Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 31 Jul 2006 23:53:25 +0200
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        Dan Langille <dan@langille.org>
Cc:        vuxml@freebsd.org
Subject:   Re: correct versions for lang/ruby18?
Message-ID:  <20060731215324.GD1154@zaphod.nitro.dk>
In-Reply-To: <44CD4616.6955.1CD8B337@dan.langille.org>
References:  <44CD4616.6955.1CD8B337@dan.langille.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On 2006.07.30 23:51:50 -0400, Dan Langille wrote:
> Are the versions for ruby18 specified correctly here?
> 
> http://www.vuxml.org/freebsd/76562594-1f19-11db-b7d4-0008743bf21a.html
> 
> 1.6.*	<	ruby	<	1.8.*	
> 1.8.*	<	ruby	<	1.8.4_9,1	
> 1.6.*	<	ruby_static	<	1.8.*	
> 1.8.*	<	ruby_static	<	1.8.4_9,1
> 
> Is that expected?  Doesn't 1.8.* mean 1.8.4_9,1 is also affected?
> 
> Perhaps 1.8.* should be 1.8

That seems correct to me (it should better, I suggsted it ;-) ).  "*"
means basically the smallest possible version and "less than" is used,
not "less than equal", so the above entries for 1.6 means any version
larger than the smallest 1.6 and less than any 1.8 version.

Of cause the above really could be minimized to "ruby < 1.8.4_9,1" and
drop the 1.6 entry.  The reason that wasn't done was to make it
simpler to add fixed version info for 1.6 if that comes...

There is also the sidenote that since ruby 1.8.* above does not
include epoch 1 (,1 in version) and ruby 1.8 is now at port epoch 1 it
could never match, since "lowest_version,1 > higest_version".

The reason for using .* is to catch any beta version etc. (frankly I'm
not really sure right now if it's really an issue for ruby here but
I'm a bit to tired to really double check).  You can see the problem
here:

[simon@zaphod:~] pkg_version -t 1.8.0.p1 '1.8.*'
>
[simon@zaphod:~] pkg_version -t 1.8.0.p1 1.8
<
[simon@zaphod:~] pkg_version -t 1.8.0.p1 1.8.0
<

Both portaudit and vxquery seems to agree that the entry is correct:

[simon@eddie:vuxml] portaudit -q 'ruby-1.8.4_9,1'
[simon@eddie:vuxml] portaudit -q 'ruby-1.8.4_8,1'
ruby-1.8.4_8,1
[simon@eddie:vuxml] vxquery vuln.xml 'ruby-1.8.4_9,1'
[simon@eddie:vuxml] vxquery vuln.xml 'ruby-1.8.4_8,1'
Topic: ruby - multiple vulnerabilities
Affects:
    1.6.* < ruby < 1.8.*
    1.8.* < ruby < 1.8.4_9,1
    1.6.* < ruby_static < 1.8.*
    1.8.* < ruby_static < 1.8.4_9,1
References:
    bid:18944
    cvename:CVE-2006-3694
    url:http://secunia.com/advisories/21009/
    url:http://jvn.jp/jp/JVN%2383768862/index.html
    url:http://jvn.jp/jp/JVN%2313947696/index.html
<URL:http://vuxml.freebsd.org/76562594-1f19-11db-b7d4-0008743bf21a.html>;

-- 
Simon L. Nielsen



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060731215324.GD1154>