
Initial commit

commit 4f9e1dfa82589dbe4277209c4356586543dbcec4 0 parents
@NZKoz authored
1  .gitignore
@@ -0,0 +1 @@
+*gem
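Review bot: the single pattern `*gem` matches any path whose name merely ends in `gem` (a file or directory named `rubygem`, for instance), not only built packages; the conventional ignore for gem builds is `*.gem`, which is also what the rest of the commit produces via the gemspec.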
14 LICENSE
@@ -0,0 +1,14 @@
+Copyright (c) 2009 Michael Koziarski <michael@koziarski.com>
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
14 README.textile
@@ -0,0 +1,14 @@
+h1. BigDecimal Segfault Fix
+
+There is a segfault bug in ruby's big decimal library which can be triggered by users providing known-bad values. If you wish to test whether your application is secure run +example.rb+. This script should exit normally, not segfault.
+
+The workaround has some negative side-effects. Specifically it prevents you from using BigDecimal to deal with large numbers (more than 255 digits) or from providing the numbers in scientific notation (e.g. "5E6" for 5000000). If you require those features you must upgrade to a patched ruby.
+
+h2. Affected ruby versions:
+
+1.8 series
+ * 1.8.6-p368 and *all* prior versions
+ * 1.8.7-p160 and *all* prior versions
+
+1.9 series
+ * All 1.9.1 versions are safe
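Review bot: the `h2. Affected ruby versions:` heading is followed by a "1.9 series" block whose only entry says all 1.9.1 versions are safe, so unaffected versions are listed under an "affected" heading; either retitle the section (e.g. "Ruby version status") or move the 1.9.1 line into a separate "Not affected" note. The first paragraph should also say what a run of `example.rb` actually proves: the script only requires `bigdecimal`, so a segfault means the interpreter is vulnerable, and a clean exit after installing the gem is only meaningful if the gem was required before the `BigDecimal()` calls.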
16 bigdecimal-segfault-fix.gemspec
@@ -0,0 +1,16 @@
+Gem::Specification.new do |s|
+ s.name = "bigdecimal-segfault-fix"
+ s.version = "1.0.0"
+ s.date = "2009-06-03"
+ s.summary = "Prevents potentitial DoS attacks to BigDecimal"
+ s.email = "michael@koziarski.com"
+ s.homepage = "http://github.com/NZKoz/rexml-expansion-fix"
+ s.description = "Prevents users from exploiting the BigDecimal bugs and causing your application to segfault."
+ s.has_rdoc = false
+ s.authors = ["Michael Koziarski"]
+ s.files = ["README.textile",
+ "LICENSE",
+ "example.xml",
+ "bigdecimal-segfault-fix.gemspec",
+ "lib/bigdecimal-segfault-fix.rb"]
+end
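Review bot: two of the listed values are wrong for this project. `s.homepage` points at `http://github.com/NZKoz/rexml-expansion-fix`, the other workaround's repository (apparently copied from its gemspec), and `s.files` lists `"example.xml"`, which is not in this commit; the script added here is `example.rb`, so the example will not be packaged in the built gem. Suggest `s.homepage = "http://github.com/NZKoz/bigdecimal-segfault-fix"` and `"example.rb"` in `s.files`. Also `potentitial` in `s.summary` should be `potential`.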
9 example.rb
@@ -0,0 +1,9 @@
+require 'bigdecimal'
+
+["9E69999999", "1" * 10_000_000].each do |value|
+ begin
+ puts BigDecimal(value).to_s("F")
+ rescue => e
+ puts "Received an exception, this is fine: #{e.inspect}"
+ end
+end
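Review bot: the script only does `require 'bigdecimal'` and never loads `lib/bigdecimal-segfault-fix.rb`, so it shows whether the interpreter is vulnerable but cannot confirm that the workaround blocks the two inputs; the "Received an exception, this is fine" branch is only reachable with the fix loaded. Either add a comment telling the reader to run it as `ruby -I lib -r bigdecimal-segfault-fix example.rb` for the second case, or load the fix conditionally (e.g. on an environment variable) so one script covers both checks. The `rescue => e` catches StandardError, which is adequate for the RuntimeError the fix raises.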
30 lib/bigdecimal-segfault-fix.rb
@@ -0,0 +1,30 @@
+# Copyright (c) 2009 Michael Koziarski <michael@koziarski.com>
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+require 'bigdecimal'
+
+alias BigDecimalUnsafe BigDecimal
+
+
+# This fixes CVE-2009-1904 however it removes legitimate functionality that your
+# application may depend on. You are *strongly* advised to upgrade your ruby
+# rather than relying on this fix for an extended period of time.
+
+def BigDecimal(initial, digits=0)
+ if initial.size > 255 || initial =~ /e/i
+ raise "Invalid big Decimal Value"
+ end
+ BigDecimalUnsafe(initial, digits)
+end
+
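Review bot: the guard in `def BigDecimal(initial, digits=0)` only replaces the Kernel-level `BigDecimal()` function; `BigDecimal.new("9E69999999")` goes straight into the C extension and is still unguarded, so any library or application code using the `.new` form bypasses the fix entirely. Either wrap that entry point too (alias and redefine `BigDecimal.new` on the class with the same size and exponent check) or state the limitation in the README. Two smaller points: `initial.size` and `initial =~ /e/i` assume a String, so a non-String argument now fails with NoMethodError instead of the library's own type error, and a bare `raise "Invalid big Decimal Value"` produces a RuntimeError where callers validating user input would more naturally rescue ArgumentError; raising ArgumentError keeps the workaround's failure mode closer to the library's.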