On Fri, Jan 20, 2017 at 01:13:41AM +0100, Christian Hofstaedtler wrote:
> Control: reassign -1 ruby2.1
> Control: found -1 2.1.5-2+deb8u3
> 
> Hi,
> 
> * Moritz Muehlenhoff <j...@debian.org> [170120 00:05]:
> > this has been assigned CVE-2016-2339: 
> > http://www.talosintelligence.com/reports/TALOS-2016-0034/
> > 
> > Patch is here: 
> > https://github.com/ruby/ruby/commit/bcc2421b4938fc1d9f5f3fb6ef2320571b27af42
> 
> If I'm reading all those right, this is actually fixed since 2.3.0;
> this issue is likely open in 2.1.x. Reassigning.

Confirmed for 2.1.x, the POC in a jessie VM:

$ ruby CVE-2016-2339.rb 
Start
args array size : 1
increase size of array
New args array size is : 11
*** Error in `ruby': free(): invalid next size (fast): 0x0000000000ea3590 ***
Aborted

It was confusing that the TALOS report mentions that it was tested with 2.3.0 dev,
but this might then be right: the above commit is included from 2.3.0 onwards.

> For the TclTk issue, looks like this upstream patch:
> https://github.com/ruby/ruby/commit/a2b8925a94a672235ca6a16e584bf09026a957ab
> If this is the correct patch, 2.3.0 has this fixed, but 2.1.x needs
> a patch.

Thanks, added the commit as well, and the fixed version to the tracker. I
*think*, although a problem in the source, this might not really need an update
in jessie via a DSA, since the issue is in combination with cancel_eval, which is
supported in Tcl/Tk 8.6 or later, but we don't have that for jessie. So I would
tend to just mark that one as no-dsa at least. Or do I miss something?

Regards,
Salvatore
