So apps written in C never segfault? Proprietary platforms always have great tech support? Other programming languages always have same-day fixes? I won't make any particular claims about Ruby, but I have yet to see The Perfect Language. Every language in the world is "bad, bad platform choice" given some criteria.
Moreover, from reading the advisories and comments, the only thing I can tell for certain is that you can kill a Ruby process with something like "Array.new[0x7fffffff]=0". The only way that's going to take down a Rails app is if you're putting unchecked user input directly into array indices -- but then, if you're doing that, you're probably in trouble anyway.
Or if you're running a setup like Heroku, and you let users run a Ruby console. (Maybe. I don't actually know how Heroku works.) To the nearest percent, that describes 0% of Rails apps.
Can anybody describe how this would actually be used to attack a typical website running Rails?
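One practical answer to the "unchecked user input in array indices" point above: validate and bound any user-supplied index before it reaches `Array#[]=`. The following is an added Ruby example, not code from the thread or from any project mentioned in it; `MAX_INDEX` is an assumed application-specific ceiling and `safe_index`/`store_at` are hypothetical helper names.

```ruby
# Added example: bounding user-supplied array indices before they reach Array#[]=.
# Not from the thread; MAX_INDEX is an assumed application-specific limit.
MAX_INDEX = 10_000

# Parse an untrusted string as a non-negative index.
# Rejects anything that is not 1..9 decimal digits (so hex like "0x7fffffff",
# signs, whitespace and huge values never parse) and anything above max.
# Returns the Integer on success, nil on rejection.
def safe_index(input, max: MAX_INDEX)
  return nil unless input.is_a?(String) && input.match?(/\A\d{1,9}\z/)
  idx = Integer(input, 10)
  return nil if idx > max
  idx
end

# Store value at a user-chosen index only after validation.
# Returns true if the write happened, false if the index was rejected.
def store_at(arr, raw_index, value, max: MAX_INDEX)
  idx = safe_index(raw_index, max: max)
  return false if idx.nil?
  arr[idx] = value
  true
end

if __FILE__ == $PROGRAM_NAME
  data = []
  puts store_at(data, "3", :ok)            # true
  puts store_at(data, "0x7fffffff", :ok)   # false: rejected before Array#[]= runs
  puts store_at(data, "2147483647", :ok)   # false: exceeds MAX_INDEX
end
```

The regex keeps the parse cheap and rejects malformed input outright; the numeric ceiling is what actually prevents an oversized index from reaching the interpreter, so pick `MAX_INDEX` from what the application legitimately needs rather than from what Ruby will tolerate.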
String is vulnerable too. You'd be hard pressed to write a useful program that didn't put user-provided data into Strings.
An attacker could study the code paths of popular ruby based open-source projects to craft special attack inputs that exploit the weaknesses in Array and/or String.