ruby1.8: [CAN-2005-2337] safe mode bypass

Bug #23460 reported by Debian Bug Importer
Affects           Status        Importance  Assigned to  Milestone
ruby1.8 (Debian)  Fix Released  Unknown
ruby1.8 (Ubuntu)  Fix Released  High        Martin Pitt

Bug Description

Automatically imported from Debian bug report #332742 http://bugs.debian.org/332742

CVE References

CAN-2005-2337

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Automatically imported from Debian bug report #332742 http://bugs.debian.org/332742

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 8 Oct 2005 11:22:00 +0200
From: Martin Pitt <email address hidden>
To: Debian BTS Submit <email address hidden>
Cc: <email address hidden>
Subject: ruby1.8: [CAN-2005-2337] safe mode bypass


Package: ruby1.8
Version: 1.8.2-9
Severity: grave
Tags: security patch

Hi!

There is a safe mode bypass in all Ruby versions:

  http://www.ruby-lang.org/en/20051003.html

This page also contains a patch (which does not apply perfectly since
the XMLRPC issue is already fixed, but for eval.c it applies fine).

This has been assigned CAN-2005-2337, please mention this number in
the changelog when you fix this.

Thanks,

Martin

-- 
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian Developer http://www.debian.org


Revision history for this message
akira yamada (akira) wrote : Re: Bug#332742: ruby1.8: [CAN-2005-2337] safe mode bypass

Martin Pitt wrote:
> There is a safe mode bypass in all Ruby versions:

I already prepared the new package and
sent a notice to security team.

But I cannot yet get DSA....

--
akira yamada

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 08 Oct 2005 22:04:49 +0900
From: akira yamada <email address hidden>
To: Martin Pitt <email address hidden>, <email address hidden>
Subject: Re: Bug#332742: ruby1.8: [CAN-2005-2337] safe mode bypass

Revision history for this message
Lucas Nussbaum (lucas) wrote :

This would be fixed by upgrading ruby to 1.8.3, which would solve other bugs too.

Revision history for this message
Tomas Pospisek (tpo) wrote : can be closed: ruby1.8: [CAN-2005-2337] safe mode bypass

Hello Akira,

I think http://bugs.debian.org/332742 can be closed since the Debian
security team issued a DSA today [1].

Greets,
*t

[1] http://www.debian.org/security/2005/dsa-864

--
--------------------------------------------------------
   Tomas Pospisek
   http://sourcepole.com - Linux & Open Source Solutions
--------------------------------------------------------

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <Pine.LNX.4.63.0510131155520.2088@localhost>
Date: Thu, 13 Oct 2005 12:02:38 +0200 (CEST)
From: Tomas Pospisek <email address hidden>
To: <email address hidden>
cc: <email address hidden>
Subject: can be closed: ruby1.8: [CAN-2005-2337] safe mode bypass

Revision history for this message
akira yamada (akira) wrote : Re: Bug#332742: ruby1.8: [CAN-2005-2337] safe mode bypass

DSA-864 was published.

Revision history for this message
Martin Pitt (pitti) wrote :

Our ruby1.8 packages were fixed in USN-195-1.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 19 Oct 2005 19:25:20 +0900
From: akira yamada <email address hidden>
To: Martin Pitt <email address hidden>,
 <email address hidden>
Subject: Re: Bug#332742: ruby1.8: [CAN-2005-2337] safe mode bypass

Revision history for this message
Filipus Klutiero (ido) wrote : Version closing

close 332742 1.8.3-1
close 332742 1.8.2-7sarge2
thanks

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 24 Oct 2005 03:13:09 -0400
From: Filipus Klutiero <email address hidden>
To: <email address hidden>
Subject: Version closing
