On Sun, Jun 28, 2015 at 02:12:48PM +0200, Santiago Ruano Rincón wrote:
[..snip..]
> > Apart from that I noticed this behaviour change due to the fix for
> > CVE-2013-0269 (based on [1]):
> >
> > Squeeze version:
> > # cat <<EOF | ruby1.9.1
> >
> > require 'json'
> > p JSON.parse('{"json_class":"foo"}')['json_class']
> > EOF
> > Outputs: /usr/lib/ruby/1.9.1/json/common.rb:39:in `const_defined?':
> > wrong constant name foo (NameError)
> > from /usr/lib/ruby/1.9.1/json/common.rb:39:in `block in deep_const_get'
> > from /usr/lib/ruby/1.9.1/json/common.rb:36:in `each'
> > from /usr/lib/ruby/1.9.1/json/common.rb:36:in `inject'
> > from /usr/lib/ruby/1.9.1/json/common.rb:36:in `deep_const_get'
> > from /usr/lib/ruby/1.9.1/json/common.rb:146:in `parse'
> > from /usr/lib/ruby/1.9.1/json/common.rb:146:in `parse'
> > from -:2:in `<main>'
> >
> > Your fixed version:
> >
> > # cat <<EOF | ruby1.9.1
> > require 'json'
> > p JSON.parse('{"json_class":"foo"}')['json_class']
> > EOF
> > Outputs: "foo"
> >
>
> This is the same behavior I get from the wheezy's version.
>
> % cat <<EOF | ruby1.9.1
> require 'json'
> p JSON.parse('{"json_class":"foo"}')['json_class']
> EOF
> "foo"
>
> Actually, I had to backport more code from wheezy.
>
> > I just wonder if there could be any code out there that relies on the
> > first version throwing NameError and if we'd need to mention this in the
> > DLA?
>
> For the moment, I have been unable to find any code or to throw the
> NameError.
> Moreover, I've realised that the test_json_rails results on 4 failures
> from 7 tests. But json/add/rails.rb was removed before the wheezy
> version. What do you think? Maybe we could find a more suitable
> solution?

Since this is in line with Wheezy (and upstream) I think the solution is fine
but maybe we should mention the behaviour change in NEWS.Debian?

Cheers,
 -- Guido
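
The behaviour change discussed in this thread, as an added regression check that is not part of the original messages or of the Debian package: with the fix, `json_class` comes back from `JSON.parse` as ordinary data, and a class is resolved only when the caller passes `create_additions: true`. `Probe`, the sample documents and the helper names are hypothetical, and the check assumes a json library that already carries the CVE-2013-0269 fix.

```ruby
require 'json'

# Hypothetical application class with a json_create hook; it counts how
# often the parser instantiates it.
class Probe
  class << self
    attr_accessor :created

    def json_create(hash)
      self.created += 1
      new(hash['v'])
    end
  end
  self.created = 0

  attr_reader :v

  def initialize(v)
    @v = v
  end
end

# Constructed inputs: a document naming a real class, and the invalid
# constant name "foo" used in the thread.
KNOWN   = '{"json_class":"Probe","v":1}'
UNKNOWN = '{"json_class":"foo"}'

# Parse with additions enabled; return the exception instead of raising,
# since its class (NameError or ArgumentError) depends on the json version.
def parse_with_additions(doc)
  JSON.parse(doc, create_additions: true)
rescue NameError, ArgumentError => e
  e
end

# Summarise how this json library treats "json_class" in each mode.
def json_class_behaviour
  Probe.created = 0
  plain_known   = JSON.parse(KNOWN)
  plain_unknown = JSON.parse(UNKNOWN)
  created_by_default = Probe.created
  {
    default_returns_data: plain_known.is_a?(Hash) && plain_unknown['json_class'] == 'foo',
    default_instantiates: created_by_default > 0,
    opt_in_instantiates:  parse_with_additions(KNOWN).is_a?(Probe),
    opt_in_unknown_fails: parse_with_additions(UNKNOWN).is_a?(StandardError)
  }
end

p json_class_behaviour if __FILE__ == $PROGRAM_NAME
```

Code that depended on the old exception would see `default_returns_data` flip from an error to `true`, which is the change proposed for NEWS.Debian.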