On Sun, 25 Apr 2010 17:23:29 +0200 Lucas Nussbaum wrote:
> On 23/04/10 at 21:09 -0400, Michael Gilbert wrote:
> > On Thu, 22 Apr 2010 17:48:28 +0200 Lucas Nussbaum wrote:
> > > On 06/03/10 at 15:47 -0500, Michael Gilbert wrote:
> > > > Package: ruby1.9
> > > > Version: 1.9.0.5-1
> > > > Severity: serious
> > > > Tags: security
> > > >
> > > > Hi,
> > > > the following CVE (Common Vulnerabilities & Exposures) id was
> > > > published for ruby1.9. Note this was fixed in 1.9.1, and it isn't
> > > > really clear whether it affects 1.9. I can't find enough info to say
> > > > either way. Please check.
> > > >
> > > > CVE-2009-4124[0]:
> > > > | Heap-based buffer overflow in the rb_str_justify function in string.c
> > > > | in Ruby 1.9.1 before 1.9.1-p376 allows context-dependent attackers to
> > > > | execute arbitrary code via unspecified vectors involving (1)
> > > > | String#ljust, (2) String#center, or (3) String#rjust. NOTE: some of
> > > > | these details are obtained from third party information.
> > > >
> > > > If you fix the vulnerability please also make sure to include the
> > > > CVE id in your changelog entry.
> > > >
> > > > For further information see:
> > > >
> > > > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4124
> > > >     http://security-tracker.debian.org/tracker/CVE-2009-4124
> > >
> > > Hi Michael,
> > >
> > > The version of ruby1.9 in lenny seems to be affected. Ruby1.9 is no
> > > longer available in unstable. I'm tempted to just ignore that bug (the
> > > patch from 1.9.1 doesn't apply to 1.9.0).
> >
> > This seems like a rather severe bug to ignore (arbitrary code
> > execution). Do you have a link to the patch? I still don't see it, but
> > I've only quickly scanned mitre's links. Perhaps someone else would be
> > able to backport it.
>
> http://github.com/ruby/ruby/commit/8a5224e4de1f8375e787dd64d55becf1018170df
> (For the ruby 1.9.1 branch)
>
> It doesn't sound impossible to backport it, someone just has to spend
> time on it.
The patch actually applies directly to 1.9 with some whitespace fixups. I've built an updated package with this fixed:

http://mentors.debian.net/debian/pool/main/r/ruby1.9

Would anyone be willing to put together a DSA for this?

Thanks.
mike