On 23/04/10 at 21:09 -0400, Michael Gilbert wrote:
> On Thu, 22 Apr 2010 17:48:28 +0200 Lucas Nussbaum wrote:
> > On 06/03/10 at 15:47 -0500, Michael Gilbert wrote:
> > > Package: ruby1.9
> > > Version: 1.9.0.5-1
> > > Severity: serious
> > > Tags: security
> > > 
> > > Hi,
> > > the following CVE (Common Vulnerabilities & Exposures) id was
> > > published for ruby1.9.  Note this was fixed in 1.9.1, and it isn't
> > > really clear whether it affects 1.9.  I can't find enough info to say
> > > either way.  Please check.
> > > 
> > > CVE-2009-4124[0]:
> > > | Heap-based buffer overflow in the rb_str_justify function in string.c
> > > | in Ruby 1.9.1 before 1.9.1-p376 allows context-dependent attackers to
> > > | execute arbitrary code via unspecified vectors involving (1)
> > > | String#ljust, (2) String#center, or (3) String#rjust.  NOTE: some of
> > > | these details are obtained from third party information.
> > > 
> > > If you fix the vulnerability please also make sure to include the
> > > CVE id in your changelog entry.
> > > 
> > > For further information see:
> > > 
> > > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4124
> > >     http://security-tracker.debian.org/tracker/CVE-2009-4124
> > 
> > Hi Michael,
> > 
> > The version of ruby1.9 in lenny seems to be affected. Ruby1.9 is no
> > longer available in unstable. I'm tempted to just ignore that bug (the
> > patch from 1.9.1 doesn't apply to 1.9.0).
> 
> This seems like a rather severe bug to ignore (arbitrary code
> execution).  Do you have a link to the patch?  I still don't see it, but
> I've only quickly scanned mitre's links.  Perhaps someone else would be
> able to backport it.

http://github.com/ruby/ruby/commit/8a5224e4de1f8375e787dd64d55becf1018170df
(For the ruby 1.9.1 branch)

It doesn't sound impossible to backport it, someone just has to spend
time on it.

> > Ruby 1.9 is a development branch of Ruby, I don't think that anybody
> > uses it for anything serious.
> 
> should it be removed from lenny also?

No. The problem is that many Ruby packages build-depend on ruby1.8 _and_
ruby1.9. It's a bit of a chicken-and-egg problem: we want to increase
the visibility/usefulness of ruby1.9/ruby1.9.1, so not releasing with it
is not really an option, but on the other hand, it's not really
supportable in the long term, and upstream doesn't care.
-- 
| Lucas Nussbaum
| lu...@lucas-nussbaum.net   http://www.lucas-nussbaum.net/ |
| jabber: lu...@nussbaum.fr             GPG: 1024D/023B3F4F |