Ruby 1.8.7-p173 released

Urabe Shyouhei (Guest)
on 2009-06-10 02:23
(Received via mailing list)
Hello all.  This is a security fix for ruby 1.8.7.

A vulnerability was found in Ruby's BigDecimal stdlib.  That enables
attackers to cause a ruby process segfault.  This release is to fix that
issue.  For detailed info on the vulnerability please refer to:

http://www.ruby-lang.org/en/news/2009/06/09/dos-vu...

Released tarballs are available at:

ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p173.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p173.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p173.zip

and checksums:

MD5(ruby-1.8.7-p173.tar.gz)= 74fbd67496ab7cc4de896d053f1507a5
SHA256(ruby-1.8.7-p173.tar.gz)= 89ad16522f0a2f91e83e418e63cd27ec0fa6e40b17118c29f48b24468490a662
SIZE(ruby-1.8.7-p173.tar.gz)= 4823322

MD5(ruby-1.8.7-p173.tar.bz2)= bf297efaa24ec6cdb74963c0f608f6f1
SHA256(ruby-1.8.7-p173.tar.bz2)= 7cec49bc4afb82188ca4bdb5a0400ec7ede6bf0937af9dd6acaca4e54b8aa760
SIZE(ruby-1.8.7-p173.tar.bz2)= 4144667

MD5(ruby-1.8.7-p173.zip)= ef2f79470286bf885aeadb10c32ff379
SHA256(ruby-1.8.7-p173.zip)= 92e55401af85363955bac9c08366a9e1b144d4e4f756cc3c552b4fd242bf540a
SIZE(ruby-1.8.7-p173.zip)= 5881664

Thank you.
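A small verifier for the checksum block in this announcement, added here as an example; it is not part of the post or of the ruby-lang.org release tooling. It parses the `NAME(file)= value` lines above (re-attaching a digest that mail wrapping pushed onto the next line) and checks a downloaded file against them; the `sample.tar.gz` name and bytes in the demo are constructed so it runs offline.

```ruby
require 'digest'

# Parse announcement lines "MD5(file)= hex", "SHA256(file)= hex", "SIZE(file)= n"
# into {"file" => {"MD5" => hex, "SHA256" => hex, "SIZE" => "n"}}.  A digest
# that mail wrapping pushed onto the following line is re-attached.
def parse_checksum_block(text)
  expected = {}
  pending = nil
  text.each_line do |raw|
    line = raw.strip
    if (m = line.match(/\A(MD5|SHA256|SIZE)\(([^)]+)\)=\s*(\S*)\z/))
      kind, file, value = m[1], m[2], m[3]
      (expected[file] ||= {})[kind] = value unless value.empty?
      pending = value.empty? ? [file, kind] : nil
    elsif pending && line.match?(/\A\h+\z/)
      (expected[pending[0]] ||= {})[pending[1]] = line
      pending = nil
    end
  end
  expected
end

# Check downloaded bytes against the parsed expectations.  Returns [] when
# everything matches, otherwise the names of the failing checks.  SIZE and
# MD5 only catch truncation and accidents; the SHA256 comparison is the one
# that carries weight against a tampered download.
def verify_release_data(name, data, expected)
  entry = expected[name] or return [:unknown_file]
  problems = []
  problems << :size   if entry['SIZE']   && data.bytesize != entry['SIZE'].to_i
  problems << :md5    if entry['MD5']    && Digest::MD5.hexdigest(data) != entry['MD5'].downcase
  problems << :sha256 if entry['SHA256'] && Digest::SHA256.hexdigest(data) != entry['SHA256'].downcase
  problems
end

def verify_release_file(path, expected)
  verify_release_data(File.basename(path), File.binread(path), expected)
end

if __FILE__ == $0
  # Constructed stand-in for a tarball so the demo runs without a download.
  sample = "constructed sample bytes, not a real ruby tarball\n"
  manifest = "MD5(sample.tar.gz)= #{Digest::MD5.hexdigest(sample)}\n" \
             "SHA256(sample.tar.gz)=\n#{Digest::SHA256.hexdigest(sample)}\n" \
             "SIZE(sample.tar.gz)= #{sample.bytesize}\n"
  expected = parse_checksum_block(manifest)
  puts "intact:   #{verify_release_data('sample.tar.gz', sample, expected).inspect}"
  puts "tampered: #{verify_release_data('sample.tar.gz', sample + 'x', expected).inspect}"
end
```

For a real download, save the checksum lines to a file and call `verify_release_file(path, parse_checksum_block(File.read(manifest_path)))`.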
Barry Hess (bjhess)
on 2009-06-10 21:38
FYI, there is a bug in BigDecimal#to_f with this release.

BigDecimal("10.03").to_f
=> 10.3

My colleague put together a temporary fix (the post is for Rails devs):

http://bit.ly/65vKm

Hope this helps some folks out.

--
Barry Hess
http://iridesco.com
http://bjhess.com
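A regression check for the BigDecimal#to_f defect reported in the post above, added here as an example; it is not part of the thread or of Ruby's own test suite. The input list is constructed, the first entry reproduces the reported case, and Kernel#Float is assumed as the independent reference conversion.

```ruby
require 'bigdecimal'

# Constructed decimal strings: the first reproduces the reported case, the
# rest exercise leading and interior zeros in the fractional part, a
# negative value, and exponent notation.
TO_F_CASES = %w[10.03 0.05 1.005 100.0001 -3.0402 12.3 0.1 2.5e-3].freeze

# Kernel#Float parses the same decimal string without going through
# BigDecimal, so it serves as the reference; both conversions are correctly
# rounded and must yield the identical double.  Returns the inputs that
# disagree, empty on a healthy interpreter.
def bigdecimal_to_f_mismatches(cases = TO_F_CASES)
  cases.reject { |s| BigDecimal(s).to_f == Float(s) }
end

# True when BigDecimal#to_f is sound for every listed input.
def bigdecimal_to_f_ok?(cases = TO_F_CASES)
  bigdecimal_to_f_mismatches(cases).empty?
end

if __FILE__ == $0
  bad = bigdecimal_to_f_mismatches
  if bad.empty?
    puts "BigDecimal#to_f agrees with Float() on all #{TO_F_CASES.size} cases (ruby #{RUBY_VERSION})"
  else
    bad.each { |s| puts "MISMATCH #{s}: to_f=#{BigDecimal(s).to_f} Float=#{Float(s)}" }
    exit 1
  end
end
```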
Charles Nutter (headius)
on 2009-06-11 00:17
(Received via mailing list)
On Wed, Jun 10, 2009 at 2:38 PM, Barry Hess<barry@bjhess.com> wrote:
> FYI, there is a bug in BigDecimal#to_f with this release.
>
> BigDecimal("10.03").to_f
> => 10.3
>
> My colleague put together a temporary fix (the post is for Rails devs):
>
> http://bit.ly/65vKm

Why was this not caught in the original fix? I thought the ruby-core
folks were running RubySpecs now...

- Charlie
Ezra Zygmuntowicz (Guest)
on 2009-06-11 00:28
(Received via mailing list)
On Jun 10, 2009, at 3:17 PM, Charles Oliver Nutter wrote:

>
> Why was this not caught in the original fix? I thought the ruby-core
> folks were running RubySpecs now...
>
> - Charlie


This was caught by the rubyspecs and is not broken in the release of
ruby-1.8.6_p369.

Cheers-
Ezra Zygmuntowicz
ez@engineyard.com
Charles Nutter (headius)
on 2009-06-11 02:44
(Received via mailing list)
On Wed, Jun 10, 2009 at 5:27 PM, Ezra Zygmuntowicz <ezmobius@gmail.com> wrote:
> This was caught by the rubyspecs and is not broken in the release of
> ruby-1.8.6_p369.

Yes, I know that much from talking to Kirk... but I'm confused why
there would be a breakage in any of the other versions if everyone's
running RubySpecs.

- Charlie
Yukihiro Matsumoto (Guest)
on 2009-06-11 08:12
(Received via mailing list)
Hi,

In message "Re: Ruby 1.8.7-p173 released"
    on Thu, 11 Jun 2009 07:17:02 +0900, Charles Oliver Nutter
<headius@headius.com> writes:

|Why was this not caught in the original fix? I thought the ruby-core
|folks were running RubySpecs now...

It was me who introduced the bug.  I neglected to run the tests this time.
Unfortunately, the 1.9 maintainers seemed to trust me, which they shouldn't
have.  I hope we can learn something from this experience.

I have just committed all the fixes (from 1.9) to 1.8 HEAD.

              matz.
Charles Nutter (headius)
on 2009-06-12 01:17
(Received via mailing list)
On Thu, Jun 11, 2009 at 1:11 AM, Yukihiro Matsumoto <matz@ruby-lang.org> wrote:
> It was me who introduced the bug.  I neglected to run the tests this time.
> Unfortunately, the 1.9 maintainers seemed to trust me, which they shouldn't
> have.  I hope we can learn something from this experience.
>
> I have just committed all the fixes (from 1.9) to 1.8 HEAD.

I know how that is, and I sympathize. Good thing Ruby has a great
community to catch us when we stumble :)

Let me know if there's any way I can help ruby-core devs include
rubyspecs in day-to-day development. They only take about a minute to
run.

- Charlie
Urabe Shyouhei (Guest)
on 2009-06-12 10:07
(Received via mailing list)
Yukihiro Matsumoto wrote:
> I have just committed all the fixes (from 1.9) to 1.8 HEAD.

And I've backported that to 1.8.7.

Can I release that right now?  Or should I wait for next week?  It's
Friday after 17:00 in Japan.  I'm personally OK to release, though.
Urabe Shyouhei (Guest)
on 2009-06-16 02:25
(Received via mailing list)
> Yukihiro Matsumoto wrote:
>> I have just committed all the fixes (from 1.9) to 1.8 HEAD.
>
> And I've backported that to 1.8.7.

Sorry for the breakage.  I've put the release tarball on our ftp site
(URL below).

ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p174.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p174.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p174.zip

Checksums:

MD5(ruby-1.8.7-p174.tar.gz)= 18dcdfef761a745ac7da45b61776afa5
SHA256(ruby-1.8.7-p174.tar.gz)= da65d7d7c09ffc018fe5788338dc91ced08e0fb009a90c4bdeececfbd8c0fcc1
SIZE(ruby-1.8.7-p174.tar.gz)= 4823453

MD5(ruby-1.8.7-p174.tar.bz2)= 88c45aaf627b4404e5e4273cb03ba2ee
SHA256(ruby-1.8.7-p174.tar.bz2)= 203978b6db1cc77a79ff03d141d162f6f17d86c3574f76de9eae9d0c8cb920bc
SIZE(ruby-1.8.7-p174.tar.bz2)= 4144807

MD5(ruby-1.8.7-p174.zip)= 238b4744fc96d8cdba639ac2070333c4
SHA256(ruby-1.8.7-p174.zip)= 0b21024be3d77f13df938cbde5664d5aef3cf4cc168e331130e74980a4f9087d
SIZE(ruby-1.8.7-p174.zip)= 5881715

Thank you.