Re: Ruby 1.9.1 Squeeze package for test
On Sun, Jun 28, 2015 at 02:12:48PM +0200, Santiago Ruano Rincón wrote:
[..snip..]
> > Apart from that I noticed this behaviour change due to the fix for
> > CVE-2013-0269 (based on [1]):
> >
> > Squeeze version:
> > # cat <<EOF | ruby1.9.1
> > require 'json'
> > p JSON.parse('{"json_class":"foo"}')['json_class']
> > EOF
> > Outputs: /usr/lib/ruby/1.9.1/json/common.rb:39:in `const_defined?': wrong constant name foo (NameError)
> > from /usr/lib/ruby/1.9.1/json/common.rb:39:in `block in deep_const_get'
> > from /usr/lib/ruby/1.9.1/json/common.rb:36:in `each'
> > from /usr/lib/ruby/1.9.1/json/common.rb:36:in `inject'
> > from /usr/lib/ruby/1.9.1/json/common.rb:36:in `deep_const_get'
> > from /usr/lib/ruby/1.9.1/json/common.rb:146:in `parse'
> > from /usr/lib/ruby/1.9.1/json/common.rb:146:in `parse'
> > from -:2:in `<main>'
> >
> > Your fixed version:
> >
> > # cat <<EOF | ruby1.9.1
> > require 'json'
> > p JSON.parse('{"json_class":"foo"}')['json_class']
> > EOF
> > Outputs: "foo"
> >
>
> This is the same behavior I get from wheezy's version.
>
> % cat <<EOF | ruby1.9.1
> require 'json'
> p JSON.parse('{"json_class":"foo"}')['json_class']
> EOF
> "foo"
>
> Actually, I had to backport more code from wheezy.
>
> > I just wonder if there could be any code out there that relies on the
> > first version throwing NameError and if we'd need to mention this in the
> > DLA?
>
> For the moment, I have been unable to find any code or to throw the
> NameError.
> Moreover, I've realised that the test_json_rails results in 4 failures
> out of 7 tests. But json/add/rails.rb was removed before the wheezy
> version. What do you think? Maybe we could find a more suitable
> solution?
Since this is in line with Wheezy (and upstream) I think the solution is
fine but maybe we should mention the behaviour change in NEWS.Debian?
Cheers,
-- Guido
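
The behaviour change discussed in this thread can be checked against any installed json library with a small script like the one below. It is an added example, not code from the thread or from the package. The `Probe` class, the helper names and the sample documents are hypothetical and constructed for illustration; `create_additions: true` is the json library's explicit opt-in for instantiating the class named by `json_class`.

```ruby
require 'json'

# Hypothetical class standing in for any application class that supports
# JSON additions by defining json_create.
class Probe
  attr_reader :value

  def initialize(value)
    @value = value
  end

  def self.json_create(hash)
    new(hash['value'])
  end
end

# Constructed sample documents.
UNKNOWN_CLASS_DOC = '{"json_class":"foo"}'.freeze              # the thread's input
KNOWN_CLASS_DOC   = '{"json_class":"Probe","value":42}'.freeze # names a real class

# Classify what a default JSON.parse does with a document carrying json_class:
#   :plain_hash            -> key treated as data (fixed behaviour)
#   :object_created        -> class instantiated without opt-in (unfixed)
#   :constant_lookup_error -> constant lookup attempted and failed (unfixed)
def default_parse_outcome(doc)
  result = JSON.parse(doc)
  result.is_a?(Hash) ? :plain_hash : :object_created
rescue NameError, ArgumentError
  :constant_lookup_error
end

# Callers that still need object creation have to ask for it explicitly.
def opt_in_parse(doc)
  JSON.parse(doc, create_additions: true)
end

def report
  {
    unknown_class: default_parse_outcome(UNKNOWN_CLASS_DOC),
    known_class: default_parse_outcome(KNOWN_CLASS_DOC),
    opt_in_class: opt_in_parse(KNOWN_CLASS_DOC).class
  }
end

puts report.inspect if $PROGRAM_NAME == __FILE__
```

Code that relied on the old NameError, or on objects being created implicitly, shows up as a difference in the first two entries of the report between the old and new package.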