Package: ruby2.1 Version: 2.1.1-3 Severity: serious Tags: security patch Justification: Policy 4.9
ruby2.1 is shipped without config.sub and config.guess and then these are insecurely downloaded during configure. It would be much better just to use the ones shipped with autotools-dev. Patch attached.
diff -Nru ruby2.1-2.1.1/debian/rules ruby2.1-2.1.1/debian/rules
--- ruby2.1-2.1.1/debian/rules 2014-04-22 12:08:50.000000000 -0400
+++ ruby2.1-2.1.1/debian/rules 2014-04-23 21:38:23.000000000 -0400
@@ -46,6 +46,8 @@
 dh $@ --parallel --with autotools-dev --with autoreconf
 
 override_dh_auto_configure:
+ cp /usr/share/misc/config.guess tool
+ cp /usr/share/misc/config.sub tool
 mkdir -p debian/lib
 ln -sf /usr/lib/$(DEB_HOST_MULTIARCH)/libtcl$(vtcltk).so debian/lib/libtcl.so
 ln -sf /usr/lib/$(DEB_HOST_MULTIARCH)/libtk$(vtcltk).so debian/lib/libtk.so
@@ -53,6 +55,8 @@
 
 override_dh_auto_clean:
 dh_auto_clean
+ rm -f tool/config.guess
+ rm -f tool/config.sub
 rm -rf debian/lib
 $(RM) -r .ext
 $(RM) -r doc/capi
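Review bot: Nothing in this hunk shows that the network fetch is actually skipped once `tool/config.guess` and `tool/config.sub` exist, and the two `cp` lines sit inside `override_dh_auto_configure`, which dh runs after the autoreconf step enabled by `--with autoreconf`. If the fetch is triggered before configure, the copies arrive too late, so the fix should be confirmed with a build in a network-isolated environment. The copies also depend on autotools-dev being in Build-Depends, which this diff does not show (presumably it is, given `--with autotools-dev`). I would add a comment above them such as `# Use the autotools-dev copies; upstream would otherwise fetch these over the network during the build (Policy 4.9).` The recipe continues past the end of the hunk.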
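Review bot: The two `rm -f` lines in `override_dh_auto_clean` assume upstream never ships `tool/config.guess` or `tool/config.sub`. If a later tarball does include them, `clean` would delete upstream files and the tree would no longer match the unpacked source. A comment such as `# Remove the copies made in override_dh_auto_configure; they are not part of the upstream tarball.` would record that assumption for whoever packages the next upstream release. The recipe continues outside the hunk.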