On 26/06/15 at 12:03, Guido Günther wrote:
> Hi Santiago,
Hi Guido,
Thanks for reviewing!
> On Wed, Jun 24, 2015 at 10:16:08PM +0200, Santiago Ruano Rincón wrote:
> > Hi there,
> >
> > I've prepared a ruby 1.9.1 package to fix the two open CVEs
> > CVE-2012-5371 and CVE-2013-0269. As usual, tests are more than welcome.
> > The package is available at the repository:
> >
> > deb https://people.debian.org/~santiago/debian santiago-squeeze-lts/
> >
> > Debdiff against current package attached.
> >
> > Cheers,
> >
> > Santiago
> >
...
> > diff -Nru ruby1.9.1-1.9.2.0/debian/patches/series ruby1.9.1-1.9.2.0/debian/patches/series
> > --- ruby1.9.1-1.9.2.0/debian/patches/series 2015-05-30 19:47:58.000000000 +0200
> > +++ ruby1.9.1-1.9.2.0/debian/patches/series 2015-06-23 22:44:07.000000000 +0200
> > @@ -68,3 +68,5 @@
> >
> > #XXX todo: CVE-2012-5371
> > #XXX todo: CVE-2013-0269
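Review bot: the two `#XXX todo:` markers for CVE-2012-5371 and CVE-2013-0269 are still present in debian/patches/series even though this upload is the one that fixes both CVEs; drop them so the series file does not advertise the issues as open. Also, the hunk header `@@ -68,3 +68,5 @@` announces two added lines, but no `+` lines are visible in the quoted excerpt, so the names of the new patch files cannot be checked here; please make sure the two new entries are the last lines of the file and that each patch has a header naming the CVE it addresses.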
>
> Minor nitpick: I think these can be dropped now that the CVEs are
> fixed.
>
Ok
> Apart from that I noticed this behaviour change due to the fix for
> CVE-2013-0269 (based on [1]):
>
> Squeeze version:
> # cat <<EOF | ruby1.9.1
> require 'json'
> p JSON.parse('{"json_class":"foo"}')['json_class']
> EOF
> Outputs: /usr/lib/ruby/1.9.1/json/common.rb:39:in `const_defined?': wrong constant name foo (NameError)
> from /usr/lib/ruby/1.9.1/json/common.rb:39:in `block in deep_const_get'
> from /usr/lib/ruby/1.9.1/json/common.rb:36:in `each'
> from /usr/lib/ruby/1.9.1/json/common.rb:36:in `inject'
> from /usr/lib/ruby/1.9.1/json/common.rb:36:in `deep_const_get'
> from /usr/lib/ruby/1.9.1/json/common.rb:146:in `parse'
> from /usr/lib/ruby/1.9.1/json/common.rb:146:in `parse'
> from -:2:in `<main>'
>
> Your fixed version:
>
> # cat <<EOF | ruby1.9.1
> require 'json'
> p JSON.parse('{"json_class":"foo"}')['json_class']
> EOF
> Outputs: "foo"
>
This is the same behavior I get from the wheezy version.
% cat <<EOF | ruby1.9.1
require 'json'
p JSON.parse('{"json_class":"foo"}')['json_class']
EOF
"foo"
Actually, I had to backport more code from wheezy.
> I just wonder if there could be any code out there that relies on the
> first version throwing NameError and if we'd need to mention this in the
> DLA?
For the moment, I have been unable to find any such code, or to trigger the
NameError.
Moreover, I've realised that test_json_rails results in 4 failures out of
7 tests. But json/add/rails.rb was removed before the wheezy
version. What do you think? Maybe we could find a more suitable
solution?
Cheers,
Santiago
Attachment:
signature.asc
Description: Digital signature
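The behaviour change Guido observed is the visible side of the CVE-2013-0269 fix: before it, JSON.parse honoured the "json_class" key and tried to resolve it as a constant (hence the NameError for "foo"); after it, additions are off by default and the key is plain data. The following is an added example, not code from the thread or from the Debian package, showing both modes on a current Ruby with the json gem. The names ATTACKER_DOC, BOGUS_DOC, parse_default, parse_with_additions and additions_error are mine; it assumes json/add/range from the json gem, which registers Range.json_create so that an untrusted document can build a Range object when additions are enabled.

```ruby
require 'json'
require 'json/add/range'   # registers Range.json_create, so json_class "Range" is creatable

# Constructed sample input (not from the thread): a document an attacker controls.
# With additions enabled, "json_class" is an instruction to the parser, not data.
ATTACKER_DOC = '{"json_class":"Range","a":[1,10,false]}'
# The document quoted in the thread: a json_class that names no constant.
BOGUS_DOC = '{"json_class":"foo"}'

# Post-fix default: create_additions is false, so json_class is an ordinary string key.
def parse_default(doc)
  JSON.parse(doc)
end

# Pre-fix behaviour, reproduced by opting in: the parser looks the named class up
# and calls its json_create with the attacker-supplied fields.
def parse_with_additions(doc)
  JSON.parse(doc, create_additions: true)
end

# Returns the exception raised (if any) when the json_class lookup fails with
# additions enabled; nil when parsing succeeds. Depending on the json gem version
# the lookup failure surfaces as NameError or as ArgumentError wrapping it.
def additions_error(doc)
  parse_with_additions(doc)
  nil
rescue StandardError => e
  e
end

if __FILE__ == $PROGRAM_NAME
  p parse_default(ATTACKER_DOC)              # {"json_class"=>"Range", "a"=>[1, 10, false]}
  p parse_with_additions(ATTACKER_DOC)       # 1..10 (an object built from untrusted input)
  p parse_default(BOGUS_DOC)['json_class']   # "foo", as in the fixed package
  p additions_error(BOGUS_DOC)               # NameError or ArgumentError: no constant "foo"
end
```

The practical check for a reviewer is the middle case: if a build of the package returns anything other than a Hash from JSON.parse on ATTACKER_DOC without the caller passing create_additions, the CVE-2013-0269 fix is not effective. Code that relied on the old NameError would have been relying on the unsafe code path in the first place.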