Which versions of Ruby work with Typo 5.1.2?

Does anyone have Typo running with a version of Ruby more recent than
1.8.6-p114? This version has known vulnerabilities, as reported here:

http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/

I’ve tried with all the most recent versions of Ruby 1.8 – 1.8.7-p22,
1.8.6-p230 and 1.8.5-p231 – but these all seem to cause Typo to crash
in one place or another (the crash with 1.8.7-p22 is documented as Issue
1243 [1]). I’m using Rails 2.0.2 and mysql gem 2.7.

I’d really like to use Typo, but am reluctant to do so if it can only be
run insecurely.

[1] http://typosphere.org/projects/typo/issues
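As an added example, not part of the thread, a small Ruby script that checks an interpreter's version and patchlevel against the three 1.8 patchlevels listed above; it assumes those are the first releases carrying the fix from the linked advisory, which should be confirmed against the advisory itself before relying on the table.

```ruby
# Assumption: the patchlevels the original poster lists (1.8.5-p231,
# 1.8.6-p230, 1.8.7-p22) are the first releases that contain the fix for
# the June 2008 arbitrary-code-execution advisory. Verify against the advisory.
MIN_PATCHLEVEL = {
  "1.8.5" => 231,
  "1.8.6" => 230,
  "1.8.7" => 22,
}

# Classify an "x.y.z" version string plus integer patchlevel as
# :ok, :vulnerable, or :unknown (a release line the table does not cover).
def ruby_patch_status(version, patchlevel)
  minimum = MIN_PATCHLEVEL[version]
  return :unknown if minimum.nil?
  patchlevel >= minimum ? :ok : :vulnerable
end

# Parse a `ruby -v` line from the 1.8 series, e.g.
#   "ruby 1.8.6 (2008-03-03 patchlevel 114) [i686-linux]"
# Returns [version, patchlevel] or nil when the line has no patchlevel
# (newer interpreters print a revision instead, so they fall through).
def parse_ruby_v(line)
  m = line.match(/\Aruby (\d+\.\d+\.\d+) \(.*patchlevel (\d+)\)/)
  return nil unless m
  [m[1], m[2].to_i]
end

# Convenience wrapper for auditing collected `ruby -v` output from hosts.
def audit_ruby_v(line)
  parsed = parse_ruby_v(line)
  return :unknown unless parsed
  ruby_patch_status(*parsed)
end

if __FILE__ == $0
  # Audit the interpreter that is running this script.
  status = ruby_patch_status(RUBY_VERSION, RUBY_PATCHLEVEL)
  puts "#{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}: #{status}"
end
```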

I’d like to know as well. I’m running 1.8.6p114. I haven’t heard of
any newer versions being stable.

On Mon, Aug 4, 2008 at 6:25 PM, Geoffrey Sisson

On Tue, Aug 5, 2008 at 2:25 AM, Geoffrey Sisson
[email protected] wrote:

I’d really like to use Typo, but am reluctant to do so if it can only be
run insecurely.

I use ruby 1.8.6-p230 with Typo 5.1.2 and I haven't had any problem. All works.

On Tue, Aug 5, 2008 at 11:05 AM, Geoffrey Sisson
[email protected] wrote:

Cyril M. wrote:

I use ruby 1.8.6-p230 with Typo 5.1.2 and I haven't had any problem. All works.

Cyril, are you using Rails 2.0.2?

Yes, it’s with rails freeze in Typo.

/usr/lib/libruby.so.1.8[0xb7f0dc4c]
[snip]

I’m running on Debian GNU/Linux 4.0r4 (etch), FWIW.

I use mongrel and I am on Gentoo.

Cyril M. wrote:

I use ruby 1.8.6-p230 with Typo 5.1.2 and I haven't had any problem. All works.

Cyril, are you using Rails 2.0.2?

When I use Ruby 1.8.6-p230 and Rails 2.0.2 and then create a new
instance of Typo, the resulting dispatch.cgi crashes immediately upon
invocation:

$ ./dispatch.cgi
*** glibc detected *** ruby: free(): invalid pointer: 0x085510d0 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb7d6f4f4]
/lib/i686/cmov/libc.so.6(cfree+0x96)[0xb7d716f6]
/usr/lib/libruby.so.1.8[0xb7f0dc4c]
[snip]

I’m running on Debian GNU/Linux 4.0r4 (etch), FWIW.

Geoffrey Sisson wrote:

Does anyone have Typo running with a version of Ruby more recent than
1.8.6-p114?

Rails 2.0.2 does not work with Ruby 1.8.7.

See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484351 for details.
There’s a git repository with backported fixes from Rails 2.1 here:
http://git.debian.org/?p=users/terceiro-guest/rails.git;a=shortlog;h=refs/heads/2.0.2-ruby1.8.7-compat

I used that source to recreate some of the gems (I don’t really
understand Rails’ build system), and now have working 2.0.2 gems with
ruby 1.8.7.

Regards,
Matijs.

On 5 Aug 08 at 15:07, Cyril M. wrote:

Yes, it’s with rails freeze in Typo.

/lib/i686/cmov/libc.so.6(cfree+0x96)[0xb7d716f6]
/usr/lib/libruby.so.1.8[0xb7f0dc4c]
[snip]

I’m running on Debian GNU/Linux 4.0r4 (etch), FWIW.

I use mongrel and I am on Gentoo.

Hello,

first, sorry for not replying faster, I was on holiday and got
internet access only tonight. Trying to answer the pile of mails
that's waiting for me.

I'm currently using Ruby Enterprise Edition (the name really sucks),
which is developed by the guys from mod_rails. It fixes the ruby
security vuln while not breaking everything, which is just what I
needed.

Cheers,
Frédéric


Frédéric de Villamil
[email protected] tel: +33 (0)6 62 19 1337
http://fredericdevillamil.com Typo : http://typosphere.org

de Villamil Frédéric wrote:

first, sorry for not replying faster, I was on holiday and got
internet access only tonight.

Thanks for the reply. No apology needed.

I'm currently using Ruby Enterprise Edition (the name really sucks),
which is developed by the guys from mod_rails. It fixes the ruby
security vuln while not breaking everything, which is just what I
needed.

ruby-enterprise-1.8.6-20080709 works fine, thanks!

A warning to anyone who may try Ruby Enterprise: don't specify /usr
(or /usr/local) as the target installation directory. Otherwise
installer.rb will run "sed" on all files in /usr/bin (or /usr/local/bin)
and convert preexisting shell/Perl/Python/etc. scripts to Ruby scripts.
I've sent a bug report to Phusion.