, digits=0)
|
25
|
+
if initial.size > 255 || initial =~ /e/i
|
26
|
+
raise "Invalid big Decimal Value"
|
27
|
+
end
|
28
|
+
BigDecimalUnsafe(initial, digits)
|
29
|
+
end
|
30
|
+
|
metadata
ADDED
@@ -0,0 +1,59 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: bigdecimal-segfault-fix
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 1.0.1
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- Michael Koziarski
|
8
|
+
autorequire:
|
9
|
+
bindir: bin
|
10
|
+
cert_chain: []
|
11
|
+
|
12
|
+
date: 2009-06-03 00:00:00 +02:00
|
13
|
+
default_executable:
|
14
|
+
dependencies: []
|
15
|
+
|
16
|
+
description: Prevents users from exploiting the BigDecimal bugs and causing your application to segfault.
|
17
|
+
email: michael@koziarski.com
|
18
|
+
executables: []
|
19
|
+
|
20
|
+
extensions: []
|
21
|
+
|
22
|
+
extra_rdoc_files: []
|
23
|
+
|
24
|
+
files:
|
25
|
+
- README.textile
|
26
|
+
- LICENSE
|
27
|
+
- example.rb
|
28
|
+
- bigdecimal-segfault-fix.gemspec
|
29
|
+
- lib/bigdecimal-segfault-fix.rb
|
30
|
+
has_rdoc: true
|
31
|
+
homepage: http://github.com/NZKoz/rexml-expansion-fix
|
32
|
+
licenses: []
|
33
|
+
|
34
|
+
post_install_message:
|
35
|
+
rdoc_options: []
|
36
|
+
|
37
|
+
require_paths:
|
38
|
+
- lib
|
39
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
40
|
+
requirements:
|
41
|
+
- - ">="
|
42
|
+
- !ruby/object:Gem::Version
|
43
|
+
version: "0"
|
44
|
+
version:
|
45
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
46
|
+
requirements:
|
47
|
+
- - ">="
|
48
|
+
- !ruby/object:Gem::Version
|
49
|
+
version: "0"
|
50
|
+
version:
|
51
|
+
requirements: []
|
52
|
+
|
53
|
+
rubyforge_project:
|
54
|
+
rubygems_version: 1.3.5
|
55
|
+
signing_key:
|
56
|
+
specification_version: 3
|
57
|
+
summary: Prevents potentitial DoS attacks to BigDecimal
|
58
|
+
test_files: []
|
59
|
+
|