permission for s-p-u upload for libjson-ruby security issues



Two security issues. Here's the changelog entry:

libjson-ruby (1.1.2-1+lenny1) stable-proposed-updates; urgency=low

  * Security Fix for JSON::Pure::Parser. A specially designed string
    could cause catastrophic backtracking in one of the parser's regular
    expressions. (fixed upstream in version 1.1.7)
  * Use the version of prototype.js from libjs-prototype. The included
    version had a security issue. (Closes: #555224, #555223)

 -- Ryan Niebur <ryan@debian.org>  Sun, 08 Nov 2009 22:33:47 -0800

Attached is a debdiff.

Okay to upload?

-- 
_________________________
Ryan Niebur
ryanryan52@gmail.com
diff -u libjson-ruby-1.1.2/debian/control libjson-ruby-1.1.2/debian/control
--- libjson-ruby-1.1.2/debian/control
+++ libjson-ruby-1.1.2/debian/control
@@ -25,6 +25,7 @@
 Package: libjson-ruby-doc
 Architecture: all
 Section: doc
+Depends: libjs-prototype
 Description: JSON library for Ruby (documentation)
  This library implements the JSON (JavaScript Object Notation) specification in
  Ruby, allowing the developer to easily convert data between Ruby and JSON. You
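Review bot: the new `Depends: libjs-prototype` on libjson-ruby-doc is required rather than optional here, because the rules hunk replaces the shipped examples/prototype.js with a symlink into /usr/share/javascript/prototype/, and the link would dangle if the package were absent. Since the whole point is to stop shipping a prototype.js with a known security issue, it is worth confirming that the libjs-prototype build available in lenny is itself free of that issue, and making the dependency versioned (`Depends: libjs-prototype (>= <fixed version>)`, version to be filled in) if only a particular upload of it is.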
diff -u libjson-ruby-1.1.2/debian/changelog libjson-ruby-1.1.2/debian/changelog
--- libjson-ruby-1.1.2/debian/changelog
+++ libjson-ruby-1.1.2/debian/changelog
@@ -1,3 +1,13 @@
+libjson-ruby (1.1.2-1+lenny1) stable-proposed-updates; urgency=low
+
+  * Security Fix for JSON::Pure::Parser. A specially designed string
+    could cause catastrophic backtracking in one of the parser's regular
+    expressions. (fixed upstream in version 1.1.7)
+  * Use the version of prototype.js from libjs-prototype. The included
+    version had a security issue. (Closes: #555224, #555223)
+
+ -- Ryan Niebur <ryan@debian.org>  Sun, 08 Nov 2009 22:33:47 -0800
+
 libjson-ruby (1.1.2-1) unstable; urgency=low
 
   [ Paul van Tilburg ]
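Review bot: the changelog entry cites neither a bug number nor a CVE identifier for the JSON::Pure::Parser fix, while the prototype.js change closes #555224 and #555223. For a stable update it would help to reference the tracking bug or CVE for the backtracking issue if one has been assigned, and to name the regular expression that was changed (the STRING constant in lib/json/pure/parser.rb, per the last hunk), so the entry can be matched against the upstream 1.1.7 fix it refers to.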
diff -u libjson-ruby-1.1.2/debian/rules libjson-ruby-1.1.2/debian/rules
--- libjson-ruby-1.1.2/debian/rules
+++ libjson-ruby-1.1.2/debian/rules
@@ -7,6 +7,11 @@
 BASEDIR = `pwd`/debian
 DEB_INSTALL_MANPAGES_edit-json = debian/edit_json.1 debian/prettify_json.1
 
+binary-install/libjson-ruby-doc::
+	rm $(BASEDIR)/libjson-ruby-doc/usr/share/doc/libjson-ruby-doc/examples/prototype.js
+	ln -s /usr/share/javascript/prototype/prototype.js $(BASEDIR)/libjson-ruby-doc/usr/share/doc/libjson-ruby-doc/examples/prototype.js
+	dh_link -plibjson-ruby-doc
+
 install/libjson-ruby1.8::
 	# remove files already installed in edit-json package
 	rm -r $(BASEDIR)/libjson-ruby1.8/usr/bin
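Review bot: the purpose of the `dh_link -plibjson-ruby-doc` call right after the `ln -s` is not obvious from the hunk, since no debian/*.links file is added or changed; if it is there to rewrite the absolute symlink into the relative form that policy prefers for links between directories under /usr, a one-line comment saying so would spare the next maintainer the guess (or create the link relative in the first place and drop the call). The bare `rm` will also abort the build should a later upstream tarball stop shipping examples/prototype.js; `rm -f` would be the safer choice.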
only in patch2:
unchanged:
--- libjson-ruby-1.1.2.orig/lib/json/pure/parser.rb
+++ libjson-ruby-1.1.2/lib/json/pure/parser.rb
@@ -6,9 +6,11 @@
     # into a Ruby data structure.
     class Parser < StringScanner
       STRING                = /" ((?:[^\x0-\x1f"\\] |
+                                   # escaped special characters:
                                   \\["\\\/bfnrt] |
                                   \\u[0-9a-fA-F]{4} |
-                                  \\[\x20-\xff])*)
+                                   # match all but escaped special characters:
+                                  \\[\x20-\x21\x23-\x2e\x30-\x5b\x5d-\x61\x63-\x65\x67-\x6d\x6f-\x71\x73\x75-\xff])*)
                               "/nx
       INTEGER               = /(-?0|-?[1-9]\d*)/
       FLOAT                 = /(-?
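Review bot: the hardened last alternative now excludes exactly the bytes handled by `\\["\\\/bfnrt]` (0x22, 0x2f, 0x5c, 0x62, 0x66, 0x6e, 0x72, 0x74), so an escaped special character can no longer be consumed by two different alternatives, which is the ambiguity the changelog's backtracking fix refers to. Note that the class still contains 0x75 (`u`), so `\u` followed by four hex digits can be consumed either by `\\u[0-9a-fA-F]{4}` or as `\\u` plus four ordinary characters; if that is byte-identical to the upstream 1.1.7 regexp the backport should stay identical to it and the residual overlap be raised upstream, otherwise it deserves a second look before upload. The two `#` comment lines only work because of the /x flag on the literal; they are indented one column deeper than the alternatives they describe and would read better aligned with them.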

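As an added check (example code written for this review, not part of the debdiff or of the json gem), the following Ruby script takes the patched STRING regexp from the parser.rb hunk and its pre-patch catch-all alternative, reports for every escaped byte 0x20..0xff whether it is accepted by both the escaped-special-character alternative and the catch-all alternative, and then scans a few constructed JSON string literals with the patched regexp. The constant names, the helper functions and the sample inputs are this example's own.

```ruby
# Added example for this review; not code from the debdiff or the json gem.
# The regexps below are copied from the parser.rb hunk (patched) and from its
# "-" line (original); the constant names and helpers are this example's own.

# Second alternative of STRING: the escapes JSON defines.
SPECIAL_ESCAPE = /\\["\\\/bfnrt]/n

# Catch-all alternative before the patch: any escaped byte from 0x20 upward,
# which also accepts every byte SPECIAL_ESCAPE already handles.
ORIGINAL_OTHER_ESCAPE = /\\[\x20-\xff]/n

# Catch-all alternative after the patch: the same range with the bytes of
# SPECIAL_ESCAPE carved out.
PATCHED_OTHER_ESCAPE = /\\[\x20-\x21\x23-\x2e\x30-\x5b\x5d-\x61\x63-\x65\x67-\x6d\x6f-\x71\x73\x75-\xff]/n

# The complete patched STRING regexp, as in the hunk (/x allows the comments).
PATCHED_STRING = /" ((?:[^\x0-\x1f"\\] |
                     # escaped special characters:
                     \\["\\\/bfnrt] |
                     \\u[0-9a-fA-F]{4} |
                     # match all but escaped special characters:
                     \\[\x20-\x21\x23-\x2e\x30-\x5b\x5d-\x61\x63-\x65\x67-\x6d\x6f-\x71\x73\x75-\xff])*)
                 "/nx

# Returns the two-byte escape sequences ("\" plus one byte in 0x20..0xff)
# that match BOTH the special-escape alternative and the given catch-all
# alternative. Each such sequence gives a backtracking engine two ways to
# consume the same input; the patched class should leave none.
def ambiguous_escapes(other_escape)
  (0x20..0xff).map { |b| "\\".b + b.chr }.select do |esc|
    SPECIAL_ESCAPE.match(esc) && other_escape.match(esc)
  end
end

# Scans a JSON string literal at the start of +src+ with the patched regexp
# and returns its still-escaped body, or nil if no well-formed literal
# starts there. Input is treated as bytes, matching the /n flag.
def scan_json_string(src)
  m = PATCHED_STRING.match(src.b)
  m && m.begin(0).zero? ? m[1] : nil
end

if __FILE__ == $0
  puts "overlap before patch: #{ambiguous_escapes(ORIGINAL_OTHER_ESCAPE).inspect}"
  puts "overlap after patch:  #{ambiguous_escapes(PATCHED_OTHER_ESCAPE).inspect}"
  # Constructed inputs: one valid literal exercising every alternative, one
  # with a raw tab (control characters must be escaped), one unterminated.
  ['"a\\"b\\u0041\\x"', "\"tab\there\"", '"unterminated'].each do |s|
    puts "#{s.inspect} -> #{scan_json_string(s).inspect}"
  end
end
```

Running it lists the eight escape sequences the original catch-all shared with the special-escape alternative and an empty list for the patched one, which is the property a reviewer wants to see before signing off on the regexp change.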