Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 16 Jul 2014 17:16:25 +0200
From: Tomas Hoger <>
To: Ramon de C Valle <>
Cc: "" <>,
        "" <>,
        "" <>
Subject: Re: Re: [ruby-core:63604] [ruby-trunk - Bug #10019]
 [Open] segmentation fault/buffer overrun in pack.c (encodes)

On Tue, 15 Jul 2014 15:10:05 +0000 Ramon de C Valle wrote:

> > First, we don't know what "The same sample works under 1.9.3" means.
> > It might mean "The same AWS sample is also a working vulnerability
> > reproducer when using Ruby 1.9.3." It might instead mean "With this
> > AWS sample, my program works normally when using Ruby 1.9.3; in
> > other words, no vulnerability is observed.”
> It meant that his sample worked normally when he used Ruby 1.9.3. (I
> assumed this because the version he specified as containing the bug
> in the report was Ruby 2.1, and specified Ruby 2.0 as requiring
> backport, but not Ruby 1.9.3.)

It's reasonable to assume that reporter did not touch the "Backport:"
field at all.  The issue was reported for ruby 2.1.2p168 (see the "ruby
-v" field).  Backport value was original set to:

  2.0.0: UNKNOWN, 2.1: UNKNOWN

which happens to be the default value pre-filed into the field for you
by the bug tracker when you try create a new issue.  You can easily
check by visiting:

All changes from UNKNOWN to REQUIRED were not done by the reporter, as
you can see from the bug comments.

I don't think you can draw the conclusion based on the Backport field.

Tomas Hoger / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.