
Bug#962255: marked as done (buster-pu: package ruby-json/2.1.0+dfsg-2+deb10u1)



Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #962255,
regarding buster-pu: package ruby-json/2.1.0+dfsg-2+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
962255: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962255
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: buster
X-Debbugs-CC: debian-ruby@lists.debian.org
Severity: normal

Hello,

ruby-json was affected by CVE-2020-10663, which was an unsafe object
creation vulnerability.
This has been fixed in Sid, Bullseye, and Jessie already.

Here's the debdiff for buster-pu:
8<------8<------8<------8<------8<------8<------8<------8<------8<------8<

diff -Nru ruby-json-2.1.0+dfsg/debian/changelog
ruby-json-2.1.0+dfsg/debian/changelog
--- ruby-json-2.1.0+dfsg/debian/changelog    2018-02-25 23:03:06.000000000 +0530
+++ ruby-json-2.1.0+dfsg/debian/changelog    2020-06-05 12:13:54.000000000 +0530
@@ -1,3 +1,10 @@
+ruby-json (2.1.0+dfsg-2+deb10u1) buster; urgency=high
+
+  * Add patch to fix unsafe object creation vulnerability.
+    (Fixes: CVE-2020-10663)
+
+ -- Utkarsh Gupta <utkarsh@debian.org>  Fri, 05 Jun 2020 12:13:54 +0530
+
 ruby-json (2.1.0+dfsg-2) unstable; urgency=medium

   * Team upload.
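Review bot: The changelog entry says only that a patch was added; it should state what the change actually does so reviewers and the security tracker can judge scope, for example "Default create_additions to false in the C parser when no options hash is passed (Fixes: CVE-2020-10663)", which is exactly what the patch below changes in parser.c and parser.rl. If a Debian bug tracks this CVE, a "Closes: #NNNNNN" reference belongs here as well.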
diff -Nru ruby-json-2.1.0+dfsg/debian/patches/CVE-2020-10663.patch
ruby-json-2.1.0+dfsg/debian/patches/CVE-2020-10663.patch
--- ruby-json-2.1.0+dfsg/debian/patches/CVE-2020-10663.patch
1970-01-01 05:30:00.000000000 +0530
+++ ruby-json-2.1.0+dfsg/debian/patches/CVE-2020-10663.patch
2020-06-05 12:12:56.000000000 +0530
@@ -0,0 +1,36 @@
+From b379ecd8b6832dfcd5dad353b6bfd41701e2d678 Mon Sep 17 00:00:00 2001
+From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
+Date: Mon, 30 Mar 2020 22:22:10 +0000
+Subject: [PATCH] merge revision(s) 36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01:
+ [Backport #16698]
+
+        backport 80b5a0ff2a7709367178f29d4ebe1c54122b1c27 partially as a
+         securify fix for CVE-2020-10663. The patch was provided by
Jeremy Evans.
+
+        git-svn-id:
svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67856
b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+
+git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67869
b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+Author: Utkarsh Gupta <utkarsh@debian.org>
+
+--- a/ext/json/ext/parser/parser.c
++++ b/ext/json/ext/parser/parser.c
+@@ -1815,7 +1815,7 @@
+     } else {
+         json->max_nesting = 100;
+         json->allow_nan = 0;
+-        json->create_additions = 1;
++        json->create_additions = 0;
+         json->create_id = rb_funcall(mJSON, i_create_id, 0);
+         json->object_class = Qnil;
+         json->array_class = Qnil;
+--- a/ext/json/ext/parser/parser.rl
++++ b/ext/json/ext/parser/parser.rl
+@@ -710,7 +710,7 @@
+     } else {
+         json->max_nesting = 100;
+         json->allow_nan = 0;
+-        json->create_additions = 1;
++        json->create_additions = 0;
+         json->create_id = rb_funcall(mJSON, i_create_id, 0);
+         json->object_class = Qnil;
+         json->array_class = Qnil;
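Review bot: The new patch file carries no DEP-3 metadata: there is no "Origin:" line identifying it as a backport of upstream commit b379ecd8b6832dfcd5dad353b6bfd41701e2d678 (or of 80b5a0ff2a7709367178f29d4ebe1c54122b1c27, which the quoted message names as the real fix) and no "Bug:"/"Bug-Debian:" line, and the trailing "Author: Utkarsh Gupta" line after the upstream git-svn-id footer is misleading because the git header already attributes the commit to usa with the fix provided by Jeremy Evans; suggest replacing that line with "Reviewed-by:" or "Last-Update:" and adding the Origin line. On the code itself, patching both parser.c and parser.rl identically is correct, since parser.c is generated from parser.rl by Ragel and the two must not diverge; note that the change only alters the default in the else branch (no options hash passed), so callers that do pass options are unaffected, which matches the "partially" in the quoted upstream message.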
diff -Nru ruby-json-2.1.0+dfsg/debian/patches/series
ruby-json-2.1.0+dfsg/debian/patches/series
--- ruby-json-2.1.0+dfsg/debian/patches/series    2018-02-25
23:03:06.000000000 +0530
+++ ruby-json-2.1.0+dfsg/debian/patches/series    2020-06-05
12:09:39.000000000 +0530
@@ -2,3 +2,4 @@
 04-fix-tests-path.patch
 0003-Remove-additional-gemspec-files.patch
 0006-Disable-git-usage-during-build-time.patch
+CVE-2020-10663.patch
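Review bot: Naming style: the existing entries in series use a numeric prefix (04-, 0003-, 0006-), while the new entry is CVE-2020-10663.patch; quilt applies patches in file order so this is harmless, but a name such as 0007-CVE-2020-10663.patch would keep the sequence explicit and consistent with the rest of the series.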

8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------


Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
