Igal Koshevoy wrote:
> Federico Builes wrote:
>> I'm not sure how's the situation with most of these libraries but I
>> was responsible for the REXML specs so let me chime in. P111 had a
>> _really_ buggy REXML revision with several typos/small bugs that were
>> (mostly) fixed in P114 so that might be a better target for
>> compatibility (for that library at least).
> I'm glad you mentioned this. When I was talking about using a stable
> p111, I mean the copy shipped with Ubuntu that's got 11 patches applied
> to it, including the REXML fixes. It would be a worthwhile effort to
> figure out what patches the various distros are using, making sure
> they're providing a complete solution, and also ensuring that we're
> incorporating these into the other solutions we've been throwing around.
>
> Here's what some vendors are doing:
>
> FreeBSD ports patches the vulnerability against p111:
> http://www.freebsd.org/cgi/cvsweb.cgi/ports/lang/ruby18/files/
>
> Ubuntu 7.10 patches the vulnerability against p36:
> https://launchpad.net/ubuntu/gutsy/+source/ruby1.8/1.8.6.36-1ubuntu3.2/+files/ruby1.8_1.8.6.36-1ubuntu3.2.diff.gz
>
> Ubuntu 8.04 patches the vulnerability against p111:
> https://launchpad.net/ubuntu/hardy/+source/ruby1.8/1.8.6.111-2ubuntu1.1/+files/ruby1.8_1.8.6.111-2ubuntu1.1.diff.gz
>
> Fedora 9 patches the vulnerability against p230:
> http://download.fedora.redhat.com/pub/fedora/linux/updates/9/SRPMS/ruby-1.8.6.230-2.fc9.src.rpm
>
> RedHat Enterprise Linux 5.1, their latest, uses 1.8.5 and is vulnerable:
> http://install.linux.duke.edu/pub/linux/updates/centos-5.1/SRPMS/ruby-1.8.5-5.el5_1.1.src.rpm
>
> -igal
>
> Gentoo is using 1.8.6-p114 with two patches:
>>>> Emerging (1 of 1) dev-lang/ruby-1.8.6_p114 to /
>  * ruby-1.8.6-p114.tar.bz2 RMD160 SHA1 SHA256 size ;-) ... [ ok ]
>  * checking ebuild checksums ;-) ... [ ok ]
>  * checking auxfile checksums ;-) ... [ ok ]
>  * checking miscfile checksums ;-) ... [ ok ]
>  * checking ruby-1.8.6-p114.tar.bz2 ;-) ... [ ok ]
>>>> Unpacking source...
>>>> Unpacking ruby-1.8.6-p114.tar.bz2 to /var/tmp/portage/dev-lang/ruby-1.8.6_p114/work
>  * Applying ruby-1.8.6-memory-leak.diff ... [ ok ]
>  * Applying ruby-1.8.6_p111-r13657.patch ... [ ok ]

Incidentally, Ruby 1.8.7 is in the Portage tree, but it's masked.