Bug 106996

Summary: dev-lang/ruby: Safe-Level Security Bypass Vulnerability
Product: Gentoo Security
Reporter: Jean-François Brunette (RETIRED) <formula7>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ruby
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/16904/
Whiteboard: B3 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-09-23 07:07:28 UTC
1.8.3 is in Portage but is ~ on all arches
--------------------------------

Description:
A vulnerability has been reported in Ruby, which can be exploited by malicious
people to bypass certain security restrictions.

The vulnerability is due to an error in "eval.c" in enforcing safe-level
protections. This can be exploited to execute certain insecure methods.

The vulnerability has been reported in the following versions:
* Ruby version 1.6.8 and prior (old release).
* Ruby version 1.8.2 and prior (stable).
* Ruby version 1.9.0 2005-09-01 and prior (development).

Solution:
Ruby 1.8.x:
Update to version 1.8.3.
ftp://ftp.ruby-lang.org/pub/ruby/ruby-1.8.3.tar.gz
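As an added example (not code from the bug report, the Secunia advisory or the Ruby project), the following Ruby script classifies a `ruby -v` banner against the affected ranges listed in the description above, so an administrator can audit hosts for interpreters still below the fixed release. It assumes the banner format `ruby X.Y.Z (YYYY-MM-DD ...) [platform]` printed by `ruby -v`; the sample banners are constructed; and it treats 1.9.0 snapshots dated after 2005-09-01, and every later release line, as fixed, which is an assumption beyond what the advisory states. Anything it cannot parse, or a branch the advisory does not mention, is reported as `:unknown` rather than guessed.

```ruby
# Added example: check `ruby -v` banners against the advisory's affected ranges.
require 'rubygems'
require 'date'

# Affected ranges as stated in the description: 1.6.8 and prior (old release),
# 1.8.2 and prior (stable), and 1.9.0 development snapshots dated 2005-09-01
# or earlier. The fix shipped in 1.8.3.
LAST_AFFECTED_STABLE = {
  '1.6' => Gem::Version.new('1.6.8'),
  '1.8' => Gem::Version.new('1.8.2'),
}.freeze
LAST_AFFECTED_DEV_SNAPSHOT = Date.new(2005, 9, 1)
FIXED_VERSION = Gem::Version.new('1.8.3')

# Assumed banner format: "ruby 1.8.2 (2004-12-25) [i686-linux]"; newer
# interpreters add "revision ..." after the date, which [^)]* skips.
BANNER_RE = /\Aruby\s+(\d+\.\d+\.\d+)\s+\((\d{4}-\d{2}-\d{2})[^)]*\)/

# Parse a banner into [Gem::Version, Date]; nil when it is not recognised.
def parse_banner(banner)
  m = BANNER_RE.match(banner.to_s)
  return nil unless m
  [Gem::Version.new(m[1]), Date.strptime(m[2], '%Y-%m-%d')]
end

# Return :affected, :fixed or :unknown for one banner.
def safe_level_status(banner)
  parsed = parse_banner(banner)
  return :unknown unless parsed
  version, release_date = parsed

  # Stable lines listed in the advisory: compare against the last affected patch level.
  branch = version.segments[0, 2].join('.')
  if (last_affected = LAST_AFFECTED_STABLE[branch])
    return version <= last_affected ? :affected : :fixed
  end

  # 1.9.0 development snapshots are identified by date, not patch level.
  if version == Gem::Version.new('1.9.0')
    return release_date <= LAST_AFFECTED_DEV_SNAPSHOT ? :affected : :fixed
  end

  # Assumption: anything at or beyond the fixed release carries the fix;
  # other unlisted branches (e.g. 1.7.x) are not classified.
  version >= FIXED_VERSION ? :fixed : :unknown
end

# Classify the interpreter running this script.
def current_interpreter_status
  safe_level_status("ruby #{RUBY_VERSION} (#{RUBY_RELEASE_DATE})")
end

if __FILE__ == $0
  # Constructed sample banners, not captured from real hosts.
  [
    'ruby 1.8.2 (2004-12-25) [i686-linux]',
    'ruby 1.8.3 (2005-09-21) [i686-linux]',
    'ruby 1.9.0 (2005-09-01) [i686-linux]',
  ].each { |b| puts "#{b} => #{safe_level_status(b)}" }
  puts "this interpreter => #{current_interpreter_status}"
end
```

On a fleet, feed each host's `ruby -v` output through `safe_level_status`; only `:fixed` means the interpreter is at or past the release the advisory names, and `:unknown` results should be inspected by hand rather than assumed safe.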
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-23 07:54:17 UTC
Ruby, is 1.8.3 ready to be marked stable?
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-27 00:08:15 UTC
Ruby please advise. 
Comment 3 rob holland (RETIRED) gentoo-dev 2005-09-27 01:06:16 UTC
As far as I know, it's not ready. I've seen several packages state they don't
work with 1.8.3 and I believe this is due to bugs in that release.

I'm not an expert though...
Comment 4 Michael Kohl (RETIRED) gentoo-dev 2005-09-27 02:24:13 UTC
AFAIK clean_logger.rb from Activesupport/Rails doesn't work with 1.8.3
unpatched, but people seem to blame it on that file instead of Ruby itself. I
also believe that Caleb has added a patch to the Rails ebuild which deals with
this problem.

Some people also seem to have problems with the included openssl implementation,
but as far as I can see our Ruby build isn't concerned by this (the likely
problem is a missing openssl-devel package on the concerned distros, the joys of
binary).

Personally I'd vote for stabling 1.8.3, as from my POV the problems people have
with this release are mostly their fault.

Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-27 04:03:56 UTC
Arches please test and mark stable. 
Comment 6 René Nussbaumer (RETIRED) gentoo-dev 2005-09-27 04:54:19 UTC
Stable on hppa
Comment 7 Ferris McCormick (RETIRED) gentoo-dev 2005-09-27 05:25:47 UTC
Stable on sparc. For rails support, please upgrade dev-ruby/rubygems,
dev-ruby/activesupport.  Freeride, seems OK with 1.8.3; fxruby and my own tests
check out with no problems.
Comment 8 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-09-27 09:33:56 UTC
Stable on ppc.
Comment 9 Andrej Kacian (RETIRED) gentoo-dev 2005-09-27 17:24:20 UTC
Works on x86.
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2005-09-28 12:34:31 UTC
stable on ppc64
Comment 11 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-09-29 12:56:19 UTC
ruby-1.8.3 stable on alpha
Comment 12 Simon Stelling (RETIRED) gentoo-dev 2005-09-30 12:41:32 UTC
stable on amd64, sorry for the delay
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-09-30 13:53:20 UTC
Ready for GLSA vote
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-10-01 03:39:33 UTC
CAN-2005-2337
I tend to vote yes.
Comment 15 Fabian Groffen gentoo-dev 2005-10-01 07:53:34 UTC
sorry for the delay.

ruby 1.8.3 doesn't compile on Panther (10.3) (missing autoconf 2.59)
ruby 1.8.3 is masked on Tiger (10.4) (collisions)

hence, the best I could do was to mask the older 1.8 versions on Panther also.
Comment 16 Hardave Riar (RETIRED) gentoo-dev 2005-10-01 17:35:06 UTC
Stable on mips.
Comment 17 Bryan Østergaard (RETIRED) gentoo-dev 2005-10-01 18:10:35 UTC
ia64 stable.
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-02 10:06:17 UTC
I tend to vote YES too. 
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2005-10-04 05:54:46 UTC
OK, let's have a GLSA then, since nobody else wants to vote.
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-06 07:57:13 UTC
GLSA 200510-05

arm, ppc-macos and s390 please remember to mark stable to benefit from the
GLSA.
Comment 21 Fabian Groffen gentoo-dev 2005-10-08 08:04:11 UTC
now solved for ppc-macos