Bug 142038 - dev-lang/ruby: Ruby Safe Level Security Bypass Vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Other
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/21009
Whiteboard: B4 [noglsa] jaervosz
Reported: 2006-07-28 14:13 UTC by Alexander Færøy
Modified: 2019-12-26 10:27 UTC
Description Alexander Færøy 2006-07-28 14:13:03 UTC
From the description:
Two vulnerabilities have been reported in Ruby, which can be exploited by malicious people to bypass certain security restrictions.

1) An error in the handling of the "alias" functionality can be exploited to bypass the safe level protection and replace methods called in the trusted level.

2) An error caused due to directory operations not being properly checked can be exploited to bypass the safe level protection and close untainted directory streams.

The vulnerabilities have been reported in version 1.8.4 and prior.


The current stable version for ruby in portage is 1.8.4-r3.
It should be fixed in the upcoming 1.8.5 release.

Regards,
Alexander (eroyf)
Comment 1 Alexander Færøy 2006-07-28 14:35:42 UTC
Are we able to call arches atm?
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-07-29 05:28:04 UTC
Ruby team: is 1.8.4.20060529 or 1.8.5pre1 a suitable stable target?
Comment 3 Caleb Tennis (RETIRED) gentoo-dev 2006-08-07 05:01:08 UTC
I wouldn't call either of those versions good to recommend.  I'd like to see if we can't patch 1.8.4 somehow first.  A 1.8.5 final (or _rc2 or something) should be released in the next few days, but I'm not 100% trusting of it yet.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2006-08-12 08:14:35 UTC
OK, let's wait for 1.8.5 rc2 or release.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-13 23:19:02 UTC
Upstream snapshot should be released, is that one suitable?
Comment 6 Caleb Tennis (RETIRED) gentoo-dev 2006-09-19 03:32:33 UTC
1.8.5 is in portage, but I'm still not 100% on it being stable yet.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-19 03:37:04 UTC
Caleb, should I call arches to test or wait a bit?
Comment 8 Caleb Tennis (RETIRED) gentoo-dev 2006-09-19 04:29:01 UTC
I'd like to give it at least 1 more week to make sure things are okay with everyone.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-26 09:27:47 UTC
Caleb, one week has passed, is it ready for stable marking?
Comment 10 Caleb Tennis (RETIRED) gentoo-dev 2006-09-26 09:28:34 UTC
Yeah, I haven't seen any bugs opened in the past week, so I think we're okay to go.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-26 09:40:17 UTC
Thx Caleb.

Arches please test and mark stable. Target keywords are:

ruby-1.8.5.ebuild:KEYWORDS="alpha amd64 arm ~hppa ia64 mips ppc ~ppc-macos ppc64 s390 sh sparc x86"
Comment 12 Christoph Mende (RETIRED) gentoo-dev 2006-09-26 10:19:40 UTC
- emerges fine on amd64
- passes collision-test
- passes multilib-strict
- works

Portage 2.1.2_pre1-r3 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.18-ck1 x86_64)
=================================================================
System uname: 2.6.18-ck1 x86_64 AMD Athlon(tm) 64 Processor 3000+
Gentoo Base System version 1.12.5
Last Sync: Tue, 26 Sep 2006 10:50:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /var/qmail/alias /var/qmail/control /var/vpopmail/domains /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ "
LANG="en_US.ISO8859-1"
LC_ALL="en_US.ISO8859-1"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/overlay"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="amd64 X a52 aac acpi alsa amr avi berkdb bitmap-fonts branding bzip2 cairo cdinstall cdparanoia cdr cli crypt cups dbus divx dlloader dri dvd dvdr dvdread elibc_glibc emboss encode expat fam firefox foomaticdb fortran gdbm gif glut gnutls gpm gstreamer gtk gtk2 hal imagemagick input_devices_evdev input_devices_keyboard isdnlog jpeg kernel_linux lcms ldap libg++ lirc lirc_devices_inputlirc logrotate mad mikmod mng mp3 mpeg musicbrainz ncurses nls nptl nptlonly offensive ogg opengl pam pcre pdflib php png ppds pppd quicktime readline reflection reiserfs rtc sdl session socks5 spl ssl svg symlink tcpd tiff truetype truetype-fonts type1-fonts udev unicode userland_GNU userlocales v4l v4l2 video_cards_fglrx video_cards_radeon vim-with-x vorbis wmp x264 xfs xine xinerama xml xorg xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS
Comment 13 Simon Stelling (RETIRED) gentoo-dev 2006-09-26 10:40:30 UTC
amd64 aye
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-26 12:58:44 UTC
Sorry, correct target keywords are:

ruby-1.8.5.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ~ppc-macos ppc64 s390 sh sparc x86"

Thx Gustavoz for noticing that.
Comment 15 Markus Rothe (RETIRED) gentoo-dev 2006-09-26 13:11:31 UTC
ppc64 stable
Comment 16 Markus Meier gentoo-dev 2006-09-26 14:06:57 UTC
1.) emerges fine on x86
2.) passes collision test
3.) fails test suite:
  1) Failure:
test_endblockwarn(TestBeginEndBlock) [./ruby/test_beginendblock.rb:54]:
<"endblockwarn.rb:2: warning: END in method; use at_exit\n(eval):2: warning: END in method; use at_exit\n"> expected but was
<"/var/tmp/portage/ruby-1.8.5/temp/TestBeginEndBlock.14018.0:6: warning: Insecure world writable dir /var/tmp, mode 041777\nendblockwarn.rb:2: warning: END in method; use at_exit\n(eval):2: warning: END in method; use at_exit\n">.

1575 tests, 15663 assertions, 1 failures, 0 errors

4.) but works (tested with rails)


emerge --info
Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17.13 i686)
=================================================================
System uname: 2.6.17.13 i686 AMD Athlon(TM) XP1800+
Gentoo Base System version 1.12.5
Last Sync: Tue, 26 Sep 2006 14:50:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.2.11-r1
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LANG="en_GB.utf8"
LINGUAS="en de en_GB"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/normal /usr/local/portage/testing"
SYNC="rsync://192.168.2.1/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aac acpi alsa apache2 bash-completion berkdb bitmap-fonts bzip2 cairo cdr cli crypt css cups dbus divx4linux dlloader dri dts dvd dvdr dvdread elibc_glibc emboss exif fam ffmpeg firefox font-server fortran gdbm gif gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml hal input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kernel_linux ldap libclamav libg++ linguas_de linguas_en linguas_en_GB logitech-mouse mad mikmod mmx mmxext mono mozcalendar mozdevelop mozsvg mp3 mpeg ncurses network nls nptl nptlonly nvidia oav ogg opengl oss pam pcre perl png ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl seamonkey session spell spl ssl tcltk tcpd test tetex tiff truetype truetype-fonts type1-fonts udev unicode usb userland_GNU vcd video_cards_none video_cards_nv vorbis win32codecs xine xinerama xml xorg xorg-x11 xprint xv xvg xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 17 Joshua Jackson (RETIRED) gentoo-dev 2006-09-26 20:55:02 UTC
x86 stable with x86 at's help ^.^
Comment 18 Fernando J. Pereda (RETIRED) gentoo-dev 2006-09-27 10:18:44 UTC
Alpha is what people talk about!

Actually, it is a pity that ruby tests are known to fail...

- ferdy
Comment 19 Tobias Scherbaum (RETIRED) gentoo-dev 2006-09-27 11:05:36 UTC
hppa&&ppc stable
Comment 20 Gustavo Zacarias (RETIRED) gentoo-dev 2006-09-28 06:04:43 UTC
sparc stable.
Comment 21 Matthias Geerdsen (RETIRED) gentoo-dev 2006-09-28 08:41:02 UTC
security, please vote on issuing a GLSA
Comment 22 Wolf Giesen (RETIRED) gentoo-dev 2006-09-28 09:22:07 UTC
I abstain from voting until we have a common understanding (see @security mail).
Comment 23 Alexander Færøy 2006-09-28 14:27:51 UTC
Compiles and works on my o2 (MIPS: r5000)
Comment 24 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-03 12:10:14 UTC
I tend to vote no.

Security, please vote.
Comment 25 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-10-18 05:49:02 UTC
No, and closing. Feel free to reopen if you disagree.
Comment 26 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-10-18 05:49:20 UTC
and closing