RedHat has issued an advisory on February 28: https://rhn.redhat.com/errata/RHSA-2013-0582.html

Patched packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated ruby-ruby_parser packages fix security vulnerability:

It was found that ruby_parser from rubygem-ruby_parser created a temporary file in an insecure way. A local attacker could use this flaw to perform a symbolic link attack, overwriting arbitrary files accessible to the application using ruby_parser (CVE-2013-0162).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0162
https://rhn.redhat.com/errata/RHSA-2013-0582.html
========================

Updated packages in core/updates_testing:
========================
ruby-ruby_parser-2.0.6-1.1.mga2
ruby-ruby_parser-doc-2.0.6-1.1.mga2

from ruby-ruby_parser-2.0.6-1.1.mga2.src.rpm
Blocks: (none) => 6487
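The advisory names the bug class (insecure temporary file, symlink attack) without showing the mechanics. The following is an added Ruby example, not ruby_parser's code and not from this report: it contrasts a truncating write to a predictable temp path with an open using O_CREAT|O_EXCL, and checks both inside a throwaway directory. The "victim" file and the temp file name are constructed for the demonstration.

```ruby
require "tmpdir"

# Added demonstration of the CVE-2013-0162 bug class, not ruby_parser's own
# code. A temp file created under a predictable name with a plain truncating
# open follows whatever symlink has been planted at that name.

# Unsafe pattern: "w" means O_WRONLY|O_CREAT|O_TRUNC, which follows symlinks.
def write_temp_unsafe(path, data)
  File.open(path, "w") { |f| f.write(data) }
end

# Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if anything already
# exists at the path, and POSIX specifies EEXIST for a symlink there even if
# its target is missing. Mode 0600 keeps the file private. Tempfile and
# Dir.mktmpdir use the same flags with a random name. Returns true if created.
def write_temp_safe(path, data)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
    f.write(data)
  end
  true
rescue Errno::EEXIST
  false
end

# Sandboxed check: a symlink is planted at the constructed predictable temp
# name, pointing at a "victim" file. Returns the victim's content afterwards:
# "original" means the write was refused, "overwritten" means the symlink
# was followed.
def symlink_outcome(safe)
  Dir.mktmpdir do |dir|
    victim = File.join(dir, "victim.txt")
    File.write(victim, "original")
    temp = File.join(dir, "ruby_parser.tmp") # constructed predictable name
    File.symlink(victim, temp)
    if safe
      write_temp_safe(temp, "overwritten")
    else
      write_temp_unsafe(temp, "overwritten")
    end
    File.read(victim)
  end
end

# Permission bits of a file the safe path creates when nothing is planted.
def safe_create_mode
  Dir.mktmpdir do |dir|
    temp = File.join(dir, "fresh.tmp")
    write_temp_safe(temp, "data") && (File.stat(temp).mode & 0777)
  end
end

if __FILE__ == $0
  puts "unsafe: victim now '#{symlink_outcome(false)}'"
  puts "safe:   victim now '#{symlink_outcome(true)}'"
end
```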
I don't think this is working

Before
------
$ irb
irb(main):001:0> require 'ruby_parse'
LoadError: no such file to load -- ruby_parse
        from (irb):1:in `require'
        from (irb):1
        from :0
irb(main):002:0> require 'ruby_parser'
LoadError: no such file to load -- ruby_parser
        from (irb):2:in `require'
        from (irb):2
        from :0
irb(main):003:0> quit
$ rpm -q ruby-ruby_parser
ruby-ruby_parser-2.0.6-1.mga1

After
-----
$ irb
irb(main):001:0> require 'ruby_parser'
LoadError: no such file to load -- ruby_parser
        from (irb):1:in `require'
        from (irb):1
        from :0
irb(main):002:0> quit
$ rpm -q ruby-ruby_parser
ruby-ruby_parser-2.0.6-1.1.mga2

Congratulations to misc for finding the vulnerability.
A couple of links to help with testing.
http://blog.rubybestpractices.com/posts/judofyr/sexp-for-rubyists.html

Also one for ruby-ruby2ruby which requires it
http://docs.seattlerb.org/ruby2ruby/
Whiteboard: (none) => feedback
CC: (none) => shikamaru
CC: (none) => fundawang
You need racc as well according to the docs. I still couldn't get it to work using the first link above. This page is much better:
http://ujihisa.blogspot.co.uk/2009/07/parsers-around-ruby.html

I seem to be able to get it to work before updating, so is it just a matter of checking it still works after updating? If so, I'll try to do it tomorrow.

Carolyn
CC: (none) => isolde
rubygems will download the gem and use that rather than the packaged version Carolyn.

Tried x86_64

$ gem list

*** LOCAL GEMS ***

atk (1.0.3)
cairo (1.10.2)
gdk_pixbuf2 (1.0.3)
glib2 (1.0.3)
gtk2 (1.0.3)
msgpack (0.4.6)
pango (1.0.3)
pkg-config (1.1.0)
ruby_parser (2.0.6)
sexp_processor (3.0.5)

$ irb
irb(main):001:0> require 'ruby_parser'
LoadError: no such file to load -- ruby_parser
        from (irb):1:in `require'
        from (irb):1
        from :0
$ strace -o strace.out irb
irb(main):001:0> require 'ruby_parser'
LoadError: no such file to load -- ruby_parser
        from (irb):1:in `require'
        from (irb):1
        from :0
irb(main):002:0> quit

$ grep parse strace.out
stat("/usr/lib/ruby/site_ruby/1.8/ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/site_ruby/1.8/ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/site_ruby/1.8/x86_64-linux/ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/site_ruby/1.8/x86_64-linux/ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/site_ruby/1.8/x86_64-linux-gnu/ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/site_ruby/1.8/x86_64-linux-gnu/ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/site_ruby/ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/site_ruby/ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/vendor_ruby/1.8/ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/vendor_ruby/1.8/ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/vendor_ruby/1.8/x86_64-linux/ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/vendor_ruby/1.8/x86_64-linux/ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/vendor_ruby/ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/vendor_ruby/ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/1.8/ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/1.8/ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/1.8/x86_64-linux/ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/1.8/x86_64-linux/ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/1.8/x86_64-linux-gnu/ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ruby/1.8/x86_64-linux-gnu/ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("./ruby_parser.rb", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)
stat("./ruby_parser.so", 0x7fff82749ee0) = -1 ENOENT (No such file or directory)

$ urpmf ruby-ruby_parser:
ruby-ruby_parser:/usr/bin/ruby_parse
ruby-ruby_parser:/usr/lib/ruby/gems/1.8/gems/ruby_parser-2.0.6
ruby-ruby_parser:/usr/lib/ruby/gems/1.8/gems/ruby_parser-2.0.6/bin
ruby-ruby_parser:/usr/lib/ruby/gems/1.8/gems/ruby_parser-2.0.6/bin/ruby_parse
ruby-ruby_parser:/usr/lib/ruby/gems/1.8/gems/ruby_parser-2.0.6/lib
ruby-ruby_parser:/usr/lib/ruby/gems/1.8/gems/ruby_parser-2.0.6/lib/gauntlet_rubyparser.rb
ruby-ruby_parser:/usr/lib/ruby/gems/1.8/gems/ruby_parser-2.0.6/lib/ruby_lexer.rb
ruby-ruby_parser:/usr/lib/ruby/gems/1.8/gems/ruby_parser-2.0.6/lib/ruby_parser.rb
ruby-ruby_parser:/usr/lib/ruby/gems/1.8/gems/ruby_parser-2.0.6/lib/ruby_parser.y
ruby-ruby_parser:/usr/lib/ruby/gems/1.8/gems/ruby_parser-2.0.6/lib/ruby_parser_extras.rb
ruby-ruby_parser:/usr/lib/ruby/gems/1.8/specifications/ruby_parser-2.0.6.gemspec
How about this?

[carolyn@localhost ~]$ irb
irb(main):001:0> require '/usr/lib/ruby/site_ruby/1.8/rubygems.rb'
=> true
irb(main):002:0> require '/usr/lib/ruby/gems/1.8/gems/ruby_parser-2.0.6/lib/ruby_parser.rb'
=> true
irb(main):003:0> require 'pp'
=> true
irb(main):004:0> pp RubyParser.new.parse(<<-EOF)
irb(main):005:1" def plus_five(n)
irb(main):006:1"   n + 5
irb(main):007:1" end
irb(main):008:1" EOF
s(:defn,
 :plus_five,
 s(:args, :n),
 s(:scope, s(:block, s(:call, s(:lvar, :n), :+, s(:arglist, s(:lit, 5))))))
=> nil

Carolyn
Not sure if this is a problem with irb or with ruby-parser? irb searches for the required gem in the wrong place, or the gem is being installed to the wrong place. Funda/David any advice please.
Some success. IINM if the gem is installed then require "rubygems" is enough, without a require for the specific module.
hrm no, I am mistaken
David I'm assigning this back to you, simply because I don't know who else to assign it to, sorry.
CC: (none) => qa-bugs
Assignee: qa-bugs => luigiwalser
I know nothing. Assigning to Funda.
Assignee: luigiwalser => fundawang
Closing this now due to Mageia 2 EOL. http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/
Status: NEW => RESOLVED
Resolution: (none) => OLD