Does anyone have Typo running with a version of Ruby more recent than 1.8.6-p114? This version has known vulnerabilities, as reported here:

http://www.ruby-lang.org/en/news/2008/06/20/arbitr...

I've tried with all the most recent versions of Ruby 1.8 -- 1.8.7-p22, 1.8.6-p230 and 1.8.5-p231 -- but these all seem to cause Typo to crash in one place or another (the crash with 1.8.7-p22 is documented as Issue 1243 [1]).

I'm using Rails 2.0.2 and mysql gem 2.7.

I'd really like to use Typo, but am reluctant to do so if it can only be run insecurely.

[1] http://typosphere.org/projects/typo/issues
on 2008-08-05 02:25
on 2008-08-05 07:10
I'd like to know as well. I'm running 1.8.6p114. I haven't heard of any newer versions being stable.

On Mon, Aug 4, 2008 at 6:25 PM, Geoffrey Sisson
on 2008-08-05 08:01
On Tue, Aug 5, 2008 at 2:25 AM, Geoffrey Sisson <ruby-forum-incoming@andreas-s.net> wrote:
> I'd really like to use Typo, but am reluctant to do so if it can only be
> run insecurely.

I use a ruby 1.8.6-p230 with Typo 5.1.2 and I haven't any problem. All works
on 2008-08-05 11:05
Cyril Mougel wrote:
> I use a ruby 1.8.6-p230 with Typo 5.1.2 and I haven't any problem. All
> works

Cyril, are you using Rails 2.0.2?

When I use Ruby 1.8.6-p230 and Rails 2.0.2 and then create a new instance of Typo, the resulting dispatch.cgi crashes immediately upon invocation:

    $ ./dispatch.cgi
    *** glibc detected *** ruby: free(): invalid pointer: 0x085510d0 ***
    ======= Backtrace: =========
    /lib/i686/cmov/libc.so.6[0xb7d6f4f4]
    /lib/i686/cmov/libc.so.6(cfree+0x96)[0xb7d716f6]
    /usr/lib/libruby.so.1.8[0xb7f0dc4c]
    [snip]

I'm running on Debian GNU/Linux 4.0r4 (etch), FWIW.
on 2008-08-05 15:07
On Tue, Aug 5, 2008 at 11:05 AM, Geoffrey Sisson <ruby-forum-incoming@andreas-s.net> wrote:
> Cyril Mougel wrote:
>
>> I use a ruby 1.8.6-p230 with Typo 5.1.2 and I haven't any problem. All
>> works
>
> Cyril, are you using Rails 2.0.2?

Yes, it's with rails freeze in Typo.

> /usr/lib/libruby.so.1.8[0xb7f0dc4c]
> [snip]
>
>
> I'm running on Debian GNU/Linux 4.0r4 (etch), FWIW.

I use mongrel and I am a Gentoo.
on 2008-08-06 16:53
Geoffrey Sisson wrote:
> Does anyone have Typo running with a version of Ruby more recent than
> 1.8.6-p114?

Rails 2.0.2 does not work with Ruby 1.8.7. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484351 for details.

There's a git repository with backported fixes from Rails 2.1 here:

http://git.debian.org/?p=users/terceiro-guest/rail...

I used that source to recreate some of the gems (I don't really understand Rails' build system), and now have working 2.0.2 gems with ruby 1.8.7.

Regards,
Matijs.
on 2008-08-06 22:13
On 5 Aug 08 at 15:07, Cyril Mougel wrote:
> Yes, it's with rails freeze in Typo.
>> /lib/i686/cmov/libc.so.6(cfree+0x96)[0xb7d716f6]
>> /usr/lib/libruby.so.1.8[0xb7f0dc4c]
>> [snip]
>>
>>
>> I'm running on Debian GNU/Linux 4.0r4 (etch), FWIW.
>
> I use mongrel and I am a Gentoo.

Hello,

first, sorry for not replying faster, I was on holiday and got internet access only tonight. Trying to answer the pile of mails that's waiting for me.

I'm currently using Ruby Enterprise Edition (the name really sucks), which is developed by the guys from mod_rails. It fixes the ruby security vuln while not breaking everything, which is just what I needed.

Cheers,
Frédéric

--
Frédéric de Villamil
frederic@de-villamil.com
tel: +33 (0)6 62 19 1337
http://fredericdevillamil.com
Typo : http://typosphere.org
on 2008-08-09 11:05
de Villamil Frédéric wrote:
> first, sorry for not replying faster, I was on holiday and got
> internet access only tonight.

Thanks for the reply. No apology needed.

> I'm currently using Ruby Enterprise Edition (the name really sucks),
> which is developed by the guys from mod_rails. It fixes the ruby
> security vuln while not breaking everything, which is just what I
> needed.

ruby-enterprise-1.8.6-20080709 works fine, thanks!

A warning to anyone who may try Ruby Enterprise: don't specify /usr (or /usr/local) as the target installation directory. Otherwise installer.rb will run "sed" on all files in /usr/bin (or /usr/local/bin) and convert preexisting shell/Perl/Python/etc. scripts to Ruby scripts. I've sent a bug report to Phusion.