Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: stretch
X-Debbugs-CC: debian-ruby@lists.debian.org
Severity: normal
Hello, ruby-json was affected by CVE-2020-10663, which was an unsafe object creation vulnerability. This has been fixed in Sid, Bullseye, and Jessie already. Here's the debdiff for stretch-pu: 8<------8<------8<------8<------8<------8<------8<------8<------8<------8< diff -Nru ruby-json-2.0.1+dfsg/debian/changelog ruby-json-2.0.1+dfsg/debian/changelog --- ruby-json-2.0.1+dfsg/debian/changelog 2016-12-06 05:03:24.000000000 +0530 +++ ruby-json-2.0.1+dfsg/debian/changelog 2020-06-05 12:33:14.000000000 +0530 @@ -1,3 +1,10 @@ +ruby-json (2.0.1+dfsg-3+deb9u1) stretch; urgency=high + + * Add patch to fix unsafe object creation vulnerability. + (Fixes: CVE-2020-10663 + + -- Utkarsh Gupta <utka...@debian.org> Fri, 05 Jun 2020 12:33:14 +0530 + ruby-json (2.0.1+dfsg-3) unstable; urgency=medium * Add Conflicts: ruby-json-pure (Closes: #847141) diff -Nru ruby-json-2.0.1+dfsg/debian/patches/CVE-2020-10663.patch ruby-json-2.0.1+dfsg/debian/patches/CVE-2020-10663.patch --- ruby-json-2.0.1+dfsg/debian/patches/CVE-2020-10663.patch 1970-01-01 05:30:00.000000000 +0530 +++ ruby-json-2.0.1+dfsg/debian/patches/CVE-2020-10663.patch 2020-06-05 12:32:48.000000000 +0530 
@@ -0,0 +1,36 @@ +From b379ecd8b6832dfcd5dad353b6bfd41701e2d678 Mon Sep 17 00:00:00 2001 +From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> +Date: Mon, 30 Mar 2020 22:22:10 +0000 +Subject: [PATCH] merge revision(s) 36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01: + [Backport #16698] + + backport 80b5a0ff2a7709367178f29d4ebe1c54122b1c27 partially as a + securify fix for CVE-2020-10663. The patch was provided by Jeremy Evans. + + git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67856 b2dd03c8-39d4-4d8f-98ff-823fe69b080e + +git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67869 b2dd03c8-39d4-4d8f-98ff-823fe69b080e +Author: Utkarsh Gupta <utka...@debian.org> + +--- a/ext/json/ext/parser/parser.c ++++ b/ext/json/ext/parser/parser.c +@@ -1791,7 +1791,7 @@ + } else { + json->max_nesting = 100; + json->allow_nan = 0; +- json->create_additions = 1; ++ json->create_additions = 0; + json->create_id = rb_funcall(mJSON, i_create_id, 0); + json->object_class = Qnil; + json->array_class = Qnil; +--- a/ext/json/ext/parser/parser.rl ++++ b/ext/json/ext/parser/parser.rl +@@ -686,7 +686,7 @@ + } else { + json->max_nesting = 100; + json->allow_nan = 0; +- json->create_additions = 1; ++ json->create_additions = 0; + json->create_id = rb_funcall(mJSON, i_create_id, 0); + json->object_class = Qnil; + json->array_class = Qnil; diff -Nru ruby-json-2.0.1+dfsg/debian/patches/series ruby-json-2.0.1+dfsg/debian/patches/series --- ruby-json-2.0.1+dfsg/debian/patches/series 2016-12-06 05:03:24.000000000 +0530 +++ ruby-json-2.0.1+dfsg/debian/patches/series 2020-06-05 12:32:29.000000000 +0530 
@@ -1,3 +1,4 @@ 02-fix-fuzz.rb-shebang.patch 04-fix-tests-path.patch 0003-Remove-additional-gemspec-files.patch +CVE-2020-10663.patch 8<------8<------8<------8<------8<------8<------8<------8<------8<------8< Best, Utkarsh --- -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=> Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
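Review bot: the new debian/changelog entry has an unbalanced parenthesis in `(Fixes: CVE-2020-10663`; it should close as `(Fixes: CVE-2020-10663)`. Since this is a security update going through stretch-pu, the entry would also help users if it stated the behaviour change in one clause, e.g. "JSON::Parser no longer enables create_additions by default when no options hash is given", rather than only "Add patch to fix unsafe object creation vulnerability."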
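Review bot: the header of the new debian/patches/CVE-2020-10663.patch keeps the upstream From/Date/Subject and git-svn-id lines but then appends `Author: Utkarsh Gupta <utka...@debian.org>` after the upstream message, which reads as if the Debian maintainer authored the upstream change; replace that line with DEP-3 metadata such as `Origin: backport` referencing the upstream commit already named in the header (b379ecd8b6832dfcd5dad353b6bfd41701e2d678) and, if applicable, a `Bug-Debian:` line. The code change itself is consistent: both ext/json/ext/parser/parser.c and the parser.rl source it is generated from flip `json->create_additions` from 1 to 0 in the branch taken when no options hash is supplied, so the generated file will not drift from its source. That branch is the only one in the hunk; please confirm in the build log or by a quick test that the branch taking an options hash does not still default `create_additions` to 1 when the key is absent, since the upstream message describes this as a partial backport.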