Bug#796344: CVE-2009-5147

2016-06-07 Thread Petter Reinholdtsen
[Moritz Mühlenhoff]
> Does that also include the regression fix from CVE-2015-7551?

No, it did not. I had a look and pulled https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a to fix this one. I will include it too in the upload, just need to check with the release

Bug#796344: CVE-2009-5147

2016-06-06 Thread Christian Hofstaedtler
* Petter Reinholdtsen [160606 15:27]:
> Thank you very much! But the second fails with ruby2.1 today:
> cve-2009-5147-fiddle-02.rb:18:in `call': tainted parameter not allowed
> (SecurityError)
[..]
> How come?

Ah. Maybe that was my demonstration program of what should have

Bug#796344: CVE-2009-5147

2016-06-06 Thread Petter Reinholdtsen
[Christian Hofstaedtler]
> I'm attaching two test programs that both raise a SecurityError on
> ruby2.2 in sid, but run through on ruby2.1 in jessie. They only
> cover two Fiddle cases, and no DL cases, though.

Thank you very much! But the second fails with ruby2.1 today:

% for f in *; do

Bug#796344: CVE-2009-5147

2016-06-06 Thread Petter Reinholdtsen
Control: unarchive -1

[Christian Hofstaedtler 2016-01-03]
>> According to https://security-tracker.debian.org/tracker/CVE-2009-5147,
>> this issue is fixed in squeeze but not wheezy and jessie. Is anyone working
>> on an update to stable?
>
> Sorry, even though this should be easy to do,

Bug#796344: CVE-2009-5147

2016-06-06 Thread Christian Hofstaedtler
* Petter Reinholdtsen [160606 14:01]:
> But I would love to figure out a way to verify that the fix really is working
> before I upload. Anyone got a clue to spare there?

I'm attaching two test programs that both raise a SecurityError on ruby2.2 in sid, but run through on

Bug#796344: CVE-2009-5147

2016-01-02 Thread Petter Reinholdtsen
[Christian Hofstaedtler]
> In 2.1 branch, the fix is in this commit:
>
> https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a

According to https://security-tracker.debian.org/tracker/CVE-2009-5147, this issue is fixed in squeeze but not wheezy and jessie. Is anyone

Bug#796344: CVE-2009-5147

2016-01-02 Thread Christian Hofstaedtler
* Petter Reinholdtsen [160102 10:30]:
> [Christian Hofstaedtler]
> > In 2.1 branch, the fix is in this commit:
> >
> > https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a
>
> According to https://security-tracker.debian.org/tracker/CVE-2009-5147,

Bug#796344: CVE-2009-5147

2015-12-16 Thread Christian Hofstaedtler
Control: retitle -1 CVE-2015-7551
Control: found -1 2.1.5-2+deb8u2

https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/

Bug#796344: CVE-2009-5147

2015-12-16 Thread Christian Hofstaedtler
In 2.1 branch, the fix is in this commit: https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a

Bug#796344: CVE-2009-5147

2015-08-21 Thread Moritz Muehlenhoff
Package: ruby2.1
Version: 2.1.5-4
Severity: important
Tags: security

This has been assigned CVE-2009-5147:
http://seclists.org/oss-sec/2015/q3/222

Cheers,
Moritz