On Mon, 23 Jun 2008 19:20:00 +0900
Igal Koshevoy <igal / pragmaticraft.com> mentioned:

> Ollivier Robert wrote:
> > Try this instead:
> > http://www.freebsd.org/cgi/cvsweb.cgi/ports/lang/ruby18/files/
> 
> Thanks for the assistance. That FreeBSD web site's UI sucks. Their "Get 
> diffs" button is broken and always returns nothing. To get a diff on a 
> file, one must click the "text" next to the revision number.
> 
> FreeBSD's backported patch seems insufficient and vulnerable. I come to 
> this conclusion because they only modified two files (sprintf.c and 
> string.c) -- but the Ruby changelog for this fix mentions other files 
> (e.g., array.c), and Zed Shaw identifies about a dozen files potentially 
> involved in the fix at 
> http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html
>

You're not fully correct. All the relevant changes were in array.c
and string.c sources; I've backported both.

I'm not aware of other security problems in the code.

I'll check the link later.

-- 
Stanislav Sedov
ST4096-RIPE
