
Bug#690502: unblock: ruby1.8/1.8.7.358-5



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ruby1.8

Version 1.8.7.358-5, just uploaded into unstable, includes a fix for
CVE-2012-4381 (Debian bug #689945).

Attached you will find a debdiff between the version in wheezy and this
one.

unblock ruby1.8/1.8.7.358-5

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Antonio Terceiro <terceiro@debian.org>
diff -Nru ruby1.8-1.8.7.358/debian/changelog ruby1.8-1.8.7.358/debian/changelog
--- ruby1.8-1.8.7.358/debian/changelog	2012-06-02 07:34:01.000000000 -0300
+++ ruby1.8-1.8.7.358/debian/changelog	2012-10-14 19:46:41.000000000 -0300
@@ -1,3 +1,10 @@
+ruby1.8 (1.8.7.358-5) unstable; urgency=high
+
+  * added debian/patches/CVE-2012-4481.patch to fix CVE-2012-4481
+    (Closes: #689945)
+
+ -- Antonio Terceiro <terceiro@debian.org>  Sun, 14 Oct 2012 19:45:52 -0300
+
 ruby1.8 (1.8.7.358-4) unstable; urgency=low
 
   * debian/rules: avoid running DRB tests, since they crash and leave runaway
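Review bot: The new changelog entry cites CVE-2012-4481, while the unblock request text above says the upload fixes CVE-2012-4381. The patch file name and its header also say 4481, so the identifier in the request should be confirmed before the unblock is processed. The entry would also be easier to audit if it said what the patch changes (the removal of the OBJ_INFECT call in name_err_to_s in error.c) rather than only naming the patch file.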
diff -Nru ruby1.8-1.8.7.358/debian/patches/CVE-2012-4481.patch ruby1.8-1.8.7.358/debian/patches/CVE-2012-4481.patch
--- ruby1.8-1.8.7.358/debian/patches/CVE-2012-4481.patch	1969-12-31 21:00:00.000000000 -0300
+++ ruby1.8-1.8.7.358/debian/patches/CVE-2012-4481.patch	2012-10-14 19:45:15.000000000 -0300
@@ -0,0 +1,18 @@
+Description: avoid breaking safefity in strings passed to Exception#to_s
+ Fixes CVE-2012-4481
+Bug-Debian: http://bugs.debian.org/689945
+Origin: http://seclists.org/oss-sec/2012/q4/22
+Reviewed-By: Antonio Terceiro <terceiro@debian.org>
+
+--- ruby1.8-1.8.7.358.orig/error.c
++++ ruby1.8-1.8.7.358/error.c
+@@ -665,9 +665,6 @@ name_err_to_s(exc)
+ 
+     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
+     StringValue(str);
+-    if (str != mesg) {
+-	OBJ_INFECT(str, mesg);
+-    }
+     return str;
+ }
+ 
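Review bot: The Description line in the patch header misspells "safety" as "safefity" and names Exception#to_s, but the embedded hunk changes name_err_to_s in error.c. The header should name the function actually touched so the patch can be matched against the advisory. The three removed lines are the conditional OBJ_INFECT(str, mesg) call, and the header gives no sentence on why returning str without it is the intended behaviour; the Origin link is the only explanation, so a one-line rationale in the Description would help later reviewers. No test accompanies the change.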
diff -Nru ruby1.8-1.8.7.358/debian/patches/series ruby1.8-1.8.7.358/debian/patches/series
--- ruby1.8-1.8.7.358/debian/patches/series	2012-05-27 10:59:27.000000000 -0300
+++ ruby1.8-1.8.7.358/debian/patches/series	2012-10-14 19:43:03.000000000 -0300
@@ -13,3 +13,4 @@
 110703_CVE-2011-0188.patch
 tcltk-no-rpath.patch
 use-ldflags.patch
+CVE-2012-4481.patch
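Review bot: The added series entry is named CVE-2012-4481.patch, while the existing CVE patch visible in the context lines carries a date prefix (110703_CVE-2011-0188.patch). If that prefix is the package's convention for security patches, rename the new file to match; the other two visible entries are unprefixed, so this is a style point only.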
