Wanna know what all the Ruby vulnerabilities are? Or at least have a fun look at how to search through code for clues? It’s a blast. I took the time to go through all the changes between Ruby 1.8.6 p114 and Ruby 1.8.6 p230 and analyzed the changes so that you can know what they are and how the defects are security defects.

My history with the Ruby guys hiding their shame in patches and never admitting that they fucked up important parts of Ruby goes pretty far back. I found some pretty bad memory leaks with Mongrel and during that time Ruby idiots would claim it was the, “OS holding the memory, not a leak.” Riiight. We now know much different, but I’ve never seen a public admission that things like the GC, IO, or Threads are completely fucked up. Well, apart from people who have to deal with them daily.

This list of vulnerabilities and the code is just what I did after working all day on my book and while bored. Ho hum. So hard. Have fun with them!

BTW, nobody in Ruby told me about these. I completely inferred them from just analyzing the source for common defects. And while I pick on the person who made the changes a bit, I’m not blaming him or claiming he’s complicit in anything. He’s probably just doing what he thinks needs to be done.

UPDATE: I added a little update to the post to clarify that I’m doing it through diffs and shit on purpose to show how it’s not that hard, even without the source repository. Read that section for the update.