CVE-2012-4466

Bug #1077223 reported by Tyler Hicks
Affects: ruby1.8 (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

Ruby 1.8 was synced from Debian in raring but Debian isn't carrying the fix for CVE-2012-4466.

Tyler Hicks (tyhicks) wrote :

With this debdiff, the build tests check out (as compared to without this debdiff):

-2191 tests, 1672448 assertions, 17 failures, 51 errors
+2192 tests, 1672452 assertions, 16 failures, 51 errors

and the tests in test-ruby1.8.py from lp:qa-regression-testing pass as expected.

Changed in ruby1.8 (Ubuntu):
status: In Progress → Confirmed
assignee: Tyler Hicks (tyhicks) → nobody
Micah Gersten (micahg) wrote :

Taking a look

Changed in ruby1.8 (Ubuntu):
assignee: nobody → Micah Gersten (micahg)
status: Confirmed → In Progress
Micah Gersten (micahg) wrote :

Uploaded to raring, thanks. Please try to get this in Debian as well.

Changed in ruby1.8 (Ubuntu):
assignee: Micah Gersten (micahg) → nobody
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby1.8 - 1.8.7.358-6ubuntu1

---------------
ruby1.8 (1.8.7.358-6ubuntu1) raring; urgency=low

  * SECURITY UPDATE: Safe level bypass (LP: #1077223)
    - debian/patches/CVE-2012-4466.patch: Remove incorrect string taint in
      exception handling method. Based on upstream patch.
    - CVE-2012-4466
 -- Tyler Hicks <email address hidden> Fri, 09 Nov 2012 14:56:55 -0800

Changed in ruby1.8 (Ubuntu):
status: Fix Committed → Fix Released