Provides a quick workaround for the segfault bug in Ruby (CVE-2009-1904)
Ruby
Latest commit 795c3a8 Jun 10, 2009 @jnewland jnewland committed with fix gemspec, bump version
Signed-off-by: Michael Koziarski <michael@koziarski.com>
lib
.gitignore Initial commit Jun 9, 2009
LICENSE Initial commit Jun 8, 2009
README.textile finish the sentence Jun 9, 2009
bigdecimal-segfault-fix.gemspec fix gemspec, bump version Jun 10, 2009
example.rb Initial commit Jun 8, 2009

README.textile

BigDecimal Segfault Fix

There is a segfault bug in Ruby's BigDecimal library which can be triggered by users providing known-bad values. If you wish to test whether your application is secure, run example.rb. This script should exit normally, not segfault.

The workaround has negative side effects. Specifically, it prevents you from using BigDecimal to deal with large numbers (more than 255 digits) or from providing the numbers in scientific notation (e.g. “5E6” for 5000000). If you require those features you must upgrade to a patched Ruby.

You are strongly advised to upgrade Ruby following the instructions on the Ruby site. This workaround is only intended for temporary use.

Affected Ruby versions:
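
The limits described above can also be enforced explicitly at the point where untrusted input is parsed, so that rejected values produce a clear error instead of reaching BigDecimal. The following is an added example, not the gem's code: the names `check_decimal_input`, `safe_decimal` and `UnsafeDecimalInput` are hypothetical, and the limits (at most 255 digits, no scientific notation) are taken from the README text, not from the gem's source.

```ruby
require 'bigdecimal'

# Hypothetical helper names; this is not the gem's implementation.
# Limit taken from the README: numbers with more than 255 digits are refused.
MAX_DIGITS = 255

# Plain decimal only: optional sign, digits, optional fractional part.
PLAIN_DECIMAL = /\A[+-]?\d+(?:\.\d+)?\z/

class UnsafeDecimalInput < ArgumentError; end

# Returns the trimmed string if it is safe to hand to BigDecimal,
# otherwise raises UnsafeDecimalInput with the reason.
def check_decimal_input(raw)
  text = raw.to_s.strip
  raise UnsafeDecimalInput, "empty value" if text.empty?
  # Scientific notation such as "5E6" is refused, as the README describes.
  raise UnsafeDecimalInput, "scientific notation not accepted" if text =~ /e/i
  raise UnsafeDecimalInput, "not a plain decimal number" unless text.match?(PLAIN_DECIMAL)
  # Count digits only, so the sign and the decimal point do not count.
  if text.count("0-9") > MAX_DIGITS
    raise UnsafeDecimalInput, "more than #{MAX_DIGITS} digits"
  end
  text
end

# Parse untrusted input only after it has passed the checks above.
def safe_decimal(raw)
  BigDecimal(check_decimal_input(raw))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  ["12.50", " -0.75 ", "5E6", "1" * 256, "12abc"].each do |value|
    begin
      puts "accepted: #{safe_decimal(value).to_s('F')}"
    rescue UnsafeDecimalInput => e
      puts "rejected (#{e.message}): #{value[0, 20].inspect}"
    end
  end
end
```

A check like this does not replace upgrading Ruby; it only makes the same restrictions visible in application code.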

1.8 series

  • 1.8.6-p368 and all prior versions
  • 1.8.7-p160 and all prior versions

1.9 series

  • All 1.9.1 versions are safe

Installation Instructions

Gem installation

This fix is available as a gem from GitHub. To install it, run the following commands:

  $ gem sources -a http://gems.github.com 
  $ sudo gem install NZKoz-bigdecimal-segfault-fix

Then in your code add:

  gem 'NZKoz-bigdecimal-segfault-fix'
  require 'bigdecimal-segfault-fix'

Rails Initializer Installation

To apply this fix to a Rails application you can simply copy the bigdecimal-segfault-fix.rb file into your config/initializers directory.