"The situation is similar to the one found for Perl in 2003. In 1.8 series of Ruby, we use a deterministic hash function to hash a string. Here the "deterministic" means no other bits of information than the input string itself is involved to generate a hash value. So you can precalculate a string's hash value beforehand. By collecting a series of strings that have the identical hash value, an attacker can let ruby process collide bins of hash tables (including Hash class instances). Hash tables' amortized O(1) attribute depends on uniformity of distribution of hash values. By giving such crafted input, an attacker can let hash tables work much slower than expected (namely O(n^2) to construct a n-elements table this case)."

ruby 1.9 is not affected. It's likely that ruby-enterprise-edition is also affected, but that has not been confirmed.
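The cost described in the advisory text quoted above, as an added example that is not part of this bug report or of Ruby's source. It uses a toy chained table and a constructed byte-sum hash as a stand-in for a deterministic hash; `ToyTable`, `BYTE_SUM`, `SEEDED`, `fill` and `KEYS` are names made up for the illustration, and the seeded case relies on current CRuby keying `String#hash` with a per-process random seed.

```ruby
# Added illustration: a toy chained hash table, not Ruby's own implementation.
class ToyTable
  attr_reader :comparisons

  def initialize(bins, &hash_fn)
    @bins = Array.new(bins) { [] }
    @hash_fn = hash_fn
    @comparisons = 0
  end

  # Walk the chain for the key's bin, counting every key comparison.
  def insert(key, value)
    chain = @bins[@hash_fn.call(key) % @bins.size]
    chain.each do |entry|
      @comparisons += 1
      if entry[0] == key
        entry[1] = value
        return
      end
    end
    chain << [key, value]
  end

  def longest_chain
    @bins.map(&:size).max
  end
end

# Constructed stand-in for a deterministic hash: the sum of the bytes.
# Any reordering of the same bytes hashes identically; no secret is involved.
BYTE_SUM = ->(key) { key.each_byte.sum }

# String#hash in current CRuby is keyed with a per-process random seed.
SEEDED = ->(key) { key.hash }

def fill(keys, hash_fn, bins = 1024)
  table = ToyTable.new(bins, &hash_fn)
  keys.each { |k| table.insert(k, true) }
  table
end

# Constructed sample input: 512 distinct orderings of the same six letters.
KEYS = %w[a b c d e f].permutation.first(512).map(&:join)

if __FILE__ == $PROGRAM_NAME
  [["byte sum", BYTE_SUM], ["seeded", SEEDED]].each do |name, fn|
    t = fill(KEYS, fn)
    puts "#{name}: longest chain #{t.longest_chain}, comparisons #{t.comparisons}"
  end
end
```

With the byte-sum hash every key lands in one bin, so building the table takes n(n-1)/2 comparisons; with the seeded hash the same keys spread across bins and the count stays near linear.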
ruby-enterprise uses the same code.
I have a version of dev-lang/ruby-1.8.7_p357 locally that I will test first.
Arches, please test and mark stable: =dev-lang/ruby-1.8.7_p357 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
I needed this glibc patch to compile this on ~x86: https://bugs.gentoo.org/show_bug.cgi?id=370413
Hi, I placed spanky's patch into /etc/portage/patches/sys-libs/glibc. Although the path is mentioned in /var/tmp/portage/sys-libs/glibc-2.14-r1,epatch_user.applied, on checking the log file the 0068******* isn't mentioned at the top of the patches. So my question is: what did I miss doing, or should I read further down? Geoff
amd64 stable
Could not compile ruby 1.8.7_p357, because of:

cp ../.././ext/dl/lib/dl/import.rb ../../.ext/common/dl
cp ../.././ext/dl/lib/dl/struct.rb ../../.ext/common/dl
cp ../.././ext/dl/lib/dl/win32.rb ../../.ext/common/dl
cp ../.././ext/dl/lib/dl/types.rb ../../.ext/common/dl
In file included from dl.c:104:0:
callback.func:1:1: warning: data definition has no type or storage class
callback.func:1:7: error: expected identifier or ‘(’ before ‘long’
In file included from dl.c:104:0:
callback.func:78:33: error: expected ‘)’ before ‘(’ token
callback.func:79:3: warning: data definition has no type or storage class
callback.func:79:24: error: ‘proc’ undeclared here (not in a function)
callback.func:79:39: error: ‘argc’ undeclared here (not in a function)
callback.func:79:45: error: ‘argv’ undeclared here (not in a function)
callback.func:82:1: error: expected identifier or ‘(’ before ‘}’ token
dl.c:106:1: error: expected ‘;’, ‘,’ or ‘)’ before ‘static’
make[1]: *** [dl.o] Error 1
make[1]: *** Waiting for unfinished jobs....

Found that it is a known problem; see for example: http://aur.archlinux.org/packages.php?ID=30221
(In reply to comment #7)
> callback.func:1:7: error: expected identifier or ‘(’ before ‘long’
...

PLEASE DO NOT report this error any more. The issue is known, has a fix and is just waiting for a glibc patch. Thanks.
ppc/ppc64 done
Stable for HPPA.
CVE-2011-4815 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4815): Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
x86 stable
alpha/arm/ia64/s390/sh/sparc stable
Thanks, everyone. GLSA Vote: yes.
This is also fixed in ruby-enterprise 1.8.7-2012.02 which got released about a week ago.
Added to existing GLSA request.
A quick note that dev-lang/ruby-enterprise has been treecleaned, so it is no longer relevant to this bug.
This issue was resolved and addressed in GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml by GLSA coordinator Sean Amoss (ackle).