Ruby News

A brand-new ruby-lang.org has been released

Wed, 12 Jun 2013 12:00:00 +0000

On behalf of the Ruby community, we are pleased to announce to you that a brand-new ruby-lang.org is now live!

Ruby’s official website has stalled over the years, leading to a situation where only a subset of the available languages were actually maintained. Still, their content may not even be relevant in the current Ruby ecosystem. Something had to be done! A few rubyists thus gathered to build a whole new contribution platform, switching from a private CMS to an open process.

Everyone is now able to edit the content and fix kinks in no time! We have set up a git-based process and Jekyll now powers the website: visit https://github.com/ruby/www.ruby-lang.org/wiki to learn more about the project and how to contribute.

We hope to be hearing from you and reviewing your Pull Requests,

Hal Brodigan (postmodern),
Jean-Denis Vauguet (chikamichi),
Marcus Stollsteimer (stomar),
James Edward Gray II (JEG2),
Hiroshi Shibata (hsbt).

Ruby 1.9.3-p429 is released

Tue, 14 May 2013 17:00:00 +0000

Now Ruby 1.9.3-p429 is released. We once released p426 some hours before, but it had build problems on some platforms. Use this p429 instead, please.

This release includes a security fix about bundled DL / Fiddle.

Object taint bypassing in DL and Fiddle in Ruby (CVE-2013-2065)

And some small bugfixes are also included.

See tickets and ChangeLog for details.

Download

You can download this release from:

ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p429.tar.bz2

SIZE:   10042323 bytes
MD5:    c2b2de5ef15ea9b1aaa3152f9112af1b
SHA256: 9d8949c24cf6fe810b65fb466076708b842a3b0bac7799f79b7b6a8791dc2a70

ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p429.tar.gz

SIZE:   12553234 bytes
MD5:    993c72f7f805a9eb453f90b0b7fe0d2b
SHA256: d192d1afc46a7ef27b9d0a3c7a67b509048984db2c38907aa82641bdf980acf4

ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p429.zip

SIZE:   13869978 bytes
MD5:    1986f3934e61b999873d21a79d69d88d
SHA256: 8bd0ecc2dd8eec471aa44f88abdcd82f4b398e9110ca06f76eff066b653b8b90

Release Comment

Many committers, testers and users who gave bug reports helped me to make this release. Thanks for their contributions.

Ruby 2.0.0-p195 is released

Tue, 14 May 2013 13:00:01 +0000

Ruby 2.0.0-p195 is released. This is the first patchlevel release of 2.0.0.

This release includes a security fix of Ruby DL / Fiddle extension.

Object taint bypassing in DL and Fiddle in Ruby (CVE-2013-2065)

And there are many bug-fixes and some optimization, and documentation fixes.

Downloads

ftp://ftp.ruby-lang.org/pub/ruby/2.0/ruby-2.0.0-p195.tar.bz2

SIZE:   10807456 bytes
MD5:    2f54faea6ee1ca500632ec3c0cb59cb6
SHA256: 0be32aef7a7ab6e3708cc1d65cd3e0a99fa801597194bbedd5799c11d652eb5b

ftp://ftp.ruby-lang.org/pub/ruby/2.0/ruby-2.0.0-p195.tar.gz

SIZE:   13641558 bytes
MD5:    0672e5af309ae99d1703d0e96eff8ea5
SHA256: a2fe8d44eac3c27d191ca2d0ee2d871f9aed873c74491b2a8df229bfdc4e5a93

ftp://ftp.ruby-lang.org/pub/ruby/2.0/ruby-2.0.0-p195.zip

SIZE:   15092199 bytes
MD5:    924fe4bea72b1b258655211998631791
SHA256: 81a4dc6cc09e491d417a51e5983c4584eff849e2a186ec3affdbe5bc15cd7db5

Changes

Major fixes are below. See ChangeLog or Tickets for details.

Thank you all committers/contributors.

Core - prepend

  #7841 Module#prepend now detect cyclic prepend.
  #7843 removing prepended methods causes exceptions.
  #8357 Module#prepend breaks Module's comparison operators.
  #7983 Module#prepend can't override Fixnum's operator methods.
  #8005 methods made private/protected after definition become uncallable on prepended class.
  #8025 Module#included_modules include classes when prepended.

Core - keyword arguments

  #7922 unnamed keyword rest argument cause SyntaxError.
  #7942 support define method only receive keyword arguments without paren.
  #8008 fix a bug in super with keyword arguments.
  #8236 fix a treatment of rest arguments and keyword arguments through `super'.
  #8260 non-symbol key should not treated as keyword arguments.

Core - refinements

  #7925 fix a bug of refinements with a method call super in a block.

Core - GC

  #8092 improve accuracy of GC.stat[:heap_live_num]
  #8146 avoid unnecessary heap growth.
  #8145  fix unlimited memory growth with large values of RUBY_FREE_MIN.

Core - Regexp

  #7972 Regexp POSIX space class is location sensitive.
  #7974 Regexp case-insensitive group doesn't work.
  #8023 Regexp lookbehind assertion fails with /m mode enabled
  #8001 Regexp \Z matches where it shouldn't

Core - other

  #8063 fix a potential memory violation and avoid abort on the environment _FORTIFY_SOURCE=2 (ex. Ubuntu).
  #8175 ARGF#skip doesn't work as documented.
  #8069 File.expand_path('something', '~') now support home path on Windows.
  #8220 fix a Segmentation fault when defined? ().
  #8367 fix a regression in defined?(super).
  #8283 Dir.glob doesn't recurse hidden directories.
  #8165 fix a bug of multiple require with non-ascii file path.
  #8290 fix an incompatible String#inspect behavior with NUL character.
  #8360 fix a Segmentation fault of Thread#join(Float::INFINITY) on some platforms.

RubyGems

  Bundled RubyGems version is updated to 2.0.2+
  #7698 fix an rubygems' incompatibility about installation of extension libraries.
  #8019 fix a bug of gem list --remote doesn't work.

Libraries

  #7911 File.fnmatch with US-ASCII pattern and UTF-8 path raise an exception.
  #8240 fix a bug about OpenSSL::SSL::SSLSocket breaks other connections or files on GC.
  #8183 CGI.unescapeHTML can't decode Numeric Character References with uppercase (&#Xnnnn).

Build/Platform specific

  #7830 fix build failure with compiler warning.
  #7950 fix a build failure on mswin/VC with --with-static-linked-ext.

Object taint bypassing in DL and Fiddle in Ruby (CVE-2013-2065)

Tue, 14 May 2013 13:00:00 +0000

There is a vulnerability in DL and Fiddle in Ruby where tainted strings can be used by system calls regardless of the $SAFE level set in Ruby. This vulnerability has been assigned the CVE identifier CVE-2013-2065.

Impact

Native functions exposed to Ruby with DL or Fiddle do not check the taint values set on the objects passed in. This can result in tainted objects being accepted as input when a SecurityError exception should be raised.

Impacted DL code will look something like this:

def my_function(user_input)
  handle    = DL.dlopen(nil)
  sys_cfunc = DL::CFunc.new(handle['system'], DL::TYPE_INT, 'system')
  sys       = DL::Function.new(sys_cfunc, [DL::TYPE_VOIDP])
  sys.call user_input
end

$SAFE = 1
my_function "uname -rs".taint

Impacted Fiddle code will look something like this:

def my_function(user_input)
  handle    = DL.dlopen(nil)
  sys = Fiddle::Function.new(handle['system'],
                             [Fiddle::TYPE_VOIDP], Fiddle::TYPE_INT)
  sys.call user_input
end

$SAFE = 1
my_function "uname -rs".taint

All users running an affected release should either upgrade or use one of the workarounds immediately.

Note that this does not prevent numeric memory offsets from being used as pointer values. Numbers cannot be tainted, so code passing a numeric memory offset cannot be checked. For example:

def my_function(input)
  handle    = DL.dlopen(nil)
  sys = Fiddle::Function.new(handle['system'],
                             [Fiddle::TYPE_VOIDP], Fiddle::TYPE_INT)
  sys.call input
end

$SAFE = 1
user_input = "uname -rs".taint
my_function DL::CPtr[user_input].to_i

In this case, the memory location is passed, and taintedness of the object cannot be determined by DL / Fiddle. In this case, please check the tainting of the user input before passing the memory location:

user_input = "uname -rs".taint
raise if $SAFE >= 1 && user_input.tainted?
my_function DL::CPtr[user_input].to_i

Workarounds

If you cannot upgrade Ruby, this monkey patch can be used as a workaround:

class Fiddle::Function
  alias :old_call :call
  def call(*args)
    if $SAFE >= 1 && args.any? { |x| x.tainted? }
      raise SecurityError, "tainted parameter not allowed"
    end
    old_call(*args)
  end
end

Affected versions

All ruby 1.9 versions prior to ruby 1.9.3 patchlevel 426
All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 195
prior to trunk revision 40728

ruby 1.8 versions are not affected.

Credits

Thanks to Vit Ondruch for reporting this issue.

History

Originally published at 2013-05-14 13:00:00 (UTC)

Ruby 2.0.0-p0 is released

Sun, 24 Feb 2013 09:06:22 +0000

We are pleased to announce the release of Ruby 2.0.0-p0.

Ruby 2.0.0 is the first stable release of the Ruby 2.0 series, with many new features and improvements in response to the increasingly diverse and expanding demands for Ruby.

Enjoy programming with Ruby 2.0.0!

Download

<URL:ftp://ftp.ruby-lang.org/pub/ruby/2.0/ruby-2.0.0-p0.tar.bz2>

SIZE:   10814890 bytes
MD5:    895c1c581f8d28e8b3bb02472b2ccf6a
SHA256: c680d392ccc4901c32067576f5b474ee186def2fcd3fcbfa485739168093295f

<URL:ftp://ftp.ruby-lang.org/pub/ruby/2.0/ruby-2.0.0-p0.tar.gz>

SIZE:   13608925 bytes
MD5:    50d307c4dc9297ae59952527be4e755d
SHA256: aff85ba5ceb70303cb7fb616f5db8b95ec47a8820116198d1c866cc4fff151ed

<URL:ftp://ftp.ruby-lang.org/pub/ruby/2.0/ruby-2.0.0-p0.zip>

SIZE:   15037340 bytes
MD5:    db5af5d6034646ad194cbdf6e50f49ee
SHA256: 0d0af6a9c8788537efd8d7d2358ce9468e6e2b7703dacba9ebd064d8b7da5f99

What is Ruby 2.0.0

New Features

Some of the highlights:

Language core features
- Keyword arguments, which give flexibility to API design
- Module#prepend, which is a new way to extend a class
- A literal %i, which creates an array of symbols easily
- __dir__, which returns the dirname of the file currently being executed
- The UTF-8 default encoding, which make many magic comments omissible
Built-in libraries
- Enumerable#lazy and Enumerator::Lazy, for (possibly infinite) lazy stream
- Enumerator#size and Range#size, for lazy size evaluation
- #to_h, which is a new convention for conversion to Hash
- Onigmo, which is a new regexp engine (a fork of Oniguruma)
- Asynchronous exception handling API
Debug support
- DTrace support, which enables run-time diagnosis in production
- TracePoint, which is an improved tracing API
Performance improvements
- GC optimization by bitmap marking
- Kernel#require optimization which makes Rails startup very fast
- VM optimization such as method dispatch
- Float operation optimization

In addition, albeit as an experimental feature, 2.0.0 includes Refinements, which adds a new concept to Ruby's modularity.

See also NEWS for more features, improvements and details.

Compatibility

We have also taken care with the 2.0.0 design to make it compatible with 1.9. It will be easier to migrate from 1.9 to 2.0 than it was from 1.8 to 1.9. (The notable incompatibilities are described later.)

In fact, thanks to the dedicated work of third parties, some popular applications such as Rails and tDiary have been reported to work on the release candidate version of 2.0.0.

Documentation

We have also made documentation improvements which many rubyists have requested. We have added a huge amount of rdoc for modules and methods. 2.0.0 will be around 75% documented while 1.9.3 was about 60%. Also, we have added a description of Ruby's syntax. You can see:

ri ruby:syntax

Stability

Note that unlike 1.9.0, 2.0.0 IS a stable release, even though its TEENY is 0. All library authors are strongly recommended to support 2.0.0. As mentioned above, it will be comparatively easy to migrate from 1.9 to 2.0.

Ruby 2.0.0 is ready for practical use, and will absolutely improve your Ruby life.

Notes

Introductory articles

Here are some introductory articles of 2.0.0 features by third parties:

<URL:http://blog.marc-andre.ca/2013/02/23/ruby-2-by-example> (comprehensive, recommended)
<URL:https://speakerdeck.com/shyouhei/whats-new-in-ruby-2-dot-0> (comprehensive, recommended)
<URL:http://el.jibun.atmarkit.co.jp/rails/2012/11/ruby-20-8256.html> (brief, in Japanese)
<URL:https://speakerdeck.com/nagachika/rubyist-enumeratorlazy> (only Enumerator::Lazy, in Japanese)

The following articles are also helpful, but outdated with regards to refinement:

Also, the recent issue of "Rubyist Magazine" includes some articles that were written by the feature authors themselves for introducing some new 2.0.0 features.

<URL:http://jp.rubyist.net/magazine/?0041-200Special>

Though they will be written in Japanese, English translations are planned for the future.

Incompatibility

There are five notable incompatibilities we know of:

The default encoding for ruby scripts is now UTF-8 [#6679]. Some people report that it affects existing programs, such as some benchmark programs becoming very slow [ruby-dev:46547].
Iconv was removed, which had already been deprecated when M17N was introduced in ruby 1.9. Use String#encode, etc. instead.
There is ABI breakage [ruby-core:48984]. We think that normal users can/should just reinstall extension libraries. You should be aware: DO NOT COPY .so OR .bundle FILES FROM 1.9.
#lines, #chars, #codepoints, #bytes now returns an Array instead of an Enumerator [#6670]. This change allows you to avoid the common idiom "lines.to_a". Use #each_line, etc. to get an Enumerator.
Object#inspect does always return a string like #<ClassName:0x…> instead of delegating to #to_s. [#2152]

There are some comparatively small incompatibilities. [ruby-core:49119]

Status of Refinements

We have added a feature called Refinements, which adds a new concept to Ruby's modularity. However, please be aware that Refinements is still an experimental feature: we may change its specification in the future. Despite that, we would like you to play with it and give us your thoughts. Your feedback will help to forge this interesting feature.

Acknowledgment

A great many people contributed to 2.0.0. Even an incomplete acknowledgment for only a few parts of contributions became too big to insert here. Sorry but let me just add a link to the special thanks page.

<URL:https://bugs.ruby-lang.org/projects/ruby/wiki/200SpecialThanks>

Thank you all!

Ruby 1.9.3-p392 is released

Fri, 22 Feb 2013 13:09:05 +0000

Now Ruby 1.9.3-p392 is released. I apologize for updating too frequently.

This release includes security fixes about bundled JSON and REXML.

And some small bugfixes are also included.

See tickets and ChangeLog for details.

Download

You can download this release from:

<URL:ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p392.tar.bz2>

SIZE:   10024221 bytes
MD5:    a810d64e2255179d2f334eb61fb8519c
SHA256: 5a7334dfdf62966879bf539b8a9f0b889df6f3b3824fb52a9303c3c3d3a58391

<URL:ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p392.tar.gz>

SIZE:   12557294 bytes
MD5:    f689a7b61379f83cbbed3c7077d83859
SHA256: 8861ddadb2cd30fb30e42122741130d12f6543c3d62d05906cd41076db70975f

<URL:ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p392.zip>

SIZE:   13863402 bytes
MD5:    212fb3bc41257b41d1f8bfe0725916b7
SHA256: f200ce4a63ce57bea64028a507350717c2a16bdbba6d9538bc69e9e7c2177c8b

Release Comment

Many committers, testers and users who gave bug reports helped me to make this release. Thanks for their contributions.

Entity expansion DoS vulnerability in REXML (XML bomb, CVE-2013-1821)

Fri, 22 Feb 2013 13:08:51 +0000

Unrestricted entity expansion can lead to a DoS vulnerability in REXML. This vulnerability has been assigned the CVE identifier CVE-2013-1821. We strongly recommend to upgrade ruby.

Details

When reading text nodes from an XML document, the REXML parser can be coerced in to allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service.

Impacted code will look something like this:

document = REXML::Document.new some_xml_doc
document.root.text

When the `text` method is called, entities will be expanded. An attacker can send a relatively small XML document that, when the entities are resolved, will consume extreme amounts of memory on the target system.

Note that this attack is similar to, but different from the Billion Laughs attack. This is also related to CVE-2013-1664 of Python.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

If you cannot upgrade Ruby, use this monkey patch as a workaround:

class REXML::Document
  @@entity_expansion_text_limit = 10_240

  def self.entity_expansion_text_limit=( val )
    @@entity_expansion_text_limit = val
  end

  def self.entity_expansion_text_limit
    @@entity_expansion_text_limit
  end
end

class REXML::Text
  def self.unnormalize(string, doctype=nil, filter=nil, illegal=nil)
    sum = 0
    string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) {
      s = self.expand($&, doctype, filter)
      if sum + s.bytesize > REXML::Document.entity_expansion_text_limit
        raise "entity expansion has grown too large"
      else
        sum += s.bytesize
      end
      s
    }
  end

  def self.expand(ref, doctype, filter)
    if ref[1] == ?#
      if ref[2] == ?x
        [ref[3...-1].to_i(16)].pack('U*')
      else
        [ref[2...-1].to_i].pack('U*')
      end
    elsif ref == '&amp;'
      '&'
    elsif filter and filter.include?( ref[1...-1] )
      ref
    elsif doctype
      doctype.entity( ref[1...-1] ) or ref
    else
      entity_value = DocType::DEFAULT_ENTITIES[ ref[1...-1] ]
      entity_value ? entity_value.value : ref
    end
  end
end

This monkey patch will limit the size of the entity substitutions to 10k per node. REXML already defaults to only allow 10000 entity substitutions per document, so the maximum amount of text that can be generated by entity substitution will be around 98 megabytes.

Affected versions

All ruby 1.9 versions prior to ruby 1.9.3 patchlevel 392
All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 0
prior to trunk revision 39384

Credits

Thanks to Ben Murphy for reporting this issue.

History

Added about CVE number at 2013-03-11 07:45:00 (UTC)
Originally published at 2013-02-22 12:00:00 (UTC)

Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269)

Fri, 22 Feb 2013 13:08:38 +0000

There is a denial of service and unsafe object creation vulnerability in the json bundled with ruby. This vulnerability has been assigned the CVE identifier CVE-2013-0269. We strongly recommend to upgrade ruby.

Details

When parsing certain JSON documents, the JSON gem (includes bundled with ruby) can be coerced in to creating Ruby symbols in a target system. Since Ruby symbols are not garbage collected, this can result in a denial of service attack.

The same technique can be used to create objects in a target system that act like internal objects. These "act alike" objects can be used to bypass certain security mechanisms and can be used as a spring board for SQL injection attacks in Ruby on Rails.

Impacted code looks like this:

JSON.parse(user_input)

Where the `user_input` variable will have a JSON document like this:

{"json_class":"foo"}

The JSON gem will attempt to look up the constant "foo". Looking up this constant will create a symbol.

In JSON version 1.7.x, objects with arbitrary attributes can be created using JSON documents like this:

{"json_class":"JSON::GenericObject","foo":"bar"}

This document will result in an instance of JSON::GenericObject, with the attribute "foo" that has the value "bar". Instantiating these objects will result in arbitrary symbol creation and in some cases can be used to bypass security measures.

PLEASE NOTE: this behavior does not change when using `JSON.load`. `JSON.load` should never be given input from unknown sources. If you are processing JSON from an unknown source, always use `JSON.parse`.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

For users that cannot upgrade ruby or JSON gem, change your code from this:

JSON.parse(json)

To this:

JSON.parse(json, :create_additions => false)

If you cannot change the usage of `JSON.parse` (for example you're using a gem which depends on `JSON.parse` like multi_json), then apply this monkey patch:

module JSON
  class << self
    alias :old_parse :parse
    def parse(json, args = {})
      args[:create_additions] = false
      old_parse(json, args)
    end
  end
end

Affected versions

All ruby 1.9 versions prior to ruby 1.9.3 patchlevel 392
All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 0
prior to trunk revision 39208

Credits

A huge thanks goes to the following people for responsibly disclosing this issue and working with the Rails team to get it fixed:

Thomas Hollstegge of Zweitag (www.zweitag.de)
Ben Murphy

History

Originally published at 2013-02-22 12:00:00 (UTC)

The Barcelona Ruby Conference Call for Papers is Open

Sat, 16 Feb 2013 14:47:15 +0000

Barcelona Ruby Conference is a conference that takes place in the heart of Catalunya, Spain this September 14-15. Starring world-class speakers as Aaron Patterson (rails and ruby core), David Chelimsky (The RSpec book author, RSpec core member), Charles Nutter (JRuby maintainer), Sandi Metz (Practical Object-Oriented Design in Ruby author) or Yukihiro Matz (the Ruby language creator), among others.

The call for papers is already open and admitting submissions until 10th of March - don't miss the chance to be on that list!

There's a total of 4 slots open, and each one of the 4 selected speakers will get a free ticket to the conference as well as paid accommodation. You can check out the CFP's basis and send your proposal in their website.

The 2013 Ruby Hero Awards

Fri, 15 Feb 2013 21:34:51 +0000

The Ruby Hero Awards are now accepting nominations and we need your help to find people in our community who thanklessly help others and perhaps don’t get the recognition they deserve. This could be someone who contributes to ruby open source software you’ve found useful in the past year, could be an educator, or maybe someone who’s helped organize Ruby events.

If you have a minute please take a moment to nominate someone by heading over to RubyHeroes.com, typing in the github username of the person you wish to nominate, and giving us a reason why they deserve to win. About a month from now all the previous year’s Ruby Heroes will help decide who will win this year’s 6 awards which will be presented to the heroes live on stage at Railsconf at the end of April.