On Thu, 22 Apr 2010 17:48:28 +0200 Lucas Nussbaum wrote: > On 06/03/10 at 15:47 -0500, Michael Gilbert wrote: > > Package: ruby1.9 > > Version: 1.9.0.5-1 > > Severity: serious > > Tags: security > > > > Hi, > > the following CVE (Common Vulnerabilities & Exposures) id was > > published for ruby1.9. Note this was fixed in 1.9.1, and it isn't > > really clear whether it affects 1.9. I can't find enough info to say > > either way. Please check. > > > > CVE-2009-4124[0]: > > | Heap-based buffer overflow in the rb_str_justify function in string.c > > | in Ruby 1.9.1 before 1.9.1-p376 allows context-dependent attackers to > > | execute arbitrary code via unspecified vectors involving (1) > > | String#ljust, (2) String#center, or (3) String#rjust. NOTE: some of > > | these details are obtained from third party information. > > > > If you fix the vulnerability please also make sure to include the > > CVE id in your changelog entry. > > > > For further information see: > > > > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4124 > > http://security-tracker.debian.org/tracker/CVE-2009-4124 > > Hi Michael, > > The version of ruby1.9 in lenny seems to be affected. Ruby1.9 is no > longer available in unstable. I'm tempted to just ignore that bug (the > patch from 1.9.1 doesn't apply to 1.9.0).
this seems like a rather severe bug to ignore (arbitrary code execution). do you have a link to the patch? i still don't see it, but i've only quickly scanned mitre's links. perhaps someone else would be able to backport it. > Ruby 1.9 is a development branch of Ruby, I don't think that anybody > uses it for anything serious. should it be removed from lenny also? cc'ing security team for their input. mike -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
