Ruby update fixes hash flooding vulnerability
The Ruby developers have released an update to the 1.9.3 series of their open source programming language, fixing a denial-of-service vulnerability. Ruby 1.9.3 patch level 327, labelled 1.9.3-p327, corrects a hash-flooding issue that could be exploited by an attacker to cause a high CPU load that can result in a denial-of-service. The problem can be caused by an error when parsing specially crafted sequences of strings.
The developers point out that the vulnerability is similar to another widespread DoS issue in hash algorithms that affected a number of programs including the 1.8.7 branch of Ruby. They had previously thought that the 1.9.x branch was not affected as it uses a modified MurmurHash function; however developer Jean-Philippe Aumasson, one of the designers of SipHash, later found that there is still a way to create a sequence of strings which could collide their hash vales with each other. They have now changed the hash function from MurmurHash to SipHash 2-4.
All Ruby 1.9.x versions prior to 1.9.3-p327, as well as all Ruby 2.0 pre-release versions prior to trunk revision 37575 including 2.0.0 preview 1 from earlier this month, are affected. Users running these versions are advised to upgrade to the latest 1.9.3 patch level or trunk revision 37575 or later as soon as possible. The update also corrects a number of non-security-related bugs.
A full list of fixes in the update can be found in the change log. Ruby 1.9.3-p327 is available to download from the project's site, and is distributed under either the terms of the Ruby Licence or a 2-clause BSD Licence, or the GPLv2.
- Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371), a Ruby security advisory.