Hacker News
Zed Shaw rant on Ruby Vulnerabilities (zedshaw.com)
26 points by kevTheDev on June 21, 2008 | 8 comments


So, I read this, and I think, "it is surprising that Zed Shaw doesn't know what a buffer overflow is". For instance, his "extensions" "overflow" is a case where 2-3 character strings are "overflowing" a MAXPATHLEN buffer.

Favorite quote: "Seems like there’s some changes here to determine correct stack direction on the native CPU. Why, that could be a stack smash exploit in the making!" You go, Zed.

Two tips:

1. It's Ruby. Go write the exploit. If you think it's the patch to bignum (where the offset you're looking at only controls a load, not a store), write the testcase and prove it.

2. Read the code, not the diffs.


Good point.

I can't believe I read his whole rant and there wasn't even a simple exploit test case in Ruby.


1. It's Ruby. Go write the exploit. If you think it's the patch to bignum (where the offset you're looking at only controls a load, not a store), write the testcase and prove it.

Why should he? He doesn't care, he doesn't use Ruby anymore. You can rest assured that someone else has already written the exploit, but is keeping it to himself. So you can either fix the bug, or hope that the person with the exploit doesn't use it on you.

Also, you should write correct code regardless of whether or not you think it's exploitable. Right!?


My point was that Zed doesn't seem to know what he's talking about. I'm not sure you just said anything at all.


It's true. He doesn't claim to know anything about the code. He is just trying to expose the "secret fixes". His thesis (for all of his blog posts) is that the Ruby community sucks. He did all this digging in the name of "proving" that, not to help make Ruby better, nor to prove that he knows anything about security.

Read the last line -- "I guess we’ll find out after the Ruby guys passively aggressively kill me for looking at their open source and …. telling people things."


For those who don't know, Zed Shaw is famous for (1) creating Mongrel, among other things; he's a good programmer, and (2) his rant against some Rails leaders: http://www.zedshaw.com/rants/rails_is_a_ghetto.html .

His rants are hilariously inflammatory (although this one about the vulnerabilities isn't particularly fiery).

It should be noted, however, that he's not crazy. I hear he's actually a pretty nice guy in person.

""" If you haven’t noticed, I’m funny and enjoy having fun. Enjoy my site, tell me if you use my projects. Don’t take it too seriously though, it’s all an act. """ - http://www.zedshaw.com/index.html


It's Zed Shaw, so who cares?

I mean, honestly, the writing is so bad that I can't even grasp what he is getting so excited about. Is it because someone just introduced a bunch of vulnerabilities into the MRI? Is it because someone just fixed a bunch of potential security flaws? That's what it looks like in the code, but then I don't get it, what's so bad about fixing bugs??? I think he's trying to say that there is some secret juju going on, where special people get to find this stuff out before others, but Zed never actually gets around to explaining why he feels that this is the case - it is after all open source, and everyone has access to it.

Or maybe he feels that the fact that there was a delay of a couple of days between the patches going live, and the actual announcement. Oh noes! It's the end of the world! Quick, sue somebody!

Anyway, I've wasted too much time on this post as it is. Zed Shaw may actually be a brilliant programmer, but considering his complete inability to be more coherent than a Markov chain generator, I'll never know it.


I already posted this in the thread for the first article about this, but since it was already off the front page: none of the Linux distributions have released fixes for this yet, so I rolled my own for etch. http://dfranke.us/rubyfix.txt



