Bug#: 69985
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Kurt Lieber <klieber@gentoo.org>


Description:   Opened: 2004-11-03 15:33 0000
marking this as private for now.  
-----Forwarded Message-----
From: Martin Schulze <joey@infodrom.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2004-0983: Denial of service in Ruby
Date: Wed, 03 Nov 2004 09:20:37 +0100

Moin everybody!

I don't know if some of you are also shipping a version of ruby
in your distributions.  We have received a report that the upstream
developers have corrected a problem that could be triggered remotely
and cause an infinite loop on the server, since it's the CGI module.

The patch is here:
http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/lib/cgi.rb?cvsroot=src&r1=1.23.2.17&r2=1.23.2.18

This problem is semi-public already (upstream cvs, Debian packages),
it may not be too useful to try a coordinated release, but if you
would like to, I could postpone the advisory a bit.

------- Comment #1 From Kurt Lieber 2004-11-03 15:35:04 0000 -------
ruby folks, could you please have a look at this?  Adding usata as an explicit
CC since I'm not sure he can see the bug, otherwise.

------- Comment #2 From Kurt Lieber 2004-11-04 04:55:50 0000 -------
Adding xavier so he can see the bug.

------- Comment #3 From Mamoru KOMACHI (RETIRED) 2004-11-04 06:32:30 0000 -------
I'll look into this problem (I get bugzilla mail from ruby alias).

------- Comment #4 From solar 2004-11-04 09:05:42 0000 -------
But now you can't see this bug or comment here anymore.

------- Comment #5 From Thierry Carrez (RETIRED) 2004-11-05 05:24:45 0000 -------
Putting individual names rather than aliases.

------- Comment #6 From Sune Kloppenborg Jeppesen 2004-11-08 22:36:56 0000 -------
Debian published http://www.debian.org/security/2004/dsa-586. 

Ruby please provide a fixed ebuild.

------- Comment #7 From Mamoru KOMACHI (RETIRED) 2004-11-09 08:17:33 0000 -------
Thanks for re-adding me to this bug (I was not aware
that I was not able to revisit security bugs).

I added ruby-1.6.8-r12 on 5 Nov, and agriffis added 
ruby-1.8.2_pre3 yesterday. Both versions contain the
fix by ruby upstream. I could make patched revisions
of <=ruby-1.8.2_pre2, but I would rather ask arch
devs to test 1.6.8-r12 and ruby-1.8.2_pre3 and mark
them stable.

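As an added illustration (not part of the bug thread, and not Gentoo or Ruby upstream code): a small Ruby check that classifies installed dev-lang/ruby versions against the fixed ebuilds named in comment #7, ruby-1.6.8-r12 and ruby-1.8.2_pre3. It assumes that any earlier version in the same 1.6 or 1.8 branch is unfixed and that branches not named on the page are simply unknown; it implements only the parts of Gentoo version ordering these versions need (a `_pre`/`_rc`/`_alpha`/`_beta` suffix sorts before the plain release, `_p` after it, and a `-rN` revision after the unrevised version); the installed-package listing is constructed sample input, not output from any real machine.

```ruby
# Added example (not from the bug or from Gentoo/Ruby upstream): check installed
# dev-lang/ruby versions against the fixed ebuild versions from comment #7.
# Simplified Gentoo ordering: _alpha < _beta < _pre < _rc < release < _p,
# and -rN revision sorts after the unrevised version. Leading-zero component
# rules from PMS are not implemented (not needed for these versions).

SUFFIX_ORDER = { "alpha" => -4, "beta" => -3, "pre" => -2, "rc" => -1, "" => 0, "p" => 1 }.freeze

# Parse "1.8.2_pre3-r1" into a comparable array:
# [[1, 8, 2], [suffix_rank, suffix_number], revision]
def parse_gentoo_version(str)
  m = /\A(\d+(?:\.\d+)*)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?\z/.match(str)
  raise ArgumentError, "unparseable version: #{str.inspect}" unless m
  numbers  = m[1].split(".").map(&:to_i)
  suffix   = m[2] || ""
  suffix_n = (m[3] || "").to_i
  revision = (m[4] || "0").to_i
  [numbers, [SUFFIX_ORDER.fetch(suffix), suffix_n], revision]
end

# -1, 0 or 1 like <=>. A shorter component list sorts first (1.6 < 1.6.0),
# matching how Portage orders version components.
def compare_gentoo_versions(a, b)
  parse_gentoo_version(a) <=> parse_gentoo_version(b)
end

# Fixed versions per branch, as stated in comment #7 (assumption: any earlier
# version in the same branch is unfixed; other branches are not covered here).
FIXED = { "1.6" => "1.6.8-r12", "1.8" => "1.8.2_pre3" }.freeze

def ruby_branch(version)
  parse_gentoo_version(version)[0].first(2).join(".")
end

# Returns :fixed, :vulnerable, or :unknown (branch not in the fix list).
def cve_2004_0983_status(version)
  floor = FIXED[ruby_branch(version)]
  return :unknown unless floor
  compare_gentoo_versions(version, floor) >= 0 ? :fixed : :vulnerable
end

# Constructed sample of a Portage-style installed package listing
# ("category/name-version" per line); not real output of any system.
SAMPLE_INSTALLED = <<~LIST
  dev-lang/ruby-1.8.2_pre2
  dev-lang/perl-5.8.5
  dev-lang/ruby-1.6.8-r12
LIST

# Return the installed ruby versions still classified as vulnerable.
def vulnerable_rubies(listing)
  listing.lines.map(&:strip).filter_map do |line|
    next unless (m = %r{\Adev-lang/ruby-(.+)\z}.match(line))
    version = m[1]
    version if cve_2004_0983_status(version) == :vulnerable
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{vulnerable_rubies(SAMPLE_INSTALLED).inspect}"
end
```

On the sample listing the check reports only 1.8.2_pre2, since 1.6.8-r12 is exactly the 1.6 floor; the same function can be fed the real list of installed atoms from `/var/db/pkg`.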
------- Comment #8 From Sune Kloppenborg Jeppesen 2004-11-09 10:58:38 0000 -------
Arches please mark ruby-1.6.8-r1 and ruby-1.8.2_pre3 stable.

------- Comment #9 From Markus Rothe 2004-11-09 11:33:58 0000 -------
I cannot mark stable on ppc64: Won't compile: [...] ./mkconfig.rb:142: syntax error [...]

Markus

------- Comment #10 From Mamoru KOMACHI (RETIRED) 2004-11-09 12:33:21 0000 -------
Do you have cjk in USE?

------- Comment #11 From Ferris McCormick 2004-11-09 12:36:47 0000 -------
1.8.2_pre3 stable for sparc.  I cannot comment on 1.6.8-r1.

------- Comment #12 From Simon Stelling (RETIRED) 2004-11-09 12:59:18 0000 -------
1.8.2_pre3 and 1.6.8-r12 stable on amd64

------- Comment #13 From Sune Kloppenborg Jeppesen 2004-11-09 23:08:39 0000 -------
This is keyworded for ppc-macos, but that's not the arch alias. CC'ing kito and
ndimiduk 

------- Comment #14 From Jochen Maes (RETIRED) 2004-11-09 23:39:01 0000 -------
stable on ppc (both)

greets

------- Comment #15 From Bryan Østergaard (RETIRED) 2004-11-10 01:42:34 0000 -------
Stable on alpha.

------- Comment #16 From Markus Rothe 2004-11-10 05:51:14 0000 -------
mhh.. mysterious.. I cannot reproduce that error again.
dev-lang/ruby-1.8.2_pre3 is now stable on ppc64.

------- Comment #17 From Kito (RETIRED) 2004-11-10 08:34:15 0000 -------
stable on ppc-macos.


------- Comment #18 From Ferris McCormick 2004-11-11 05:06:31 0000 -------
1.6.8-r12 is also stable for sparc.  Builds, installs, and runs test cases as
expected.

------- Comment #19 From Olivier Crete 2004-11-11 07:34:44 0000 -------
x86 there

------- Comment #20 From Matthias Geerdsen 2004-11-11 07:37:51 0000 -------
security, pls vote on GLSA (since this is rated B3)

/me votes for a GLSA

at least Debian, Mandrake and Ubuntu have published advisories already


------- Comment #21 From Sune Kloppenborg Jeppesen 2004-11-11 08:20:31 0000 -------
I vote for a GLSA too.

------- Comment #22 From Hardave Riar (RETIRED) 2004-11-14 23:22:17 0000 -------
Stable on mips.

------- Comment #23 From Thierry Carrez (RETIRED) 2004-11-15 02:01:46 0000 -------
I vote YES too

------- Comment #24 From Thierry Carrez (RETIRED) 2004-11-16 02:01:03 0000 -------
GLSA 200411-23
arm hppa ia64: please mark stable to benefit from GLSA

------- Comment #25 From Thierry Carrez (RETIRED) 2004-11-16 02:03:40 0000 -------
s390 should also mark 1.8.2_pre3 stable

Ruby team : please clean up old vulnerable versions...
