Ollivier Robert wrote:
> Try this instead:
> http://www.freebsd.org/cgi/cvsweb.cgi/ports/lang/ruby18/files/

Thanks for the assistance. That FreeBSD web site's UI sucks. Their "Get 
diffs" button is broken and always returns nothing. To get a diff on a 
file, one must click the "text" next to the revision number.

FreeBSD's backported patch seems insufficient and vulnerable. I come to 
this conclusion because they only modified two files (sprintf.c and 
string.c) -- but the Ruby changelog for this fix mentions other files 
(e.g., array.c), and Zed Shaw identifies about a dozen files potentially 
involved in the fix at 
http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html

So we still need to come up with either a backport for one of the 
working versions of Ruby, or a fix to one of the currently released but 
broken versions.

I've sent email to Stas, the FreeBSD maintainer of Ruby to warn them of 
the potential security hole in their release and in hopes that they may 
join this discussion.

-igal
-- 
Posted via http://www.ruby-forum.com/.
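The coverage check igal does by hand above (which source files the port's patch set actually modifies, versus which files the upstream fix names) can be scripted. The following is an added example, not code from the post, from the FreeBSD port or from Ruby. It assumes the port's patches live as unified diffs named patch-* in a files/ directory, as FreeBSD ports do, and it builds a constructed sample port that only patches sprintf.c and string.c so that array.c shows up as missing; the file names come from the post, the patch contents are made up placeholders.

```shell
#!/bin/sh
# Added example: compare the files a port's patch-* set touches against the
# files an upstream fix is known to touch. Not the FreeBSD port's own tooling.

# Print, sorted and unique, every file the patch-* diffs in directory $1 modify.
# Reads the "+++ " header of each unified diff; strips "./", "a/" or "b/"
# prefixes and anything after the first whitespace (timestamps).
patched_files() {
    for p in "$1"/patch-*; do
        [ -f "$p" ] || continue
        sed -n '/^+++ /{s/^+++ //; s/^\.\///; s/^[ab]\///; s/[[:space:]].*//; p;}' "$p"
    done | sort -u
}

# Print the upstream files ($2..$n) that no patch in directory $1 modifies.
missing_files() {
    pdir=$1
    shift
    pf=$(mktemp)
    patched_files "$pdir" > "$pf"
    printf '%s\n' "$@" | sort -u | comm -23 - "$pf"
    rm -f "$pf"
}

# Build a constructed sample port: patches for sprintf.c and string.c only.
# The hunk bodies are placeholders, not the real fix.
make_sample_port() {
    sdir=$(mktemp -d)
    cat > "$sdir/patch-sprintf.c" <<'EOF'
--- sprintf.c.orig
+++ sprintf.c
@@ -1,1 +1,1 @@
-placeholder old line
+placeholder new line
EOF
    cat > "$sdir/patch-string.c" <<'EOF'
--- string.c.orig
+++ ./string.c
@@ -1,1 +1,1 @@
-placeholder old line
+placeholder new line
EOF
    printf '%s\n' "$sdir"
}

# Usage: the upstream list here is the three files the post names; on a real
# port tree replace the sample directory with lang/ruby18/files and the list
# with the files from the Ruby changelog.
sample=$(make_sample_port)
echo "files the port patches touch:"
patched_files "$sample"
echo "upstream files the port does not patch:"
missing_files "$sample" sprintf.c string.c array.c
```

On the constructed sample the last command prints array.c, which is the gap the post points at; an empty result would mean the backport at least touches every file the upstream fix does (it says nothing about whether the hunks themselves are complete).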