Your message dated Sun, 03 Jul 2011 18:33:29 +0000
with message-id <e1qdru1-0003n2...@franck.debian.org>
and subject line Bug#628452: fixed in ruby1.8 1.8.7.352-1
has caused the Debian Bug report #628452,
regarding CVE-2011-0188: arbitrary code execution
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
628452: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628452
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ruby1.8
Version: 1.8.7.334-5
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openswan.

CVE-2011-0188[0]:
| The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
| Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7
| and other platforms, does not properly allocate memory, which allows
| context-dependent attackers to execute arbitrary code or cause a
| denial of service (application crash) via vectors involving creation
| of a large BigDecimal value within a 64-bit process, related to an
| "integer truncation issue."

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers,
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0188
    http://security-tracker.debian.org/tracker/CVE-2011-0188

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk3hvxAACgkQ62zWxYk/rQdzMACgkYd/w/hd/UIKj2y3uddmmQcy
JtoAnRtpwM2sNlTPBKJkvvFHhskoqsch
=RvTy
-----END PGP SIGNATURE-----



--- End Message ---
--- Begin Message ---
Source: ruby1.8
Source-Version: 1.8.7.352-1

We believe that the bug you reported is fixed in the latest version of
ruby1.8, which is due to be installed in the Debian FTP archive:

libruby1.8-dbg_1.8.7.352-1_amd64.deb
  to main/r/ruby1.8/libruby1.8-dbg_1.8.7.352-1_amd64.deb
libruby1.8_1.8.7.352-1_amd64.deb
  to main/r/ruby1.8/libruby1.8_1.8.7.352-1_amd64.deb
libtcltk-ruby1.8_1.8.7.352-1_amd64.deb
  to main/r/ruby1.8/libtcltk-ruby1.8_1.8.7.352-1_amd64.deb
ri1.8_1.8.7.352-1_all.deb
  to main/r/ruby1.8/ri1.8_1.8.7.352-1_all.deb
ruby1.8-dev_1.8.7.352-1_amd64.deb
  to main/r/ruby1.8/ruby1.8-dev_1.8.7.352-1_amd64.deb
ruby1.8-examples_1.8.7.352-1_all.deb
  to main/r/ruby1.8/ruby1.8-examples_1.8.7.352-1_all.deb
ruby1.8-full_1.8.7.352-1_all.deb
  to main/r/ruby1.8/ruby1.8-full_1.8.7.352-1_all.deb
ruby1.8_1.8.7.352-1.debian.tar.gz
  to main/r/ruby1.8/ruby1.8_1.8.7.352-1.debian.tar.gz
ruby1.8_1.8.7.352-1.dsc
  to main/r/ruby1.8/ruby1.8_1.8.7.352-1.dsc
ruby1.8_1.8.7.352-1_amd64.deb
  to main/r/ruby1.8/ruby1.8_1.8.7.352-1_amd64.deb
ruby1.8_1.8.7.352.orig.tar.gz
  to main/r/ruby1.8/ruby1.8_1.8.7.352.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 628...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lucas Nussbaum <lu...@debian.org> (supplier of updated ruby1.8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 03 Jul 2011 19:00:52 +0200
Source: ruby1.8
Binary: ruby1.8 libruby1.8 libruby1.8-dbg ruby1.8-dev libtcltk-ruby1.8 ruby1.8-examples ri1.8 ruby1.8-full
Architecture: source all amd64
Version: 1.8.7.352-1
Distribution: unstable
Urgency: low
Maintainer: Lucas Nussbaum <lu...@debian.org>
Changed-By: Lucas Nussbaum <lu...@debian.org>
Description: 
 libruby1.8 - Libraries necessary to run Ruby 1.8
 libruby1.8-dbg - Debugging symbols for Ruby 1.8
 libtcltk-ruby1.8 - Tcl/Tk interface for Ruby 1.8
 ri1.8      - Ruby Interactive reference (for Ruby 1.8)
 ruby1.8    - Interpreter of object-oriented scripting language Ruby 1.8
 ruby1.8-dev - Header files for compiling extension modules for the Ruby 1.8
 ruby1.8-examples - Examples for Ruby 1.8
 ruby1.8-full - Ruby 1.8 full installation
Closes: 628452
Changes: 
 ruby1.8 (1.8.7.352-1) unstable; urgency=low
 .
   * New upstream release.
     + debian/patches/110411_disable_osslv2.patch: not needed anymore
   * Backport r30993 from the ruby_1.9 branch to fix CVE-2011-0188.
     Closes: #628452
   * Build-depend on tcl-dev and tk-dev instead of 8.4.
   * Add debian/patches/tcltk-no-rpath.patch: disable rpath in
     the tcltk extension.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
