Bug 152768 - CAN-2004-0755, CAN-2004-0983: ruby CGI vulnerabilities
CAN-2004-0755, CAN-2004-0983: ruby CGI vulnerabilities
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: ruby (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
http://cve.mitre.org/cgi-bin/cvename....
1, LEGACY, rh73, rh90
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-08-23 14:05 EDT by Marc Deslauriers
Modified: 2007-04-18 13:22 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-05-12 20:55:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Lawrence 2005-03-30 18:26:46 EST
The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly
PStore, creates files with insecure permissions, which can allow local users to
steal session information and hijack sessions.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0755
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130065
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130063



------- Additional Comments From dwb7@ccmr.cornell.edu 2004-08-31 12:22:30 ----

There's a patch in there... somewhere. It seems RH has rpms which fix the issue,
but haven't managed to find them anywhere, yet. We most likely would want the
patch from the 2.1AS rpms.



------- Additional Comments From dom@earth.li 2004-09-30 04:59:31 ----

RHEL updates: http://rhn.redhat.com/errata/RHSA-2004-441.html



------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-08 19:07:24 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updates packages to QA for 73, 9 and fc1.

Can someone test these? I have no idea how...

Changelog:
* Fri Oct 08 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> - 1.6.8-6.legacy
- - Added security patch for CAN-2004-0755

9574a19d2c71eabbc803e0f85f233ca50742628c  7.3/ruby-1.6.7-3.legacy.i386.rpm
3a57129ccf1a05c765da7e1b1c17f45154916f07  7.3/ruby-1.6.7-3.legacy.src.rpm
0e20c33f93bbd2d972f2ee5223ace915afffd56b  7.3/ruby-devel-1.6.7-3.legacy.i386.rpm
880397b2d5811740d13f1fbd29fe2be0460253c3  7.3/ruby-docs-1.6.7-3.legacy.i386.rpm
f936fb781f44b4d33ee6ba95e282f2a195d83ad4  7.3/ruby-libs-1.6.7-3.legacy.i386.rpm
6f31b6e242a381e8e1f6f3cedc81fc2475a34ba1  7.3/ruby-mode-1.6.7-3.legacy.i386.rpm
cf28acb2e616cf684f9576a937456bf8cbe01f35 
7.3/ruby-mode-xemacs-1.6.7-3.legacy.i386.rpm
a451ede03c0bcfd38c303ae95dd6fc3f86de79ac  7.3/ruby-tcltk-1.6.7-3.legacy.i386.rpm
53794fd8418983a399bc04a3d0d1f4c33661ad91  7.3/irb-1.6.7-3.legacy.i386.rpm
801d9823b8033d91769d234d2af4b9801ac8dd48  9/ruby-1.6.8-6.legacy.i386.rpm
4920a23d4ea8028262ad28d9d000eb4c69c924d6  9/ruby-1.6.8-6.legacy.src.rpm
0e4992871d66819dcccbe6bf7c0094c0ca9acc42  9/ruby-devel-1.6.8-6.legacy.i386.rpm
2783c63aecd5cb9ee03e50bb46cb176ba53b1796  9/ruby-docs-1.6.8-6.legacy.i386.rpm
f8f3de5f25223e8703cc2decdb6f24d7f16a2d54  9/ruby-libs-1.6.8-6.legacy.i386.rpm
0da88f7615e1dd1530560f0df920e883467f6c5e  9/ruby-mode-1.6.8-6.legacy.i386.rpm
cbc70125edce1b608fe3c7352f5b5d14286bd0a2  9/ruby-tcltk-1.6.8-6.legacy.i386.rpm
1db8283fef9da3837d7be2d30ea652cb3b1c118f  9/irb-1.6.8-6.legacy.i386.rpm
14280217972dd9952f1daf89a3419b4c1696e9c5  1/ruby-1.8.0-2.legacy.i386.rpm
41a6c751ea7211928bbd66b65607ba5ea653fa1b  1/ruby-1.8.0-2.legacy.src.rpm
0c7eb2577988ad4da4211a43e216910ca966c39d  1/ruby-devel-1.8.0-2.legacy.i386.rpm
35748b4ca229f46a4b1b74d9e1b28d92f414b646  1/ruby-docs-1.8.0-2.legacy.i386.rpm
fa0e0daea139cef5216379e5edbae472ece4fffe  1/ruby-libs-1.8.0-2.legacy.i386.rpm
7edc9bc840fbd6de32124102f17a1120244fbadb  1/ruby-mode-1.8.0-2.legacy.i386.rpm
ee857a8272f2466c74a97ce8dab8d113201444e4  1/ruby-tcltk-1.8.0-2.legacy.i386.rpm
37802344579000cb957b48f784c361b9069a4af1  1/irb-1.8.0-2.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/
http://www.infostrategique.com/linuxrpms/legacy/9/
http://www.infostrategique.com/linuxrpms/legacy/1/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBZ3IlLMAs/0C4zNoRAgCoAJ43TpbICmvrJeJYzaUg5FnhES6mAQCfcjCm
v1mOXgwSdrZx8nT+aBnN3W0=
=MDpH
-----END PGP SIGNATURE-----




------- Additional Comments From josh.kayse@gtri.gatech.edu 2004-11-08 05:17:58 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the FC1 package:

41a6c751ea7211928bbd66b65607ba5ea653fa1b  ruby-1.8.0-2.legacy.src.rpm

- - source identical to previous release
- - patch looks good
- - builds cleanly
- - installs clean
- - spec file looks good
- - runs fine

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBj44JwnUFCSDmt7ERAuPoAKCW+XKNBG/Nf12cOIyMx8HalWaaHACfaLEc
NdTOvfgOg+OTPW1bgrGK/Qk=
=fxqi
-----END PGP SIGNATURE-----




------- Additional Comments From fedora-legacy-bugzilla-2004@fumika.jp 2004-11-08 18:08:21 ----

A new vulnerability has been discovered in Ruby, which can be exploited by
malicious people to cause a DoS from remote. (CAN-2004-0983)

http://secunia.com/advisories/13123/



------- Additional Comments From deisenst@gtw.net 2004-11-09 18:41:27 ----

Created an attachment (id=917)
Fixes CAN-2004-0983, CGI DoS

Attachment taken from RedHat Bugzilla, bug # 138366
   http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138366



------- Additional Comments From deisenst@gtw.net 2004-11-09 18:50:51 ----

With the above patch, can someone see if they apply well to the various sources,
and re-submit .src.rpm packages?   -David



------- Additional Comments From deisenst@gtw.net 2004-11-19 03:16:07 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package for QA for Fedora Core 1:

 SHA1SUM                                   NAME
 ========================================  ===========================
 dedbc81c755c67ee02a43e0f8f25473dd8fe3917  ruby-1.8.0-3.legacy.src.rpm

http://members.gtw.net/~deisenst/legacy/FC1/SRPMS/ruby-1.8.0-3.legacy.src.rpm

 ===============
Changelog:
* Wed Nov 17 2004 David Eisenstein <deisenst@gtw.net> 1.8.0-3.legacy
- - Added security patch for CAN-2004-0983
                                                                                
* Fri Oct  8 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 1.8.0-2.legacy
- - Added security patch for CAN-2004-0755
- - Disabled make test (for some reason, doesn't always work)

Ruby interpreter on my machine seem to work for the sample .rb script files.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBnfEpxou1V/j9XZwRAnzhAKDPcOhWNmWuwcz/qFGB7NfYw94pUACg3ri/
Mbr6ZqiHXHCbfWz/dvk59u4=
=9vDf
-----END PGP SIGNATURE-----




------- Additional Comments From rob.myers@gtri.gatech.edu 2004-11-19 10:33:15 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
i did QA on david's fc1 package:
dedbc81c755c67ee02a43e0f8f25473dd8fe3917  ruby-1.8.0-3.legacy.src.rpm
  
sha1sum ok
source files ok (compared to ruby-1.8.0-1)
spec file ok
patch for CAN-2004-0983 looks good (the same as ruby-1.8.1-6.FC2.0)
builds fine. (one innocuous file listed twice warning)
cra's rpm-build-compare script looks good
installs ok
runs ok (at least the minesweeper demo did)
  
but is the patch for CAN-2004-0755 complete?  i don't know ruby
so i'm not really sure.
 
gentoo is using this patch for CAN-2004-0755:
 
from:
http://darkstar.ist.utl.pt/gentoo/portage/dev-lang/ruby/files/ruby-1.8.0-CGI::Session.patch
 
diff -urN ruby-1.8.0.orig/lib/cgi/session/pstore.rb
ruby-1.8.0/lib/cgi/session/pstore.rb
- --- ruby-1.8.0.orig/lib/cgi/session/pstore.rb 2003-07-15 14:38:05.000000000
+0900
+++ ruby-1.8.0/lib/cgi/session/pstore.rb        2004-08-19 22:00:06.000000000
+0900
@@ -32,6 +32,9 @@
          @hash = {}
        end
        @p = ::PStore.new path
+       @p.transaction do |p|
+         File.chmod(0600, p.path)
+       end
       end
  
       def restore
diff -urN ruby-1.8.0.orig/lib/cgi/session.rb ruby-1.8.0/lib/cgi/session.rb
- --- ruby-1.8.0.orig/lib/cgi/session.rb        2003-07-24 01:44:55.000000000 +0900
+++ ruby-1.8.0/lib/cgi/session.rb       2004-08-19 21:57:23.000000000 +0900
@@ -124,7 +124,7 @@
        begin
          @f = open(path, "r+")
        rescue Errno::ENOENT
- -       @f = open(path, "w+")
+         @f = File.open(path, File::CREAT|File::RDWR, 0600)
        end
       end
  
 
 
the patch ruby-1.8.0-CAN-2004-0755.patch is included with ruby-1.8.0-3.legacy:
 
diff -Naur ruby-1.8.0.ori/lib/cgi/session.rb ruby-1.8.0/lib/cgi/session.rb
- --- ruby-1.8.0.ori/lib/cgi/session.rb   2003-07-23 12:44:55.000000000 -0400
+++ ruby-1.8.0/lib/cgi/session.rb       2004-10-08 20:41:33.000000000 -0400
@@ -124,7 +124,7 @@
        begin
          @f = open(path, "r+")
        rescue Errno::ENOENT
- -         @f = open(path, "w+")
+         @f = File.open(path, File::CREAT|File::RDWR, 0600)
        end
       end
   
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBnlfEtU2XAt1OWnsRAjX7AJ9Wx9+jJJj+upVynr3qZIHmFwaNIwCgw9wa
IxMzWSGRde+kebd76dppcYk=
=ktl/
-----END PGP SIGNATURE-----




------- Additional Comments From deisenst@gtw.net 2004-11-20 16:33:30 ----

Good catch, Rob!  Thanks!  I'll be submitting a new source package forthwith.



------- Additional Comments From deisenst@gtw.net 2004-11-22 00:54:56 ----

Created an attachment (id=930)
CGI Session File Permissions patch [CAN-2004-0755]

This patch, for FC1's ruby-1.8.0, is based upon Red Hat's Fedora Core 2 patch
to ruby-1.8.1 (RH Bugzilla #130063) by Akira Tagoh.  It appears to do a lot
more than secure the session file.  It alters methods in the
CGI::Session::FileStore class to only open the session file when it either
needs to read from it or write to it, instead of the original behavior of
opening it and keeping it open unless explicitly closed with a "session.close".


See the next attachment for a test script to test the behavior of this new
patch.




------- Additional Comments From deisenst@gtw.net 2004-11-22 01:33:48 ----

Created an attachment (id=931)
File permissions test script for CAN-2004-0755

This attachment is a Ruby test script that should test the behavior of Ruby's
CGI::Session::FileStore class.	It is based on a test script that Josh Bressers
of Red Hat wrote (in RH Bugzilla #130065) to do the same thing, but a little
more fleshed out.

To use this script, I do this:
   $  export QUERY_STRING="HELLO=there&A=C&B=D&testing=yes"
   $  export REQUEST_METHOD="GET"
   $  ruby bressers-test-CAN-2004-0755.rb

While running this test script, I get a couple of warnings, but it does seem to
adequately demonstrate file permissions on the session file are being set
correctly.  Unless you uncomment the last line of this Ruby script, you will
need to delete the /tmp/blah_* session file(s) yourself when you're done
testing using this script.



------- Additional Comments From deisenst@gtw.net 2004-11-22 02:22:21 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package for QA for Fedora Core 1:

 SHA1SUM                                   NAME
 ========================================  ===========================
 39f201e593a314f19aae33cf5fd12371319e6c1b  ruby-1.8.0-4.legacy.src.rpm

http://members.gtw.net/~deisenst/legacy/FC1/SRPMS/ruby-1.8.0-4.legacy.src.rpm

 ===============
Changelog:
* Sat Nov 20 2004 David Eisenstein <deisenst@gtw.net> 1.8.0-4.legacy
- - Redid security fix [CAN-2004-0755]
- - ruby-1.8.0-cgi_session_perms.patch: sets the permission of the session data
  file to 0600. Backport of FC2's patch to 1.8.1. (#2007)
- - Re-enabled make test.

* Wed Nov 17 2004 David Eisenstein <deisenst@gtw.net> 1.8.0-3.legacy
- - security fix [CAN-2004-0983]
- - ruby-1.8.0-cgi-dos.patch: applied to fix a denial of service issue. (#2007)

* Fri Oct  8 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 1.8.0-2.legacy
- - Added security patch for CAN-2004-0755
- - Disabled make test (for some reason, doesn't always work)

Ruby interpreter on my machine works for the sample .rb script files.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBodpLxou1V/j9XZwRAt9fAJwM7w9JTUAysGu6fSgD5cUyTBlh3wCgyz+u
hYvO0C7tbCI9Z23fGpB3c8U=
=LAjJ
-----END PGP SIGNATURE-----




------- Additional Comments From rob.myers@gtri.gatech.edu 2004-11-24 06:24:13 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
i did QA on david's fc1 package:
39f201e593a314f19aae33cf5fd12371319e6c1b  ruby-1.8.0-4.legacy.src.rpm
 
sha1sum ok
source files ok (compared to ruby-1.8.0-1)
spec file ok
patch for CAN-2004-0983 looks good (renamed from ruby-1.8.0-CAN-2004-0983.patch
to ruby-1.8.0-cgi-dos.patch)
patch for CAN-2004-0755 looks better, passes test script
builds ok (may have to disable make test to build in mach, and one innocuous
file listed twice warning)
cra's rpm-build-compare script looks good
installs ok
runs ok
 
+PUBLISH
  
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBpLURtU2XAt1OWnsRAuL5AJ9ZZz9fNgq4lrioFJxdYY+keWAYxQCffzas
Wn7DU+VfnYJyk4z2cKM92eE=
=4jLi
-----END PGP SIGNATURE-----




------- Additional Comments From josh.kayse@gtri.gatech.edu 2004-12-07 06:15:33 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the FC1 package:

39f201e593a314f19aae33cf5fd12371319e6c1b  ruby-1.8.0-4.legacy.src.rpm

- - source files identical to previous rls
- - patch files look good
- - spec file looks good, except for file listed twice
- - builds cleanly
- - installs cleanly
- - runs ok

++PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBtdcYwnUFCSDmt7ERAqBSAKClknzXad2VgOyw0CKL27uHjSIhlQCfcjjy
TfLl0eVW3Vu/WKKgUrwXygY=
=S7Vf
-----END PGP SIGNATURE-----




------- Additional Comments From deisenst@gtw.net 2005-01-11 13:01:33 ----

This bug is over 4 1/2 months old.  I've been wondering if anybody is going
to submit new Ruby packages for RH7.3 and RH9 to handle the new CAN-2004-0983
CGI DoS vulnerability as well as to ensure the CGI Session File Permissions
patch, CAN-2004-0755, is complete?

If no one does so, I will try to do so; however, I don't have RH7.3 or RH9
on my machine, so the best I can do is create the packages and let others
test them by compiling and installing in their RH7.3 or RH9 installations for
PUBLISH.

Thoughts?  Comments?   -David



------- Additional Comments From pekkas@netcore.fi 2005-01-11 22:00:21 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Here's SRPM for RHL9:
 - I took the patches straight from RHEL3
 - builds, installs, and passes the .rb file test.
 
http://www.netcore.fi/pekkas/linux/ruby-1.6.8-6.1.legacy.src.rpm
 
3e3f51f9c006bb2865cd7246c4bb1e76e5d3f973  ruby-1.6.8-6.1.legacy.src.rpm
 
* Wed Jan 12 2005 Pekka Savola <pekkas@netcore.fi> 1.6.8-6.1.legacy
- - fix CAN-2004-0755, CAN-2004-0983 (#2007)
 
...
 
I also already backported the other path (cgidos works as is) for RHL73, but
because I don't have RHL73 system w/ emacs & xemacs, I cannot create a SRPM.
The compilation works though.
 
I added a "return unless @hash" in the patch because that seemed
appropriate, existing in ruby-1.6.8.
 
cf42235a6c5d4ec547293501be74245ae3064a19  ruby-1.6.7-cgi_session_perms.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFB5NjqGHbTkzxSL7QRAiWjAJwLGpH+BQEx9cQovQrov1NjJz3Y6gCeMYQJ
GLeV9akI2dQ0EKCMcm6w2lA=
=l0DM
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas@netcore.fi 2005-01-11 22:01:42 ----

Oh yes, the patch is available (if someone wants to take it) from the similar
URL as the SRPM.



------- Additional Comments From deisenst@gtw.net 2005-01-20 11:20:20 ----

Re:  ruby-1.6.7 for RHL 7.3:

Marc Deslauriers' ruby-1.6.7-cgi_session_perms.patch for ruby (in comment #3
ruby-1.6.7-3.legacy.src.rpm) looks complete as it is.  The "return
unless @hash" is in the update method of session.rb, like it is in Pekka's
patch in comment 17.  (It is essentially the patch in attachment 930
with the the first hunk yanked out (since ruby-1.6.7 has no pstore.rb),
and the line numbers rejiggered.)

Comment #20 will be a new package with the new ruby-1.6.7-cgi-dos.patch.

RH 7.3 users, Please compile and test the following package!  (If you want,
you can use the test script mentioned in comment 12.)

Thanks!!	-David




------- Additional Comments From deisenst@gtw.net 2005-01-20 11:28:55 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Updated package for QA for Red Hat Linux 7.3, includes the security patch
for CAN-2004-0983, CGI DoS:

 SHA1SUM                                   NAME
 ========================================  ===========================
 dd7f94038fa094b7ff81fcb72d2086159bb15ad1  ruby-1.6.7-4.legacy.src.rpm

http://members.gtw.net/~deisenst/legacy/RH7.3/SRPMS/ruby-1.6.7-4.legacy.src.rpm

As I don't run RHL 7.3, please test!  Thanks!

 ===============
 Changelog:
 
* Mon Jan 17 2005 David Eisenstein <deisenst@gtw.net> 1.6.7-4.legacy
- - Added security patch for CAN-2004-0983, CGI Denial of Service
  (Fedora Legacy Bugzilla # 2007)

* Fri Oct  8 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 
  1.6.7-3.legacy
- - Added security patch for CAN-2004-0755

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFB8CJ3xou1V/j9XZwRArjkAJ9AubaC1Oxr+YHuuOlmRcztHBxMCwCgjMJZ
XSrwMdh/hPuciG4gMulVo6c=
=NCNE
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas@netcore.fi 2005-01-20 21:55:32 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
As said, I can't recompile this, but I did the other QA:
 - source integrity OK
 - patches are OK
 - spec file changes OK
 
+PUBLISH
 
dd7f94038fa094b7ff81fcb72d2086159bb15ad1  ruby-1.6.7-4.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFB8LVoGHbTkzxSL7QRArPSAKCukVY6f4GJiyu0Hc7WeQab7WNKHACeM1DN
PPpECFJJE28QDWSJmj1jum0=
=lQHv
-----END PGP SIGNATURE-----




------- Additional Comments From dwb7@ccmr.cornell.edu 2005-01-23 13:37:31 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rebuilt the ruby srpm on rh7.3. Built and installed ok.

sha1sum:
dd7f94038fa094b7ff81fcb72d2086159bb15ad1 *ruby-1.6.7-4.legacy.src.rpm

+PUBLISH

- -DWB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFB9DT7SY7s7uPf/IURAggPAKDUqtl9FVsWvb5FZVDEYGtVoTOv8ACgtKfq
ZTNQqVG3DjOKJ1ntm1xCVE0=
=qvQg
-----END PGP SIGNATURE-----



------- Additional Comments From deisenst@gtw.net 2005-02-06 07:05:08 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


QA for RH9 version of ruby by Pekka Savola in comment 17:

3e3f51f9c006bb2865cd7246c4bb1e76e5d3f973  ruby-1.6.8-6.1.legacy.src.rpm

  - sha1sum OK
  - spec file changes okay
  - patch files look fine
  - patches applied okay
  - built okay (on FC1 system; I don't have mach [yet])
  - did not install packages, since this is RH9.

As I don't have a RH9 environment nor mach, I could not test building
packages on that environment nor installing or running.  That all said,
I vote:

   PUBLISH+  RH9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFCBk3Sxou1V/j9XZwRAi3+AJ9MusHER6Zxls9+PaOGsJzIXgEMrACeJMDK
YbIPk5wzv2rGrvWIgnKqwZk=
=45Jt
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-13 08:48:47 ----

Argh...although rh73 and rh9 built fine, I can't build fc1 in mach. There is a
bunch of files missing from ruby-libs after building.



------- Additional Comments From pekkas@netcore.fi 2005-02-14 23:18:48 ----

Hmm.  Do you have a build log?  What kind of files are those, could they be
caused by missing buildreqs?



------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-15 15:51:32 ----

Found the problem:
missing BuildRequires:  groff bison tcl-devel tk-devel




------- Additional Comments From deisenst@gtw.net 2005-02-18 14:06:34 ----

Pushed to updates-testing today.



------- Additional Comments From pekkas@netcore.fi 2005-02-18 21:51:21 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Basic QA for RHL9 and RHL73:
 - PGP signature OK
 - install went fine
 - ran the bressers ruby exploit test and it worked OK

+VERIFY RHL9,RHL73

3ff73cc2715e1e05b89c793a990d632a6e2d5ebc  ruby-1.6.8-6.2.legacy.i386.rpm
f8c4d14d8bbc90e974824eb355f7031d6d988fbb  ruby-docs-1.6.8-6.2.legacy.i386.rpm
9221938904eb3752f6f662793590d0fd485717a3  ruby-1.6.7-5.legacy.i386.rpm
f57720143f0c3cc0414f35bac468d2a43a4f4ba5  ruby-libs-1.6.7-5.legacy.i386.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCFu+xGHbTkzxSL7QRAgdnAJ0Rfx0t5XPMAtK1EGUasa/5tZmBMQCfQAyy
OLTNMFiuhq7fg6WO15PRTBQ=
=Wits
-----END PGP SIGNATURE-----



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:26 -------

This bug previously known as bug 2007 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2007
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
Fixes CAN-2004-0983, CGI DoS
https://bugzilla.fedora.us/attachment.cgi?action=view&id=917
CGI Session File Permissions patch [CAN-2004-0755]
https://bugzilla.fedora.us/attachment.cgi?action=view&id=930
File permissions test script for CAN-2004-0755
https://bugzilla.fedora.us/attachment.cgi?action=view&id=931

Unknown priority P3. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 mschout 2005-05-09 19:37:35 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FC1 Verify:

sha1: ok
f316e376df3ec8ef4d36492f1059fc830116579a  ruby-1.8.0-5.legacy.i386.rpm
99152c9afef3260c395d98918f6dce80cdde6b33  ruby-devel-1.8.0-5.legacy.i386.rpm
db7227360fff6dd7bfa038732267296867bfc100  ruby-docs-1.8.0-5.legacy.i386.rpm
a1cdd38cd7899553856b474ab8a83430be7c0416  ruby-libs-1.8.0-5.legacy.i386.rpm
ee5fb8899a19891ad523a0eedaa2b91ce9e99bd4  ruby-mode-1.8.0-5.legacy.i386.rpm
b04a2aab214b5acdcc244efd13953dca51255d64  ruby-tcltk-1.8.0-5.legacy.i386.rpm

dsa sha1 md5 gpg signatures OK

installed all packages without any warnings or errors

ran the brassers test script successfully.

+VERIFY FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCgDpL+CqvSzp9LOwRArMIAJ48KzNQdDruBrsLgKTDtJVqHvWWmACcCqeQ
y8GmG7DluXpzGZDxZxUTaYc=
=TNM+
-----END PGP SIGNATURE-----
Comment 2 Marc Deslauriers 2005-05-12 20:55:35 EDT
Released to updates

Note You need to log in before you can comment on or make changes to this bug.