Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [month] [year] [list] 
Date: Mon, 30 Jun 2008 17:10:12 -0400
From: Jamie Strandboge <jamie@...onical.com>
To: Robert Buchholz <rbu@...too.org>
Cc: vendor-sec@....de, oss-security@...ts.openwall.com
Subject: Re: [vendor-sec] Re: patch sets for recent ruby vulnerabilities

On Sun, 29 Jun 2008, Robert Buchholz wrote:

> On Thursday 26 June 2008, Jamie Strandboge wrote:
> > ----- Forwarded message from Shugo Maeda <security@...y-lang.org>
> > -----
> >
> > Date: Thu, 26 Jun 2008 12:16:52 +0900
> > From: Shugo Maeda <security@...y-lang.org>
> > To: Jamie Strandboge <jamie@...onical.com>
> > Cc: security@...ntu.com
> > Subject: Re: patch sets for recent ruby vulnerabilities
> >
> > Hello,
> >
> > 2008/6/25 Jamie Strandboge <jamie@...onical.com>:
> > >> ------------------------------------------------------------------
> > >>------ r17530 | nobu | 2008-06-22 07:16:45 +0900 (Sun, 22 Jun 2008)
> > >> | 2 lines Changed paths:
> > >>    M /branches/ruby_1_8/ChangeLog
> > >>    M /branches/ruby_1_8/string.c
> > >>
> > >> * string.c (str_buf_cat): check for self concatenation.
> > >
> > > Without having dived into the code yet, is this the fix for the
> > > regressions with rails and others?
> >
> > No, it's not.
> > The following commit may be the cause of the problems with Rails.
> >
> > ---------------------------------------------------------------------
> >--- r15856 | matz | 2008-03-30 00:47:54 +0900 (Sun, 30 Mar 2008) | 2
> > lines Changed paths:
> >    M /branches/ruby_1_8/ChangeLog
> >    M /branches/ruby_1_8/class.c
> >
> > * class.c (clone_method): should copy cref as well.
> >   [ruby-core:15833]
> 
> 
> Thanks for the info, one of our Ruby maintainers confirmed that 
> reverting this patch lets the test suite run through without errors.
> Did your email contact with Ruby folks yield an information whether they 
> plan to fix it for the 1.8 branch, or do they rely on distributions to 
> ship reverts of the commit if they care about older Rails?
> 
They did not say, however, this patch is not part of the security
patchsets as detailed by Drew Yao or upstream Ruby, so we ommitted it.

> Also, there was a similar thread on oss-security, you posting the 
> information there would probably be appreciated.
> 
Ah yes, meant to do that. Done.

Jamie

-- 
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux