
jRuby 9.0.0.0+ affected by CVE-2014-4043 #3379

Closed
raelik opened this issue Oct 8, 2015 · 3 comments

Comments

raelik commented Oct 8, 2015

This vulnerability (detailed here) causes problems with Kernel#spawn when the options hash is used to redirect the default file descriptors for the child process. This does not occur in MRI, presumably because it is actually FFI that is causing the issue (which MRI doesn't need to make system calls). I don't believe any action can be taken by the jRuby team to resolve this, as the issue is caused by a vulnerability in glibc versions prior to 2.20. Any users suffering from this problem should update glibc to 2.20+.

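The report above is about `Kernel#spawn` called with an options hash that redirects the child's standard file descriptors, and its recommendation is to run glibc 2.20 or newer. The following is an added example, not code from this issue or from the JRuby project: it shows the spawn-with-redirect pattern in question and a small check that reports the running glibc version and whether it is older than 2.20. It assumes a Linux/glibc host with `Etc.confstr` and `Etc::CS_GNU_LIBC_VERSION` available (falling back to `ldd --version` otherwise); the version strings used in the test are constructed samples.

```ruby
require "etc"
require "tempfile"

# Oldest glibc release the issue names as not affected by CVE-2014-4043.
FIXED_GLIBC = [2, 20].freeze

# Extract [major, minor] from a glibc version string.
# Accepts the Etc.confstr form ("glibc 2.31") and the first line of
# `ldd --version` ("ldd (Ubuntu GLIBC 2.31-0ubuntu9) 2.31").
# Returns nil when no version is present (musl, macOS, Windows, ...).
def parse_glibc_version(text)
  return nil if text.nil?
  pairs = text.lines.first.to_s.scan(/(\d+)\.(\d+)/)
  return nil if pairs.empty?
  pairs.last.map(&:to_i)
end

# Compare numerically, never lexically: as versions "2.9" < "2.20",
# but as strings "2.9" > "2.20", which would hide an old glibc.
def glibc_affected?(version)
  return false if version.nil?
  (version <=> FIXED_GLIBC) < 0
end

# Best-effort detection of the running C library's version.
# Assumption: Etc::CS_GNU_LIBC_VERSION exists on glibc hosts; elsewhere
# (or under a Ruby that lacks Etc.confstr) fall back to `ldd --version`.
def running_glibc_version
  if Etc.respond_to?(:confstr) && Etc.const_defined?(:CS_GNU_LIBC_VERSION)
    return parse_glibc_version(Etc.confstr(Etc::CS_GNU_LIBC_VERSION))
  end
  out = IO.popen(["ldd", "--version"], err: [:child, :out], &:read)
  parse_glibc_version(out)
rescue SystemCallError, NotImplementedError
  nil
end

# The Kernel#spawn pattern from the report: the options hash redirects the
# child's stdout to a file. Runs `echo` and returns what the child wrote.
def spawn_with_redirected_stdout(message)
  Tempfile.create("spawn-demo") do |f|
    pid = spawn("echo", message, out: f.path) # :out in the options hash
    Process.wait(pid)
    File.read(f.path).chomp
  end
end

if __FILE__ == $PROGRAM_NAME
  v = running_glibc_version
  status = glibc_affected?(v) ? "older than 2.20, affected" : "not affected"
  puts "glibc: #{v ? v.join('.') : 'not detected'} (#{status})"
  begin
    puts "child wrote: #{spawn_with_redirected_stdout('hello from child')}"
  rescue SystemCallError => e
    puts "spawn demo skipped: #{e.message}"
  end
end
```

Run it under the JRuby (or MRI) interpreter in question; a nil version means the host is not glibc-based and the check does not apply.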
Member

headius commented Oct 8, 2015

Someone reported this as a bug in Kernel#spawn the other day, and we figured out that it was a glibc bug. Was that you?

This is good to note but I'm not sure how we pass this along. Perhaps in the 9.0.2.0 release notes we mention it and recommend glibc updates?

@headius headius added this to the JRuby 9.0.2.0 milestone Oct 8, 2015
Author

raelik commented Oct 8, 2015

@headius Yes, that was me 👍 Agreed, it hardly seemed like the proper place to report this, as it isn't really an issue to be fixed in jRuby.

Member

headius commented Oct 8, 2015

Yeah, release notes don't seem quite right either since this affects any JRuby 9k release -- past, present, and future -- on a system without glibc. Perhaps best we can do is tweet + email and these bugs.

@enebo enebo modified the milestones: Non-Release, JRuby 9.0.2.0 Oct 14, 2015
@enebo enebo closed this as completed Oct 14, 2015