diff -Nru ruby1.8-1.8.7.358/debian/changelog ruby1.8-1.8.7.358/debian/changelog
--- ruby1.8-1.8.7.358/debian/changelog 2012-10-31 17:20:28.000000000 -0700
+++ ruby1.8-1.8.7.358/debian/changelog 2012-11-09 14:57:00.000000000 -0800
@@ -1,3 +1,12 @@
+ruby1.8 (1.8.7.358-6ubuntu1) raring; urgency=low
+
+ * SECURITY UPDATE: Safe level bypass (LP: #1077223)
+ - debian/patches/CVE-2012-4466.patch: Remove incorrect string taint in
+ exception handling method. Based on upstream patch.
+ - CVE-2012-4466
+
+ -- Tyler Hicks Fri, 09 Nov 2012 14:56:55 -0800
+
 ruby1.8 (1.8.7.358-6) unstable; urgency=high

 * Timeout the execution of the tests after 2 hours. This should fix the
diff -Nru ruby1.8-1.8.7.358/debian/control ruby1.8-1.8.7.358/debian/control
--- ruby1.8-1.8.7.358/debian/control 2012-10-31 14:08:23.000000000 -0700
+++ ruby1.8-1.8.7.358/debian/control 2012-11-07 19:05:06.000000000 -0800
@@ -1,7 +1,8 @@
 Source: ruby1.8
 Section: ruby
 Priority: optional
-Maintainer: akira yamada
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: akira yamada
 Uploaders: Daigo Moriwaki , Lucas Nussbaum , Antonio Terceiro
 Build-Depends: cdbs (>= 0.4.106), debhelper (>= 5), autotools-dev, autoconf, m4, quilt (>= 0.40), patch, bison, binutils (>= 2.14.90.0.7), libgdbm-dev, libncurses5-dev, libreadline-gplv2-dev, tcl-dev, tk-dev, zlib1g-dev, libssl-dev (>= 0.9.6b), file, coreutils, gcc-4.6
 Standards-Version: 3.9.2
diff -Nru ruby1.8-1.8.7.358/debian/patches/CVE-2012-4466.patch ruby1.8-1.8.7.358/debian/patches/CVE-2012-4466.patch
--- ruby1.8-1.8.7.358/debian/patches/CVE-2012-4466.patch 1969-12-31 16:00:00.000000000 -0800
+++ ruby1.8-1.8.7.358/debian/patches/CVE-2012-4466.patch 2012-11-09 14:32:03.000000000 -0800
@@ -0,0 +1,57 @@
+Description: Prevent untainted strings from being incorrectly tainted
+ This flaw allowed untainted strings to be tainted and modified, even in
+ safe level 4.
+ .
+ Also, backport the test case changes from the upstream patch, even though they
+ don't all directly related to CVE-2012-4466.
+Origin: backport, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
+Index: ruby1.8-1.8.7.358/error.c
+===================================================================
+--- ruby1.8-1.8.7.358.orig/error.c 2012-11-09 14:31:36.117984954 -0800
++++ ruby1.8-1.8.7.358/error.c 2012-11-09 14:31:36.145984954 -0800
+@@ -754,7 +754,6 @@
+ args[2] = d;
+ mesg = rb_f_sprintf(3, args);
+ }
+- if (OBJ_TAINTED(obj)) OBJ_TAINT(mesg);
+ return mesg;
+ }
+
+Index: ruby1.8-1.8.7.358/test/ruby/test_exception.rb
+===================================================================
+--- ruby1.8-1.8.7.358.orig/test/ruby/test_exception.rb 2012-11-09 14:30:15.217985346 -0800
++++ ruby1.8-1.8.7.358/test/ruby/test_exception.rb 2012-11-09 14:31:36.145984954 -0800
+@@ -204,6 +204,32 @@
+ o.taint
+ e = NameError.new(o)
+ s = e.to_s
+- assert_equal(true, s.tainted?)
++ assert_equal(false, s.tainted?)
++ end
++
++ def test_exception_to_s_should_not_propagate_untrustedness
++ favorite_lang = "Ruby"
++
++ for exc in [Exception, NameError]
++ assert_raise(SecurityError) do
++ lambda {
++ $SAFE = 4
++ exc.new(favorite_lang).to_s
++ favorite_lang.replace("Python")
++ }.call
++ end
++ end
++
++ assert_raise(SecurityError) do
++ lambda {
++ $SAFE = 4
++ o = Object.new
++ class << o; self; end.instance_eval { define_method(:to_str) { favorite_lang } }
++ NameError.new(o).to_s
++ favorite_lang.replace("Python")
++ }.call
++ end
++
++ assert_equal("Ruby", favorite_lang)
+ end
+ end
diff -Nru ruby1.8-1.8.7.358/debian/patches/series ruby1.8-1.8.7.358/debian/patches/series
--- ruby1.8-1.8.7.358/debian/patches/series 2012-10-14 15:43:03.000000000 -0700
+++ ruby1.8-1.8.7.358/debian/patches/series 2012-11-07 18:53:48.000000000 -0800
@@ -14,3 +14,4 @@
 tcltk-no-rpath.patch
 use-ldflags.patch
 CVE-2012-4481.patch
+CVE-2012-4466.patch
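Review bot: In the test_exception.rb part of debian/patches/CVE-2012-4466.patch, the flipped assertion `assert_equal(false, s.tainted?)` has no comment tying it to the CVE, and the patch description itself says the backported test changes are not all related to CVE-2012-4466, so a reader cannot tell which assertions guard the error.c change. I would add `# CVE-2012-4466: to_s on a NameError built from a tainted object must not return a tainted string` above it, and confirm by running the suite with the error.c hunk reverted that at least one of these assertions fails. The flip is also a visible behaviour change: code that checked `tainted?` on the message to spot data derived from a tainted object will no longer see the mark, which deserves a line in the Description. The enclosing test method and the C function around error.c line 754 both start outside the hunks shown.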