Your message dated Sun, 07 Oct 2012 12:29:44 +0200 with message-id <50715998.9050204@dogguy.org> and subject line Re: Bug#689839: unblock: ruby1.9.1/1.9.3.194-2 has caused the Debian Bug report #689839, regarding unblock: ruby1.9.1/1.9.3.194-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 689839: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689839 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: ruby1.9.1/1.9.3.194-2
- From: Antonio Terceiro <terceiro@debian.org>
- Date: Sat, 6 Oct 2012 18:17:00 -0300
- Message-id: <[🔎] 20121006211700.GA11480@debian.org>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package ruby1.9.1 I've just uploaded ruby1.9.1/1.9.3.194-2 to unstable. It contains a security fix for CVE-2011-1005, which closes Debian bug #689075. Attached you will find a debdiff against the version currently in wheezy. unblock ruby1.9.1/1.9.3.194-2 -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- Antonio Terceiro <terceiro@debian.org>diff -Nru ruby1.9.1-1.9.3.194/debian/changelog ruby1.9.1-1.9.3.194/debian/changelog --- ruby1.9.1-1.9.3.194/debian/changelog 2012-06-02 08:10:26.000000000 -0300 +++ ruby1.9.1-1.9.3.194/debian/changelog 2012-10-06 16:29:43.000000000 -0300 @@ -1,3 +1,12 @@ +ruby1.9.1 (1.9.3.194-2) unstable; urgency=low + + * debian/patches/20120927-cve_2011_1005.patch: patch sent by upstream; + fixes CVE-2011-1005 which was thought of as not affecting the Ruby 1.9.x + series (Closes: #689075). Thanks to Tyler Hicks <tyhicks@canonical.com> + for reporting the issue. + + -- Antonio Terceiro <terceiro@debian.org> Sat, 06 Oct 2012 16:29:42 -0300 + ruby1.9.1 (1.9.3.194-1) unstable; urgency=low [ Lucas Nussbaum ] diff -Nru ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch --- ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch 1969-12-31 21:00:00.000000000 -0300 +++ ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch 2012-10-02 10:06:08.000000000 -0300 @@ -0,0 +1,93 @@ +Description: Prevent untainted strings from being incorrectly tainted + This flaw allowed untainted strings to be tainted and modified, even in + safe level 4. +Origin: upstream +--- a/error.c ++++ b/error.c +@@ -569,7 +569,6 @@ exc_to_s(VALUE exc) + + if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc)); + r = rb_String(mesg); +- OBJ_INFECT(r, exc); + return r; + } + +@@ -853,11 +852,7 @@ name_err_to_s(VALUE exc) + + if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc)); + StringValue(str); +- if (str != mesg) { +- rb_iv_set(exc, "mesg", mesg = str); +- } +- OBJ_INFECT(mesg, exc); +- return mesg; ++ return str; + } + + /* +@@ -988,7 +983,6 @@ name_err_mesg_to_str(VALUE obj) + args[2] = d; + mesg = rb_f_sprintf(NAME_ERR_MESG_COUNT, args); + } +- OBJ_INFECT(mesg, obj); + return mesg; + } + +--- a/test/ruby/test_exception.rb ++++ b/test/ruby/test_exception.rb +@@ -333,4 +333,55 @@ end.join + load(t.path) + end + end ++ ++ def test_to_s_taintness_propagation ++ for exc in [Exception, NameError] ++ m = "abcdefg" ++ e = exc.new(m) ++ e.taint ++ s = e.to_s ++ assert_equal(false, m.tainted?, ++ "#{exc}#to_s should not propagate taintness") ++ assert_equal(false, s.tainted?, ++ "#{exc}#to_s should not propagate taintness") ++ end ++ ++ o = Object.new ++ def o.to_str ++ "foo" ++ end ++ o.taint ++ e = NameError.new(o) ++ s = e.to_s ++ assert_equal(false, s.tainted?) ++ end ++ ++ # CVE-2011-1005 ++ def test_exception_to_s_should_not_propagate_untrustedness ++ favorite_lang = "Ruby" ++ ++ for exc in [Exception, NameError] ++ assert_raise(SecurityError) do ++ lambda { ++ $SAFE = 4 ++ exc.new(favorite_lang).to_s ++ favorite_lang.replace("Python") ++ }.call ++ end ++ end ++ ++ assert_raise(SecurityError) do ++ lambda { ++ $SAFE = 4 ++ o = Object.new ++ o.singleton_class.send(:define_method, :to_str) { ++ favorite_lang ++ } ++ NameError.new(o).to_s ++ favorite_lang.replace("Python") ++ }.call ++ end ++ ++ assert_equal("Ruby", favorite_lang) ++ end + end diff -Nru ruby1.9.1-1.9.3.194/debian/patches/series ruby1.9.1-1.9.3.194/debian/patches/series --- ruby1.9.1-1.9.3.194/debian/patches/series 2012-05-27 19:46:34.000000000 -0300 +++ ruby1.9.1-1.9.3.194/debian/patches/series 2012-09-30 17:40:56.000000000 -0300 @@ -16,3 +16,4 @@ 110829-hurd_dirent_usage.patch hurd-path-max.diff 20120517-r35434.patch +20120927-cve_2011_1005.patchAttachment: signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
- To: Antonio Terceiro <terceiro@debian.org>, 689839-done@bugs.debian.org
- Subject: Re: Bug#689839: unblock: ruby1.9.1/1.9.3.194-2
- From: Mehdi Dogguy <mehdi@dogguy.org>
- Date: Sun, 07 Oct 2012 12:29:44 +0200
- Message-id: <50715998.9050204@dogguy.org>
- In-reply-to: <[🔎] 20121006211700.GA11480@debian.org>
- References: <[🔎] 20121006211700.GA11480@debian.org>
On 06/10/2012 23:17, Antonio Terceiro wrote: > Package: release.debian.org Severity: normal User: > release.debian.org@packages.debian.org Usertags: unblock > > Please unblock package ruby1.9.1 > Unblocked. Regards, -- Mehdi Dogguy مهدي الدڤي
--- End Message ---