On 26/06/15 at 12:03, Guido Günther wrote:
> Hi Santiago,

Hi Guido,

Thanks for reviewing!

> On Wed, Jun 24, 2015 at 10:16:08PM +0200, Santiago Ruano Rincón wrote:
> > Hi there,
> >
> > I've prepared a ruby 1.9.1 package to fix the two open CVEs
> > CVE-2012-5371 and CVE-2013-0269. As usual, tests are more than welcome.
> > The package is available at the repository:
> >
> > deb https://people.debian.org/~santiago/debian santiago-squeeze-lts/
> >
> > Debdiff against current package attached.
> >
> > Cheers,
> >
> > Santiago
> > ...
> > diff -Nru ruby1.9.1-1.9.2.0/debian/patches/series ruby1.9.1-1.9.2.0/debian/patches/series
> > --- ruby1.9.1-1.9.2.0/debian/patches/series 2015-05-30 19:47:58.000000000 +0200
> > +++ ruby1.9.1-1.9.2.0/debian/patches/series 2015-06-23 22:44:07.000000000 +0200
> > @@ -68,3 +68,5 @@
> >
> > #XXX todo: CVE-2012-5371
> > #XXX todo: CVE-2013-0269
>
> Minor nitpick: I think these can be dropped now that the CVEs are
> fixed.

Ok

> Apart from that I noticed this behaviour change due to the fix for
> CVE-2013-0269 (based on [1]):
>
> Squeeze version:
> # cat <<EOF | ruby1.9.1
> require 'json'
> p JSON.parse('{"json_class":"foo"}')['json_class']
> EOF
>
> Outputs:
> /usr/lib/ruby/1.9.1/json/common.rb:39:in `const_defined?': wrong constant name foo (NameError)
>         from /usr/lib/ruby/1.9.1/json/common.rb:39:in `block in deep_const_get'
>         from /usr/lib/ruby/1.9.1/json/common.rb:36:in `each'
>         from /usr/lib/ruby/1.9.1/json/common.rb:36:in `inject'
>         from /usr/lib/ruby/1.9.1/json/common.rb:36:in `deep_const_get'
>         from /usr/lib/ruby/1.9.1/json/common.rb:146:in `parse'
>         from /usr/lib/ruby/1.9.1/json/common.rb:146:in `parse'
>         from -:2:in `<main>'
>
> Your fixed version:
>
> # cat <<EOF | ruby1.9.1
> require 'json'
> p JSON.parse('{"json_class":"foo"}')['json_class']
> EOF
>
> Outputs: "foo"

This is the same behaviour I get from wheezy's version.

% cat <<EOF | ruby1.9.1
require 'json'
p JSON.parse('{"json_class":"foo"}')['json_class']
EOF
"foo"

Actually, I had to backport more code from wheezy.

> I just wonder if there could be any code out there that relies on the
> first version throwing NameError and if we'd need to mention this in the
> DLA?

For the moment, I have been unable to find any code or to throw the NameError.

Moreover, I've realised that test_json_rails results in 4 failures out of 7 tests. But json/add/rails.rb was removed before the wheezy version. What do you think? Maybe we could find a more suitable solution?

Cheers,

Santiago
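Review bot: the `@@ -68,3 +68,5 @@` hunk of debian/patches/series keeps the `#XXX todo: CVE-2012-5371` and `#XXX todo: CVE-2013-0269` marker lines as unchanged context while appending two entries; drop both markers in the same hunk so the series file does not carry stale reminders for CVEs the new patches fix. The two added lines are not shown in the quoted excerpt, so the patch file names being added cannot be checked from this mail.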
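The behaviour change discussed above, as an added Ruby example that is not part of the thread: it runs against the stock json gem on a current Ruby, the Range document is a constructed sample, and json/add/core is loaded only to provide a class with a json_create hook. It shows why post-fix JSON.parse returns "foo" as a plain string: class lookup from "json_class" now happens only when the caller opts in with create_additions.

```ruby
# Added example (not from the thread): what the CVE-2013-0269 fix changed.
# After the fix, JSON.parse does not resolve the "json_class" value to a
# Ruby constant unless the caller passes create_additions: true, so an
# untrusted document cannot choose which class gets instantiated.
require 'json'
require 'json/add/core' # registers json_create for Range, Time, Regexp, ...

# Constructed sample input: a document asking the parser to build a Range.
UNTRUSTED = '{"json_class":"Range","a":[1,2,false]}'

# Post-fix default: a plain Hash; "json_class" is just another string key.
def parse_default(doc)
  JSON.parse(doc)
end

# Explicit opt-in: the parser looks the class up and calls its json_create.
def parse_with_additions(doc)
  JSON.parse(doc, create_additions: true)
end

# The pre-fix behaviour reproduced in the thread: the class name is resolved
# eagerly, so an unresolvable name such as "foo" raises instead of being
# returned as data. With opt-in parsing the same lookup still happens, which
# is what this helper reports (NameError on old json, ArgumentError on new).
def class_name_resolvable?(doc)
  parse_with_additions(doc)
  true
rescue NameError, ArgumentError
  false
end

if __FILE__ == $0
  p parse_default(UNTRUSTED)         # {"json_class"=>"Range", "a"=>[1, 2, false]}
  p parse_with_additions(UNTRUSTED)  # 1..2
  p parse_default('{"json_class":"foo"}')['json_class'] # "foo"
  p class_name_resolvable?('{"json_class":"foo"}')      # false
end
```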