| Summary: | ruby-actionmailer and ruby-activesupport new security issue CVE-2013-4389 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Pascal Terjan <pterjan> |
| Status: | RESOLVED WONTFIX | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | fundawang, oe, pterjan, stormi-mageia |
| Version: | 3 | ||
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/578023/ | ||
| Whiteboard: | feedback | ||
| Source RPM: | ruby-actionmailer, ruby-activesupport | CVE: | |
| Status comment: | |||
Description

David Walser 2013-12-23 16:23:21 CET

David Walser 2013-12-23 16:23:51 CET

Blocks: (none) => 11726

David Walser 2013-12-23 22:22:58 CET

URL: (none) => http://lwn.net/Vulnerabilities/578023/

fixed with ruby-actionmailer-3.2.13-1.1.mga3 + ruby-activesupport-3.2.13-1.1.mga3

CC: (none) => oe

Updated to 4.0.2 in Cauldron by Pascal Terjan. Not sure if that fixes this.

CC: (none) => pterjan

4.0.x is not affected by this. Thanks Oden!

Advisory:
========================

Updated ruby-actionmailer and ruby-activesupport packages fix security vulnerability:

Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message (CVE-2013-4389).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389
http://lists.opensuse.org/opensuse-updates/2013-12/msg00091.html
http://lists.opensuse.org/opensuse-updates/2013-12/msg00094.html
========================

Updated packages in core/updates_testing:
========================
ruby-actionmailer-3.2.13-1.1.mga3
ruby-actionmailer-doc-3.2.13-1.1.mga3
ruby-activesupport-3.2.13-1.1.mga3
ruby-activesupport-doc-3.2.13-1.1.mga3

from SRPMS:
ruby-actionmailer-3.2.13-1.1.mga3.src.rpm
ruby-activesupport-3.2.13-1.1.mga3.src.rpm

CC: (none) => fundawang

I'm not familiar with ruby or rails but following the guide here: http://guides.rubyonrails.org/action_mailer_basics.html

It fails to generate the mailer with a raft of errors. I can't find much info on the initial error so not sure where to go from here. It doesn't look like rails is working to me, but could be something to do with the environment or operator error.

```
# urpmi ruby-actionmailer ruby-bundler ruby-net-http-persistent ruby-RubyGems ruby-railties
$ rails new testapp
$ cd testapp
$ rails generate mailer UserMailer
/usr/share/ruby/gems/rubygems/custom_require.rb:36:in `require': cannot load such file -- rubygems/spec_fetcher (LoadError)
..etc
```

This should apparently show a list of things it can generate..

```
$ rails generate
/usr/share/ruby/gems/rubygems/custom_require.rb:36:in `require': cannot load such file -- rubygems/spec_fetcher (LoadError)
...etc
```

Also the example given in /usr/share/ruby/gems/gems/actionmailer-3.2.13/lib/rails/generators/mailer/USAGE

```
$ rails generate mailer Notifications signup forgot_password invoice
```

Same error. Tried on a system upgraded from mga2 and one with a pure mga3 install.

This error shows something being very broken in another package (railties, bundler or rubygems):

```
$ rails generate
/usr/share/ruby/gems/rubygems/custom_require.rb:36:in `require': cannot load such file -- rubygems/spec_fetcher (LoadError)
```

I may try to install a mageia3 chroot tonight to test if I have time.

Have you had time to test that like you wanted to Pascal?

CC: (none) => stormi

Tested using same steps as comment #4 and "rails new testapp" failed, so that's sooner than MrsB (maybe a missing dep?). That's an almost fresh install of Mageia 3 32bits.

```
[...]
Fetching gem metadata from https://rubygems.org/...........
Fetching gem metadata from https://rubygems.org/..
Installing rake (10.1.1)
Using i18n (0.6.1)
Installing multi_json (1.8.4)
Using activesupport (3.2.13)
Using builder (3.0.4)
Using activemodel (3.2.13)
Using erubis (2.7.0)
Using journey (1.0.4)
Using rack (1.4.5)
Using rack-cache (1.2)
Using rack-test (0.6.2)
Installing hike (1.2.3)
Installing tilt (1.4.1)
Using sprockets (2.2.2)
Using actionpack (3.2.13)
Installing mime-types (1.25.1)
Using polyglot (0.3.3)
Installing treetop (1.4.15)
Installing mail (2.5.4)
Using actionmailer (3.2.13)
Installing arel (3.0.3)
Installing tzinfo (0.3.38)
Installing activerecord (3.2.13)
Installing activeresource (3.2.13)
Using bundler (1.2.1)
Installing coffee-script-source (1.6.3)
Installing execjs (2.0.2)
Installing coffee-script (2.2.0)
Installing rack-ssl (1.3.3)
Installing json (1.8.1) with native extensions
Gem::Installer::ExtensionBuildError: ERROR: Failed to build gem native extension.

        /usr/bin/ruby extconf.rb
mkmf.rb can't find header files for ruby at /usr/share/include/ruby.h

Gem files will remain installed in /home/samuel/.gem/ruby/1.9.1/gems/json-1.8.1 for inspection.
Results logged to /home/samuel/.gem/ruby/1.9.1/gems/json-1.8.1/ext/json/ext/generator/gem_make.out
An error occurred while installing json (1.8.1), and Bundler cannot continue.
Make sure that `gem install json -v '1.8.1'` succeeds before bundling.
```

Follow-up: I had to install ruby-devel and make, gcc (missing deps to one of the ruby-xxx packages?), so that it could build the json 1.8.1 gem. But: why would it build the json gem? It doesn't feel right, for a package from the repository. Maybe we should have released mga3 with ruby-json-1.8.1? Just asking because I know nothing about ruby packaging.

Then it tries to build the sqlite3 1.3.8 gem (and installing manually ruby-sqlite3 1.3.6 from the repos doesn't fit). So had to install: libsqlite3-devel. Now I've got my "testapp" created. Then "$ rails generate mailer UserMailer" fails the same way as in comment #4.

Yes it should not download or build anything, it seems no one had tested the package on mga3 and it was totally broken :( (btw, on cauldron it is also broken in a different way)

Adding feedback marker for now.

Whiteboard: (none) => feedback

I don't know rails much but I opened a bug to myself to fix it in Cauldron, then I can work on fixing it for 3 but this will probably cause more packages to be touched...

Taking over the bug as the packages are useless currently anyway so no point in having QA consider it.

Assignee: qa-bugs => pterjan

Ruby on Rails has been dropped in Cauldron and we are unable to support it.

Status: NEW => RESOLVED
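The advisory quoted in the thread above describes CVE-2013-4389 as a format string problem in Action Mailer's log subscriber: a recipient address chosen by the sender is folded into the string that is then used as a `String#%` format while the log line is built. The Ruby below is an added example, not code from this bug report, from the Mageia packages or from Rails itself. Since the page does not show the affected `log_subscriber.rb`, the vulnerable shape here is a reconstruction from the advisory text, and the function names, the `(%1.fms)` layout, the duration value and the sample addresses are assumptions made for the demonstration. It puts the unsafe construction next to a safe one and probes both with crafted addresses.

```ruby
# Added example, not code from the bug report or from Rails: a reduced model
# of a log-subscriber message built with String#% (the vulnerable shape the
# CVE-2013-4389 advisory describes) beside a version that keeps sender-
# controlled text out of the format string. Function names, the format
# layout and the sample addresses are assumptions for this demonstration.

# Vulnerable shape: the recipient list is interpolated into the string that
# String#% then parses as a *format*, so a '%' inside an address becomes a
# conversion directive and the sender decides how the format is parsed.
def vulnerable_log_message(recipients, duration_ms)
  to = Array(recipients).join(', ')
  "\nSent mail to #{to} (%1.fms)" % duration_ms
end

# Fixed shape: the number is formatted on its own and only then placed into
# the message; the recipient text never reaches a format string.
def fixed_log_message(recipients, duration_ms)
  to = Array(recipients).join(', ')
  "\nSent mail to #{to} (#{duration_ms.round(1)}ms)"
end

# Run one of the two builders and report whether it survived. ArgumentError
# is what String#% raises for a malformed directive or a missing argument;
# raised from inside a delivery hook it aborts the delivery, which is the
# denial of service the advisory refers to.
def probe(builder, recipients, duration_ms = 12.34)
  { ok: true, message: send(builder, recipients, duration_ms) }
rescue ArgumentError => e
  { ok: false, error: e.message }
end

# Constructed sample addresses: one benign, two carrying '%' sequences.
SAMPLE_ADDRESSES = [
  'alice@example.com',      # no directives; both builders succeed
  'bob%s@example.com',      # %s swallows the duration, %1.f is left unfilled
  'mallory%@example.com',   # %@ is not a valid directive
].freeze

# Probe every sample address with both builders; returns
# { address => { vulnerable: {...}, fixed: {...} } }.
def compare_builders(addresses = SAMPLE_ADDRESSES)
  addresses.each_with_object({}) do |addr, out|
    out[addr] = {
      vulnerable: probe(:vulnerable_log_message, addr),
      fixed: probe(:fixed_log_message, addr),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_builders.each do |addr, result|
    v = result[:vulnerable]
    puts "#{addr.ljust(22)} vulnerable: #{v[:ok] ? 'ok' : 'RAISED ' + v[:error]}"
    puts "#{addr.ljust(22)} fixed:      #{result[:fixed][:ok] ? 'ok' : 'RAISED'}"
  end
end
```

The benign address survives both builders; the two crafted addresses make only the vulnerable builder raise, one with "too few arguments" and one with "malformed format string". For the packages in this report, the packaging-level check on a Mageia 3 host is `rpm -q ruby-actionmailer ruby-activesupport`, expecting the 3.2.13-1.1.mga3 builds listed in the advisory; the code-level check is to read the installed log_subscriber.rb under /usr/share/ruby/gems/gems/actionmailer-3.2.13/ (assumed to sit at lib/action_mailer/log_subscriber.rb, as in the upstream gem layout) and confirm that no `%` formatting has a recipient string interpolated into its left-hand side.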