Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
----- Forwarded message from Ryan Niebur <ryan@debian.org> -----
> Date: Sun, 8 Nov 2009 22:50:11 -0800
> From: Ryan Niebur <ryan@debian.org>
> Subject: permission for s-p-u upload for libjson-ruby security issues
> To: debian-release@lists.debian.org
>
> Two security issues. Here's the changelog entry:
>
> libjson-ruby (1.1.2-1+lenny1) stable-proposed-updates; urgency=low
>
> * Security Fix for JSON::Pure::Parser. A specially designed string
> could cause catastrophic backtracking in one of the parser's regular
> expressions. (fixed upstream in version 1.1.7)
> * Use the version of prototype.js from libjs-prototype. The included
> version had a security issue. (Closes: #555224, #555223)
>
> -- Ryan Niebur <ryan@debian.org> Sun, 08 Nov 2009 22:33:47 -0800
>
> Attached is a debdiff.
>
> Okay to upload?
>
> --
> _________________________
> Ryan Niebur
> ryanryan52@gmail.com
> diff -u libjson-ruby-1.1.2/debian/control libjson-ruby-1.1.2/debian/control
> --- libjson-ruby-1.1.2/debian/control
> +++ libjson-ruby-1.1.2/debian/control
> @@ -25,6 +25,7 @@
> Package: libjson-ruby-doc
> Architecture: all
> Section: doc
> +Depends: libjs-prototype
> Description: JSON library for Ruby (documentation)
> This library implements the JSON (JavaScript Object Notation) specification in
> Ruby, allowing the developer to easily convert data between Ruby and JSON. You
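
Review bot: the added `Depends: libjs-prototype` in the libjson-ruby-doc stanza has no version constraint, so the package relationship does not guarantee that the prototype.js it pulls in is one with the security issue fixed. If the fixed version in stable is known, write it as `libjs-prototype (>= <fixed version>)`; otherwise the request should state that the libjs-prototype already in stable is not affected.
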
> diff -u libjson-ruby-1.1.2/debian/changelog libjson-ruby-1.1.2/debian/changelog
> --- libjson-ruby-1.1.2/debian/changelog
> +++ libjson-ruby-1.1.2/debian/changelog
> @@ -1,3 +1,13 @@
> +libjson-ruby (1.1.2-1+lenny1) stable-proposed-updates; urgency=low
> +
> + * Security Fix for JSON::Pure::Parser. A specially designed string
> + could cause catastrophic backtracking in one of the parser's regular
> + expressions. (fixed upstream in version 1.1.7)
> + * Use the version of prototype.js from libjs-prototype. The included
> + version had a security issue. (Closes: #555224, #555223)
> +
> + -- Ryan Niebur <ryan@debian.org> Sun, 08 Nov 2009 22:33:47 -0800
> +
> libjson-ruby (1.1.2-1) unstable; urgency=low
>
> [ Paul van Tilburg ]
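
Review bot: in the new 1.1.2-1+lenny1 entry, `(Closes: #555224, #555223)` is attached only to the prototype.js item, so a reader cannot tell whether either bug covers the JSON::Pure::Parser fix in the first item. Put each bug number on the item it belongs to, and say so explicitly if the parser item has no bug filed.
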
> diff -u libjson-ruby-1.1.2/debian/rules libjson-ruby-1.1.2/debian/rules
> --- libjson-ruby-1.1.2/debian/rules
> +++ libjson-ruby-1.1.2/debian/rules
> @@ -7,6 +7,11 @@
> BASEDIR = `pwd`/debian
> DEB_INSTALL_MANPAGES_edit-json = debian/edit_json.1 debian/prettify_json.1
>
> +binary-install/libjson-ruby-doc::
> + rm $(BASEDIR)/libjson-ruby-doc/usr/share/doc/libjson-ruby-doc/examples/prototype.js
> + ln -s /usr/share/javascript/prototype/prototype.js $(BASEDIR)/libjson-ruby-doc/usr/share/doc/libjson-ruby-doc/examples/prototype.js
> + dh_link -plibjson-ruby-doc
> +
> install/libjson-ruby1.8::
> # remove files already installed in edit-json package
> rm -r $(BASEDIR)/libjson-ruby1.8/usr/bin
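
Review bot: in the new binary-install/libjson-ruby-doc:: rule, the link is created by hand with `ln -s` to an absolute target and `dh_link -plibjson-ruby-doc` is then run with no link arguments, so the reason for the dh_link call is left implicit. Passing the pair directly after the `rm`, as `dh_link -plibjson-ruby-doc usr/share/javascript/prototype/prototype.js usr/share/doc/libjson-ruby-doc/examples/prototype.js`, would state the intent in one step; if the current form stays, add a comment saying why dh_link is called.
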
> only in patch2:
> unchanged:
> --- libjson-ruby-1.1.2.orig/lib/json/pure/parser.rb
> +++ libjson-ruby-1.1.2/lib/json/pure/parser.rb
> @@ -6,9 +6,11 @@
> # into a Ruby data structure.
> class Parser < StringScanner
> STRING = /" ((?:[^\x0-\x1f"\\] |
> + # escaped special characters:
> \\["\\\/bfnrt] |
> \\u[0-9a-fA-F]{4} |
> - \\[\x20-\xff])*)
> + # match all but escaped special characters:
> + \\[\x20-\x21\x23-\x2e\x30-\x5b\x5d-\x61\x63-\x65\x67-\x6d\x6f-\x71\x73\x75-\xff])*)
> "/nx
> INTEGER = /(-?0|-?[1-9]\d*)/
> FLOAT = /(-?
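
Review bot: the replacement class on the last added line of STRING excludes `"`, `/`, `\`, b, f, n, r and t, but its final range starts at \x75, so `\u` is still accepted by this alternative as well as by `\\u[0-9a-fA-F]{4}`, and the hex digits that follow are accepted by the first alternative. If the goal is that no input can be matched in two ways, start the range at \x76; if u is kept on purpose (for example to keep accepting `\u` not followed by four hex digits), say so in the added comment. A test with a long unterminated string of escapes would also help confirm the backtracking is gone.
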
----- End forwarded message -----
--
_________________________
Ryan Niebur
ryanryan52@gmail.com