
Bug#962255: buster-pu: package ruby-json/2.1.0+dfsg-2+deb10u1



Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: buster
X-Debbugs-CC: debian-ruby@lists.debian.org
Severity: normal

Hello,

ruby-json was affected by CVE-2020-10663, which was an unsafe object
creation vulnerability.
This has been fixed in Sid, Bullseye, and Jessie already.

Here's the debdiff for buster-pu:
8<------8<------8<------8<------8<------8<------8<------8<------8<------8<

diff -Nru ruby-json-2.1.0+dfsg/debian/changelog
ruby-json-2.1.0+dfsg/debian/changelog
--- ruby-json-2.1.0+dfsg/debian/changelog    2018-02-25 23:03:06.000000000 +0530
+++ ruby-json-2.1.0+dfsg/debian/changelog    2020-06-05 12:13:54.000000000 +0530
@@ -1,3 +1,10 @@
+ruby-json (2.1.0+dfsg-2+deb10u1) buster; urgency=high
+
+  * Add patch to fix unsafe object creation vulnerability.
+    (Fixes: CVE-2020-10663)
+
+ -- Utkarsh Gupta <utkarsh@debian.org>  Fri, 05 Jun 2020 12:13:54 +0530
+
 ruby-json (2.1.0+dfsg-2) unstable; urgency=medium

   * Team upload.
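Review bot: the bullet `* Add patch to fix unsafe object creation vulnerability.` names the CVE but not the user-visible behaviour change, and for a stable update that is what administrators need to see: the patch flips the parser's implicit `create_additions` default from 1 to 0, so any application that relied on `JSON.parse` (called without an options hash) to turn `json_class` documents into objects will get plain Hashes after upgrading. Suggest a second line under the same bullet, e.g. `    JSON.parse no longer enables create_additions unless asked to explicitly.`, so the changelog warns about the behavioural change as well as the fix.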
diff -Nru ruby-json-2.1.0+dfsg/debian/patches/CVE-2020-10663.patch
ruby-json-2.1.0+dfsg/debian/patches/CVE-2020-10663.patch
--- ruby-json-2.1.0+dfsg/debian/patches/CVE-2020-10663.patch
1970-01-01 05:30:00.000000000 +0530
+++ ruby-json-2.1.0+dfsg/debian/patches/CVE-2020-10663.patch
2020-06-05 12:12:56.000000000 +0530
@@ -0,0 +1,36 @@
+From b379ecd8b6832dfcd5dad353b6bfd41701e2d678 Mon Sep 17 00:00:00 2001
+From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
+Date: Mon, 30 Mar 2020 22:22:10 +0000
+Subject: [PATCH] merge revision(s) 36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01:
+ [Backport #16698]
+
+        backport 80b5a0ff2a7709367178f29d4ebe1c54122b1c27 partially as a
+         securify fix for CVE-2020-10663. The patch was provided by
Jeremy Evans.
+
+        git-svn-id:
svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67856
b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+
+git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67869
b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+Author: Utkarsh Gupta <utkarsh@debian.org>
+
+--- a/ext/json/ext/parser/parser.c
++++ b/ext/json/ext/parser/parser.c
+@@ -1815,7 +1815,7 @@
+     } else {
+         json->max_nesting = 100;
+         json->allow_nan = 0;
+-        json->create_additions = 1;
++        json->create_additions = 0;
+         json->create_id = rb_funcall(mJSON, i_create_id, 0);
+         json->object_class = Qnil;
+         json->array_class = Qnil;
+--- a/ext/json/ext/parser/parser.rl
++++ b/ext/json/ext/parser/parser.rl
+@@ -710,7 +710,7 @@
+     } else {
+         json->max_nesting = 100;
+         json->allow_nan = 0;
+-        json->create_additions = 1;
++        json->create_additions = 0;
+         json->create_id = rb_funcall(mJSON, i_create_id, 0);
+         json->object_class = Qnil;
+         json->array_class = Qnil;
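Review bot: the patch carries an `Author: Utkarsh Gupta` line but no DEP-3 `Origin:` or `Bug:` field, although the upstream commit id `b379ecd8b6832dfcd5dad353b6bfd41701e2d678` and the upstream ticket `[Backport #16698]` are both present in the quoted message, and the message itself says the code was provided by Jeremy Evans; suggest an `Origin: backport, <that commit>` line plus a `Bug:` line for #16698 so the provenance is machine-readable and credits the actual author. The code change itself looks right for a minimal backport: the `else` branch being edited is the one taken when the parser is constructed with a nil options hash, so only the implicit default moves from `create_additions = 1` to `0`, while callers that pass `create_additions: true` explicitly keep the old behaviour, and both `parser.rl` (the Ragel source) and the generated `parser.c` are patched identically, which is needed for the rebuilt extension to match.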
diff -Nru ruby-json-2.1.0+dfsg/debian/patches/series
ruby-json-2.1.0+dfsg/debian/patches/series
--- ruby-json-2.1.0+dfsg/debian/patches/series    2018-02-25
23:03:06.000000000 +0530
+++ ruby-json-2.1.0+dfsg/debian/patches/series    2020-06-05
12:09:39.000000000 +0530
@@ -2,3 +2,4 @@
 04-fix-tests-path.patch
 0003-Remove-additional-gemspec-files.patch
 0006-Disable-git-usage-during-build-time.patch
+CVE-2020-10663.patch

8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------


Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
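To make the vulnerability class concrete for reviewers, here is a small added Ruby example (not part of the bug report and not Debian's or upstream's code). It shows the hardened way to call the parser after this fix, disabling additions explicitly rather than trusting the library default, together with an audit helper that walks a parsed document and reports where the additions marker appears. The marker key is taken from `JSON.create_id`, which the json gem documents as `"json_class"` by default; the sample document, the `safe_parse` and `find_create_markers` names and the `$`-style path notation are this example's own constructions.

```ruby
require 'json'

# Constructed sample input: a document carrying the additions marker that the
# json gem's "create_additions" feature would use to turn this Hash into an
# object of the named class. With additions disabled it must stay a Hash.
SAMPLE = '{"json_class":"Range","a":[1,10,false],"note":"constructed sample"}'

# Hardened parse: never rely on the parser's implicit default (the value this
# patch changes); disable additions explicitly on every untrusted input.
def safe_parse(source)
  JSON.parse(source, create_additions: false)
end

# Audit helper: collect the paths at which the additions marker
# (JSON.create_id, "json_class" by default) occurs in a parsed document, so
# untrusted input that tries to name a class can be logged or rejected.
def find_create_markers(node, path = "$", found = [])
  case node
  when Hash
    found << "#{path}.#{JSON.create_id}" if node.key?(JSON.create_id)
    node.each { |k, v| find_create_markers(v, "#{path}.#{k}", found) }
  when Array
    node.each_with_index { |v, i| find_create_markers(v, "#{path}[#{i}]", found) }
  end
  found
end

# Policy wrapper: parse safely and refuse documents that carry the marker
# anywhere, returning [parsed_document, list_of_marker_paths].
def parse_and_audit(source)
  doc = safe_parse(source)
  [doc, find_create_markers(doc)]
end

if __FILE__ == $PROGRAM_NAME
  doc, markers = parse_and_audit(SAMPLE)
  puts doc.class            # Hash, not Range
  puts markers.inspect      # ["$.json_class"]
end
```

In application code the `markers` list would typically be logged and the request rejected; the point of the audit step is that a `json_class` key has no legitimate business in input from the network, whatever the parser's current default happens to be.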

