Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: stretch
X-Debbugs-CC: debian-ruby@lists.debian.org
Severity: normal
Hello, ruby2.3 was affected by CVE-2020-10663, which was an unsafe object creation vulnerability. This has been fixed in Sid, Bullseye, and Jessie already. Here's the debdiff for stretch-pu: 8<------8<------8<------8<------8<------8<------8<------8<------8<------8< diff -Nru ruby2.3-2.3.3/debian/changelog ruby2.3-2.3.3/debian/changelog --- ruby2.3-2.3.3/debian/changelog 2019-12-15 21:58:25.000000000 +0530 +++ ruby2.3-2.3.3/debian/changelog 2020-06-05 14:25:50.000000000 +0530 @@ -1,3 +1,11 @@ +ruby2.3 (2.3.3-1+deb9u8) stretch; urgency=high + + * Non-maintainer upload. + * Add patch to fix unsafe object creation vulnerability. + (Fixes: CVE-2020-10663) + + -- Utkarsh Gupta <utka...@debian.org> Fri, 05 Jun 2020 14:25:50 +0530 + ruby2.3 (2.3.3-1+deb9u7) stretch-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru ruby2.3-2.3.3/debian/patches/CVE-2020-10663.patch ruby2.3-2.3.3/debian/patches/CVE-2020-10663.patch --- ruby2.3-2.3.3/debian/patches/CVE-2020-10663.patch 1970-01-01 05:30:00.000000000 +0530 +++ ruby2.3-2.3.3/debian/patches/CVE-2020-10663.patch 2020-06-05 14:25:21.000000000 +0530 
@@ -0,0 +1,36 @@ +From b379ecd8b6832dfcd5dad353b6bfd41701e2d678 Mon Sep 17 00:00:00 2001 +From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> +Date: Mon, 30 Mar 2020 22:22:10 +0000 +Subject: [PATCH] merge revision(s) 36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01: + [Backport #16698] + + backport 80b5a0ff2a7709367178f29d4ebe1c54122b1c27 partially as a + securify fix for CVE-2020-10663. The patch was provided by Jeremy Evans. + + git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67856 b2dd03c8-39d4-4d8f-98ff-823fe69b080e + +git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67869 b2dd03c8-39d4-4d8f-98ff-823fe69b080e +Author: Utkarsh Gupta <utka...@debian.org> + +--- a/ext/json/parser/parser.c ++++ b/ext/json/parser/parser.c +@@ -1739,7 +1739,7 @@ + } else { + json->max_nesting = 100; + json->allow_nan = 0; +- json->create_additions = 1; ++ json->create_additions = 0; + json->create_id = rb_funcall(mJSON, i_create_id, 0); + json->object_class = Qnil; + json->array_class = Qnil; +--- a/ext/json/parser/parser.rl ++++ b/ext/json/parser/parser.rl +@@ -723,7 +723,7 @@ + } else { + json->max_nesting = 100; + json->allow_nan = 0; +- json->create_additions = 1; ++ json->create_additions = 0; + json->create_id = rb_funcall(mJSON, i_create_id, 0); + json->object_class = Qnil; + json->array_class = Qnil; diff -Nru ruby2.3-2.3.3/debian/patches/series ruby2.3-2.3.3/debian/patches/series --- ruby2.3-2.3.3/debian/patches/series 2019-12-15 21:58:25.000000000 +0530 +++ ruby2.3-2.3.3/debian/patches/series 2020-06-05 14:25:01.000000000 +0530 
@@ -4,3 +4,4 @@ Loop-with-String-scan-without-creating-substrings.patch WEBrick-prevent-response-splitting-and-header-inject.patch lib-shell-command-processor.rb-Shell-prevent-unknown.patch +CVE-2020-10663.patch 8<------8<------8<------8<------8<------8<------8<------8<------8<------8< Best, Utkarsh --- -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=> Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
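Review bot: the deb9u8 changelog hunk describes the fix only as "Add patch to fix unsafe object creation vulnerability" and does not mention the user-visible effect: the no-options branch in both parser.c and parser.rl now sets `json->create_additions = 0` instead of `1`, so parsing without an options hash no longer instantiates objects via the `create_id` key. Consider adding a sentence to the changelog (or a NEWS entry) that states the default change and that callers who relied on the old behaviour must request it explicitly, and reference the stretch-pu bug number once it is assigned.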
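Review bot: the DEP-3 header of CVE-2020-10663.patch is inconsistent with the embedded upstream commit message: the `Author:` line names Utkarsh Gupta, while the upstream header shows the commit by usa with the patch provided by Jeremy Evans. Suggest an `Origin: backport, <upstream commit b379ecd8b6832dfcd5dad353b6bfd41701e2d678>` line with `Author:` pointing at the upstream author, plus `Bug:`/`Bug-Debian:` references, so the provenance of the security fix is clear to anyone auditing the stretch package. The change itself is consistent: the same `create_additions` default is flipped in both the generated parser.c and the Ragel source parser.rl, so regenerating parser.c will not reintroduce the unsafe default.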