Your message dated Tue, 12 Feb 2013 23:33:34 +0000
with message-id <e1u5ply-0000yy...@franck.debian.org>
and subject line Bug#700436: fixed in ruby-json 1.7.3-3
has caused the Debian Bug report #700436,
regarding Denial of Service and Unsafe Object Creation Vulnerability in JSON
[CVE-2013-0269]
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
700436: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700436
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ruby-json
Version: 1.7.3-2,1.6.1-1~bpo60+1
Severity: critical
Tags: security patch
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58
Denial of Service and Unsafe Object Creation Vulnerability in JSON
There is a denial of service and unsafe object creation vulnerability in the
json gem. This vulnerability has been assigned the CVE identifier
CVE-2013-0269.
Versions Affected: All. This includes JSON that ships with Ruby 1.9.X-pXXX.
Not affected: NONE
Fixed Versions: 1.7.7, 1.6.8, 1.5.5
Impact
------
When parsing certain JSON documents, the JSON gem can be coerced into creating
Ruby symbols in a target system. Since Ruby symbols are not garbage collected,
this can result in a denial of service attack.
The same technique can be used to create objects in a target system that act
like internal objects. These "act alike" objects can be used to bypass certain
security mechanisms and can be used as a springboard for SQL injection attacks
in Ruby on Rails.
Impacted code looks like this:
    JSON.parse(user_input)
Where the `user_input` variable will have a JSON document like this:
    {"json_class":"foo"}
The JSON gem will attempt to look up the constant "foo". Looking up this
constant will create a symbol.
In JSON version 1.7.x, objects with arbitrary attributes can be created using
JSON documents like this:
    {"json_class":"JSON::GenericObject","foo":"bar"}
This document will result in an instance of JSON::GenericObject, with the
attribute "foo" that has the value "bar". Instantiating these objects will
result in arbitrary symbol creation and in some cases can be used to bypass
security measures.
PLEASE NOTE: this behavior *does not change* when using `JSON.load`.
`JSON.load` should *never* be given input from unknown sources. If you are
processing JSON from an unknown source, *always* use `JSON.parse`.
All users running an affected release should either upgrade or use one of the
workarounds immediately.
Releases
--------
The FIXED releases are available at the normal locations.
Workarounds
-----------
For users that cannot upgrade, please use the attached patches. If you cannot
use the attached patches, change your code from this:
    JSON.parse(json)

To this:

    JSON.parse(json, :create_additions => false)
If you cannot change the usage of `JSON.parse` (for example you're using a gem
which depends on `JSON.parse` like multi_json), then apply this monkey patch:
    module JSON
      class << self
        # Keep a reference to the original parser so it can still be called.
        alias :old_parse :parse

        # Replacement that forces :create_additions off for every caller, even
        # one that passes its own options. merge avoids mutating the caller's
        # options hash.
        def parse(json, args = {})
          old_parse(json, args.merge(:create_additions => false))
        end
      end
    end
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches
for the three supported release series. They are in git-am format and consist
of a single changeset.
* 1-7-VULN.patch - Patch for the 1.7 series
* 1-6-VULN.patch - Patch for the 1.6 series
* 1-5-VULN.patch - Patch for the 1.5 series
Credits
-------
A huge thanks goes to the following people for responsibly disclosing this
issue and working with the Rails team to get it fixed:
* Thomas Hollstegge of Zweitag (www.zweitag.de)
* Ben Murphy
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
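The workaround from the advisory above, as an added example that is not part of the original bug report or the ruby-json package: a wrapper that parses untrusted input with additions disabled, plus a scanner that reports any "json_class" markers found in the parsed document so such input can be logged. The sample documents are constructed here, modelled on the ones in the advisory; the function names are hypothetical.

```ruby
require 'json'

# Added example (not from the advisory or the Debian package): parse JSON from
# untrusted sources with the "json_class" object-creation hook disabled, as the
# advisory's workaround does, and flag documents that carry that key.

# Parse untrusted input with additions disabled. "json_class" then stays an
# ordinary string key: no constant lookup, no object instantiation, no symbol.
def parse_untrusted(json)
  JSON.parse(json, create_additions: false)
end

# Walk a parsed document and collect the values of every "json_class" key,
# at any nesting depth. A non-empty result on input that should never carry
# that key is a useful detection signal; the parse itself is already safe.
def json_class_markers(obj, found = [])
  case obj
  when Hash
    found << obj['json_class'] if obj.key?('json_class')
    obj.each_value { |v| json_class_markers(v, found) }
  when Array
    obj.each { |v| json_class_markers(v, found) }
  end
  found
end

# Constructed sample documents (hypothetical input), modelled on the advisory.
PLAIN_DOC  = '{"user":"alice","roles":["admin"]}'
MARKED_DOC = '{"json_class":"JSON::GenericObject","foo":"bar"}'
NESTED_DOC = '{"items":[{"json_class":"foo"},{"ok":true}]}'

if $PROGRAM_NAME == __FILE__
  doc = parse_untrusted(MARKED_DOC)
  puts doc.class                                      # Hash, not JSON::GenericObject
  puts doc['json_class']                              # plain string "JSON::GenericObject"
  p json_class_markers(parse_untrusted(NESTED_DOC))   # ["foo"]
  p json_class_markers(parse_untrusted(PLAIN_DOC))    # []
end
```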
--- Begin Message ---
Source: ruby-json
Source-Version: 1.7.3-3
We believe that the bug you reported is fixed in the latest version of
ruby-json, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 700...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Cédric Boutillier <cedric.boutill...@gmail.com> (supplier of updated ruby-json package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Tue, 12 Feb 2013 23:14:48 +0100
Source: ruby-json
Binary: ruby-json libjson-ruby libjson-ruby-doc libjson-ruby1.8
Architecture: source amd64 all
Version: 1.7.3-3
Distribution: unstable
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Cédric Boutillier <cedric.boutill...@gmail.com>
Description:
libjson-ruby - Transitional package for ruby-json
libjson-ruby-doc - Transitional package for ruby-json
libjson-ruby1.8 - Transitional package for ruby-json
ruby-json - JSON library for Ruby
Closes: 700436
Changes:
 ruby-json (1.7.3-3) unstable; urgency=high
 .
   * set urgency to high, as a security bug is fixed.
   * Add 10-fix-CVE-2013-0269.patch, adapted from upstream to fix denial of
     service and unsafe object creation vulnerability.
     [CVE-2013-0269] (Closes: #700436).
--- End Message ---