Two security issues. Here's the changelog entry:

libjson-ruby (1.1.2-1+lenny1) stable-proposed-updates; urgency=low

  * Security Fix for JSON::Pure::Parser. A specially designed string
    could cause catastrophic backtracking in one of the parser's regular
    expressions. (fixed upstream in version 1.1.7)
  * Use the version of prototype.js from libjs-prototype. The included
    version had a security issue. (Closes: #555224, #555223)

 -- Ryan Niebur <ryan@debian.org>  Sun, 08 Nov 2009 22:33:47 -0800

Attached is a debdiff. Okay to upload?

-- 
_________________________
Ryan Niebur
ryanryan52@gmail.com
diff -u libjson-ruby-1.1.2/debian/control libjson-ruby-1.1.2/debian/control --- libjson-ruby-1.1.2/debian/control +++ libjson-ruby-1.1.2/debian/control @@ -25,6 +25,7 @@ Package: libjson-ruby-doc Architecture: all Section: doc +Depends: libjs-prototype Description: JSON library for Ruby (documentation) This library implements the JSON (JavaScript Object Notation) specification in Ruby, allowing the developer to easily convert data between Ruby and JSON. You diff -u libjson-ruby-1.1.2/debian/changelog libjson-ruby-1.1.2/debian/changelog --- libjson-ruby-1.1.2/debian/changelog +++ libjson-ruby-1.1.2/debian/changelog @@ -1,3 +1,13 @@ +libjson-ruby (1.1.2-1+lenny1) stable-proposed-updates; urgency=low + + * Security Fix for JSON::Pure::Parser. A specially designed string + could cause catastrophic backtracking in one of the parser's regular + expressions. (fixed upstream in version 1.1.7) + * Use the version of prototype.js from libjs-prototype. The included + version had a security issue. (Closes: #555224, #555223) + + -- Ryan Niebur <ryan@debian.org> Sun, 08 Nov 2009 22:33:47 -0800 + libjson-ruby (1.1.2-1) unstable; urgency=low [ Paul van Tilburg ] diff -u libjson-ruby-1.1.2/debian/rules libjson-ruby-1.1.2/debian/rules --- libjson-ruby-1.1.2/debian/rules +++ libjson-ruby-1.1.2/debian/rules @@ -7,6 +7,11 @@ BASEDIR = `pwd`/debian DEB_INSTALL_MANPAGES_edit-json = debian/edit_json.1 debian/prettify_json.1 +binary-install/libjson-ruby-doc:: + rm $(BASEDIR)/libjson-ruby-doc/usr/share/doc/libjson-ruby-doc/examples/prototype.js + ln -s /usr/share/javascript/prototype/prototype.js $(BASEDIR)/libjson-ruby-doc/usr/share/doc/libjson-ruby-doc/examples/prototype.js + dh_link -plibjson-ruby-doc + install/libjson-ruby1.8:: # remove files already installed in edit-json package rm -r $(BASEDIR)/libjson-ruby1.8/usr/bin only in patch2: unchanged: --- libjson-ruby-1.1.2.orig/lib/json/pure/parser.rb +++ libjson-ruby-1.1.2/lib/json/pure/parser.rb 
@@ -6,9 +6,11 @@ # into a Ruby data structure. class Parser < StringScanner STRING = /" ((?:[^\x0-\x1f"\\] | + # escaped special characters: \\["\\\/bfnrt] | \\u[0-9a-fA-F]{4} | - \\[\x20-\xff])*) + # match all but escaped special characters: + \\[\x20-\x21\x23-\x2e\x30-\x5b\x5d-\x61\x63-\x65\x67-\x6d\x6f-\x71\x73\x75-\xff])*) "/nx INTEGER = /(-?0|-?[1-9]\d*)/ FLOAT = /(-?
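Review bot: the first item in the debian/changelog hunk cites neither a bug number nor a CVE id, while the second item closes #555224 and #555223; if an identifier has been assigned to the JSON::Pure::Parser backtracking issue, add it to that item in the same `(Closes: #...)` or `CVE-...` form so the security tracker and the stable release team can match this upload to the issue. The "(fixed upstream in version 1.1.7)" remark is useful, but say explicitly that the parser.rb change is a backport of that upstream fix onto 1.1.2, since the version string stays 1.1.2-1+lenny1.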
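Review bot: in the `binary-install/libjson-ruby-doc::` rule of the debian/rules hunk, `ln -s /usr/share/javascript/prototype/prototype.js ...` creates an absolute symlink and then relies on the following `dh_link -plibjson-ruby-doc` to rewrite it into the policy-compliant relative form; it is simpler to drop the `ln -s` and let dh_link create the link directly, `dh_link -plibjson-ruby-doc usr/share/javascript/prototype/prototype.js usr/share/doc/libjson-ruby-doc/examples/prototype.js`. The unconditional `rm` of the bundled `prototype.js` is right for a stable update: if the file ever moves, the build fails loudly instead of silently keeping the vulnerable copy. Note that the new `Depends: libjs-prototype` in the debian/control hunk is what stops that symlink from dangling, so the two hunks must ship together.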
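Review bot: the replacement class in the last alternative of STRING still contains `\x75` (`u`), so an escape such as `\u00e9` can be consumed either by the `\\u[0-9a-fA-F]{4}` alternative or by the catch-all taking `\u` followed by four ordinary characters matched by `[^\x0-\x1f"\\]`; the overlap for `\"`, `\\`, `\/`, `\b`, `\f`, `\n`, `\r` and `\t` is gone because 0x22, 0x2f, 0x5c, 0x62, 0x66, 0x6e, 0x72 and 0x74 are now excluded, but the `\u` overlap is worth timing with a long run of `\u0000` escapes and no closing quote before treating this as a complete fix. The hex ranges are also hard to audit by eye; a comment listing the excluded bytes (`" / \ b f n r t`) next to the class would help the next maintainer.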
Attachment: signature.asc (Digital signature)
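The catastrophic backtracking the changelog refers to can be seen in the STRING regexp of the parser.rb hunk. The Ruby below is an added example and not code from the mail or from libjson-ruby: it copies the pre-fix and post-fix alternations from the debdiff, lists which escaped bytes more than one alternative can consume, checks that both regexps accept the same constructed sample literals, and times a failing match on a constructed input made of an opening quote, n escaped quotes and no closing quote. The helper names, the samples and the byte-oriented `/n` handling are assumptions of the example.

```ruby
# Added example, not part of the mail or of libjson-ruby: the two STRING
# alternations from the debdiff, side by side, with helpers that show where the
# old one is ambiguous and that the fix accepts the same strings.
# /n keeps both byte-oriented, as in the package; inputs are forced to binary
# with String#b so no encoding warnings are raised.
OLD_STRING = /" ((?:[^\x0-\x1f"\\] |
                  \\["\\\/bfnrt] |
                  \\u[0-9a-fA-F]{4} |
                  \\[\x20-\xff])*)
             "/nx

FIXED_STRING = /" ((?:[^\x0-\x1f"\\] |
                    \\["\\\/bfnrt] |
                    \\u[0-9a-fA-F]{4} |
                    \\[\x20-\x21\x23-\x2e\x30-\x5b\x5d-\x61\x63-\x65\x67-\x6d\x6f-\x71\x73\x75-\xff])*)
               "/nx

# The three escape alternatives of each regexp, anchored, so one escape
# sequence can be tested against each of them in isolation.
OLD_ESCAPES = [/\A\\["\\\/bfnrt]/n, /\A\\u[0-9a-fA-F]{4}/n, /\A\\[\x20-\xff]/n].freeze
FIXED_ESCAPES = [/\A\\["\\\/bfnrt]/n, /\A\\u[0-9a-fA-F]{4}/n,
                 /\A\\[\x20-\x21\x23-\x2e\x30-\x5b\x5d-\x61\x63-\x65\x67-\x6d\x6f-\x71\x73\x75-\xff]/n].freeze

# Escaped bytes that more than one alternative can consume. Each probe is the
# backslash, the byte, then four hex digits so the \u alternative is eligible.
# Two eligible alternatives means a backtracking engine has two ways to consume
# the same escape, which is what multiplies the work on a failing match.
def ambiguous_escapes(branches)
  (0x20..0xff).select do |byte|
    probe = '\\'.b + byte.chr + '0000'
    branches.count { |re| re.match?(probe) } > 1
  end.map(&:chr)
end

# Constructed string literals; the last one is not valid JSON, but both regexps
# are deliberately lenient about unknown escapes and that must not change.
SAMPLES = ['"plain"', '"tab\\tnewline\\n"', '"quote \\" and backslash \\\\"',
           '"slash \\/ unicode \\u00e9"', '"odd escape \\x"'].freeze

# True when both regexps accept every sample and capture the same body.
def same_acceptance?(a = OLD_STRING, b = FIXED_STRING)
  SAMPLES.all? do |s|
    ma = a.match(s.b)
    mb = b.match(s.b)
    ma && mb && ma[1] == mb[1]
  end
end

# Attack input (constructed): an opening quote, n escaped quotes, no closing
# quote. With the old regexp every \" can be taken by the bfnrt branch or by the
# catch-all, so the failing match explores about 2**n paths.
def crafted(n)
  ('"' + '\\"' * n).b
end

# Seconds the engine needs to decide that input is not a complete string literal.
def fail_time(regexp, input)
  start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  raise 'unexpected match' if regexp.match?(input)
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - start
end

if $PROGRAM_NAME == __FILE__
  puts "old ambiguous escapes:   #{ambiguous_escapes(OLD_ESCAPES).join(' ')}"
  puts "fixed ambiguous escapes: #{ambiguous_escapes(FIXED_ESCAPES).join(' ')}"
  puts "same strings accepted:   #{same_acceptance?}"
  # Ruby 3.2+ memoises backtracking and reports this with Regexp.linear_time?,
  # so the old regexp no longer blows up there; on older interpreters the old
  # time roughly doubles with each extra escape while the fixed one stays flat.
  if Regexp.respond_to?(:linear_time?)
    puts "engine memoises old regexp: #{Regexp.linear_time?(OLD_STRING)}"
  end
  [10, 12, 14, 16].each do |n|
    printf("n=%2d old=%.4fs fixed=%.6fs\n", n,
           fail_time(OLD_STRING, crafted(n)), fail_time(FIXED_STRING, crafted(n)))
  end
end
```

Run it with `ruby redos_check.rb` (any file name). The ambiguity listing is the part worth keeping around: it shows at a glance that the fix removes the eight overlaps on `" / \ b f n r t` but leaves `u` in the catch-all, so `\uXXXX` still has two parses, and it gives a mechanical way to re-check the class after any future edit.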