correct versions for lang/ruby18?

Simon L. Nielsen simon at FreeBSD.org
Mon Jul 31 21:53:26 UTC 2006


On 2006.07.30 23:51:50 -0400, Dan Langille wrote:
> Are the versions for ruby18 specified correctly here?
> 
> http://www.vuxml.org/freebsd/76562594-1f19-11db-b7d4-0008743bf21a.html
> 
> 1.6.*	<	ruby	<	1.8.*	
> 1.8.*	<	ruby	<	1.8.4_9,1	
> 1.6.*	<	ruby_static	<	1.8.*	
> 1.8.*	<	ruby_static	<	1.8.4_9,1
> 
> Is that expected?  Doesn't 1.8.* mean 1.8.4_9,1 is also affected?
> 
> Perhaps 1.8.* should be 1.8

That seems correct to me (it should better, I suggested it ;-) ).  "*"
means basically the smallest possible version and "less than" is used,
not "less than equal", so the above entries for 1.6 mean any version
larger than the smallest 1.6 and less than any 1.8 version.

Of course the above really could be minimized to "ruby < 1.8.4_9,1" and
drop the 1.6 entry.  The reason that wasn't done was to make it
simpler to add fixed version info for 1.6 if that comes...

There is also the sidenote that since ruby 1.8.* above does not
include epoch 1 (,1 in version) and ruby 1.8 is now at port epoch 1 it
could never match, since "lowest_version,1 > highest_version".

The reason for using .* is to catch any beta version etc. (frankly I'm
not really sure right now if it's really an issue for ruby here but
I'm a bit too tired to really double check).  You can see the problem
here:

[simon at zaphod:~] pkg_version -t 1.8.0.p1 '1.8.*'
>
[simon at zaphod:~] pkg_version -t 1.8.0.p1 1.8
<
[simon at zaphod:~] pkg_version -t 1.8.0.p1 1.8.0
<

Both portaudit and vxquery seem to agree that the entry is correct:

[simon at eddie:vuxml] portaudit -q 'ruby-1.8.4_9,1'
[simon at eddie:vuxml] portaudit -q 'ruby-1.8.4_8,1'
ruby-1.8.4_8,1
[simon at eddie:vuxml] vxquery vuln.xml 'ruby-1.8.4_9,1'
[simon at eddie:vuxml] vxquery vuln.xml 'ruby-1.8.4_8,1'
Topic: ruby - multiple vulnerabilities
Affects:
    1.6.* < ruby < 1.8.*
    1.8.* < ruby < 1.8.4_9,1
    1.6.* < ruby_static < 1.8.*
    1.8.* < ruby_static < 1.8.4_9,1
References:
    bid:18944
    cvename:CVE-2006-3694
    url:http://secunia.com/advisories/21009/
    url:http://jvn.jp/jp/JVN%2383768862/index.html
    url:http://jvn.jp/jp/JVN%2313947696/index.html
<URL:http://vuxml.freebsd.org/76562594-1f19-11db-b7d4-0008743bf21a.html>

-- 
Simon L. Nielsen
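
Added example, not part of the original message and not pkg_version's own code: a simplified Python model of the comparison rules described above ("*" sorts lowest, a letter-led component such as "p1" sorts below a plain number, the epoch after "," is compared first, the "_" revision last), applied to the two ruby ranges of the entry. It only handles the version shapes that appear in this thread; the function names are hypothetical.

```python
import re

# The two "ruby" ranges of the VuXML entry, as (lower, upper) exclusive bounds.
RANGES = [("1.6.*", "1.8.*"), ("1.8.*", "1.8.4_9,1")]

def parse(version):
    """Split 'X.Y.Z_rev,epoch' into a sortable (epoch, components, revision)."""
    version, _, epoch = version.partition(",")
    version, _, revision = version.partition("_")
    comps = []
    for part in version.split("."):
        number = re.match(r"\d+", part)
        if part == "*":
            comps.append((-2, 0))                 # "*": smallest possible
        elif number:
            comps.append((int(number.group()), 0))
        else:                                     # e.g. "p1": no leading number
            digits = re.sub(r"\D", "", part)
            comps.append((-1, int(digits or 0)))
    return int(epoch or 0), comps, int(revision or 0)

def compare(a, b):
    """Return '<', '=' or '>' in the style of `pkg_version -t a b`."""
    ea, ca, ra = parse(a)
    eb, cb, rb = parse(b)
    width = max(len(ca), len(cb))
    ca += [(0, 0)] * (width - len(ca))            # missing components count as 0
    cb += [(0, 0)] * (width - len(cb))
    ka, kb = (ea, ca, ra), (eb, cb, rb)           # epoch first, revision last
    return "<" if ka < kb else ">" if ka > kb else "="

def affected(version):
    """True if lower < version < upper holds for any range (both bounds strict)."""
    return any(compare(lo, version) == "<" and compare(version, hi) == "<"
               for lo, hi in RANGES)

if __name__ == "__main__":
    for other in ("1.8.*", "1.8", "1.8.0"):
        print("1.8.0.p1", compare("1.8.0.p1", other), other)
    for v in ("1.8.4_8,1", "1.8.4_9,1"):
        print(v, "affected" if affected(v) else "not affected")
```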

