Bug#345728: libsafe 2.0.16 detects memory corruption in Ruby when running apt-listbugs script
Package: /usr/sbin/apt-listbug
Version: 0.0.49
Severity: serious

apt-listbugs causes libsafe libc calls to detect access violation

I'm not sure whether it is apt-listbug or ruby?
I suppose an interpreter should never allow even a buggy program to crash or make the interpreter corrupt its own stack/memory, which could mean that ruby has a security hole (assuming it is not the fault of libsafe reporting a false positive), so I report it as a Ruby bug.

/usr/sbin/apt-listbugs list foo
Reading package fields... 0%
Reading package fields... Done
Reading package status... 0%
Reading package status... Done
Retrieving bug reports... 0% [0/1]Libsafe version 2.0.16
Detected an attempt to write across stack boundary.
Terminating /usr/bin/ruby1.8.
uid=0 euid=0 pid=3139
Call stack:
Bug#345728: libsafe 2.0.16 detects memory corruption in Ruby when running apt-listbugs script
reassign 345728 libruby1.8
severity 345728 important
tags 345728 moreinfo
thanks

On Tue, Jan 03, 2006 at 07:33:29AM +0100, Rafal Maj wrote:
> apt-listbugs causes libsafe libc calls to detect access violation
> I'm not sure whether it is apt-listbug or ruby?
> I suppose an interpreter should never allow even a buggy program to crash
> or make the interpreter corrupt its own stack/memory, which could mean that
> ruby has a security hole (assuming it is not the fault of libsafe
> reporting a false positive)

Please provide evidence of the actual bug in ruby which would be exploitable during normal operation and warrant an RC severity. There have been other bug reports involving libsafe which it has been suggested are libsafe bugs, *not* bugs in the application. For a tool whose job it is to identify overflow bugs in applications, so far the libsafe backtraces I've seen have been pretty damn useless for debugging.

> so I report it as Ruby bug

You didn't; you reported it as a bug against "/usr/bin/apt-listbug", which is invalid. Reassigning to the libruby1.8 package, since that's apparently where it belongs.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
Bug#345728: libsafe 2.0.16 detects memory corruption in Ruby when running apt-listbugs script
Steve Langasek wrote:
| Please provide evidence of the actual bug in ruby which would be exploitable
| during normal operation and warrant an RC severity. There have been other
| bug reports involving libsafe which it has been suggested are libsafe bugs,
| *not* bugs in the application.

Perhaps that is the case. I don't know how to provide such information, so maybe the severity level should be lowered, or rather it should be moved to safelib.