Your message dated Wed, 13 Feb 2013 16:18:32 +0000
with message-id <e1u5f2w-0000xs...@franck.debian.org>
and subject line Bug#700471: fixed in ruby1.9.1 1.9.3.194-7
has caused the Debian Bug report #700471,
regarding Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269]
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
700471: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700471
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ruby-json
Version: 1.7.3-2,1.6.1-1~bpo60+1
Severity: critical
Tags: security patch

https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58

Denial of Service and Unsafe Object Creation Vulnerability in JSON 

There is a denial of service and unsafe object creation vulnerability in the 
json gem. This vulnerability has been assigned the CVE identifier 
CVE-2013-0269. 

Versions Affected:  All. This includes JSON that ships with Ruby 1.9.X-pXXX. 
Not affected:       NONE 
Fixed Versions:     1.7.7, 1.6.8, 1.5.5 

Impact 
------ 
When parsing certain JSON documents, the JSON gem can be coerced into creating 
Ruby symbols in a target system.  Since Ruby symbols are not garbage collected, 
this can result in a denial of service attack. 

The same technique can be used to create objects in a target system that act 
like internal objects.  These "act alike" objects can be used to bypass certain 
security mechanisms and can be used as a springboard for SQL injection attacks 
in Ruby on Rails. 

Impacted code looks like this: 

    JSON.parse(user_input) 

Where the `user_input` variable will have a JSON document like this: 

    {"json_class":"foo"} 

The JSON gem will attempt to look up the constant "foo".  Looking up this 
constant will create a symbol. 

In JSON version 1.7.x, objects with arbitrary attributes can be created using 
JSON documents like this: 

    {"json_class":"JSON::GenericObject","foo":"bar"} 

This document will result in an instance of JSON::GenericObject, with the 
attribute "foo" that has the value "bar".  Instantiating these objects will 
result in arbitrary symbol creation and in some cases can be used to bypass 
security measures. 

PLEASE NOTE: this behavior *does not change* when using `JSON.load`.  
`JSON.load` should *never* be given input from unknown sources.  If you are 
processing JSON from an unknown source, *always* use `JSON.parse`. 

All users running an affected release should either upgrade or use one of the 
workarounds immediately. 

Releases 
-------- 
The FIXED releases are available at the normal locations. 

Workarounds 
----------- 
For users that cannot upgrade, please use the attached patches.  If you cannot 
use the attached patches, change your code from this: 

    JSON.parse(json) 

To this: 

    JSON.parse(json, :create_additions => false) 

If you cannot change the usage of `JSON.parse` (for example you're using a gem 
which depends on `JSON.parse` like multi_json), then apply this monkey patch: 

    module JSON 
      class << self 
        alias :old_parse :parse 
        def parse(json, args = {}) 
          args[:create_additions] = false 
          old_parse(json, args) 
        end 
      end 
    end 

Patches 
------- 
To aid users who aren't able to upgrade immediately we have provided patches 
for the three supported release series.  They are in git-am format and consist 
of a single changeset. 

* 1-7-VULN.patch - Patch for the 1.7 series 
* 1-6-VULN.patch - Patch for the 1.6 series 
* 1-5-VULN.patch - Patch for the 1.5 series 

Credits 
------- 
A huge thanks goes to the following people for responsibly disclosing this 
issue and working with the Rails team to get it fixed: 

* Thomas Hollstegge of Zweitag (www.zweitag.de) 
* Ben Murphy 


-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- End Message ---
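A worked example, added here and not part of the advisory, the bug report or the json gem: it shows the `:create_additions => false` workaround from the report beside the behaviour it disables, a probe that reports whether the installed gem still honours `json_class` in `JSON.parse` by default, and a small detection walk that counts `json_class` keys in an already-parsed document. The `Marker` class and the input document are constructed for the example; `safe_parse`, `create_additions_on_by_default?`, `count_create_id_keys` and `compare` are names chosen here.

```ruby
require 'json'

# Constructed for this example: any class that answers to json_create can be
# instantiated by the parser from a "json_class" key once additions are enabled.
class Marker
  attr_reader :attrs

  def initialize(attrs)
    @attrs = attrs
  end

  def self.json_create(hash)
    new(hash)
  end
end

# Constructed input, modelled on the documents in the advisory: the create_id
# key appears at the top level and again inside a nested array.
UNTRUSTED_DOC = '{"json_class":"Marker","foo":"bar","nested":[{"json_class":"Marker"}]}'

# The advisory's workaround as a wrapper. Unlike the monkey patch in the
# advisory it merges into a copy, so the caller's options hash is left alone.
def safe_parse(json, opts = {})
  JSON.parse(json, opts.merge(create_additions: false))
end

# Probe for the vulnerable default: a fixed json gem returns a plain Hash here
# because JSON.parse no longer honours json_class unless explicitly asked to.
def create_additions_on_by_default?
  JSON.parse('{"json_class":"Marker"}').is_a?(Marker)
end

# Detection helper for logging or input review: count occurrences of the
# create_id key ("json_class" by default) anywhere in a parsed document.
def count_create_id_keys(value, create_id = JSON.create_id)
  case value
  when Hash
    own = value.key?(create_id) ? 1 : 0
    own + value.values.sum { |v| count_create_id_keys(v, create_id) }
  when Array
    value.sum { |v| count_create_id_keys(v, create_id) }
  else
    0
  end
end

# Side-by-side result: the same bytes parsed with additions enabled (the
# behaviour the advisory warns about) and with the workaround applied.
def compare(json)
  with_additions = JSON.parse(json, create_additions: true)
  without        = safe_parse(json)
  {
    with_additions: with_additions.class.name,
    without:        without.class.name,
    create_id_keys: count_create_id_keys(without)
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "JSON.parse honours json_class by default: #{create_additions_on_by_default?}"
  p compare(UNTRUSTED_DOC)
end
```

With the workaround applied the document comes back as an ordinary Hash whose "json_class" entry is just a string, which is what an application consuming untrusted input should see; the probe is the quickest way to confirm, on a given host, that the installed gem has the fixed `JSON.parse` default rather than relying on the version number alone.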
--- Begin Message ---
Source: ruby1.9.1
Source-Version: 1.9.3.194-7

We believe that the bug you reported is fixed in the latest version of
ruby1.9.1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cédric Boutillier <bou...@debian.org> (supplier of updated ruby1.9.1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 13 Feb 2013 14:56:19 +0100
Source: ruby1.9.1
Binary: ruby1.9.1 libruby1.9.1 libruby1.9.1-dbg ruby1.9.1-dev libtcltk-ruby1.9.1 ruby1.9.1-examples ri1.9.1 ruby1.9.1-full ruby1.9.3
Architecture: source all amd64
Version: 1.9.3.194-7
Distribution: unstable
Urgency: high
Maintainer: akira yamada <ak...@debian.org>
Changed-By: Cédric Boutillier <bou...@debian.org>
Description: 
 libruby1.9.1 - Libraries necessary to run Ruby 1.9.1
 libruby1.9.1-dbg - Debugging symbols for Ruby 1.9.1
 libtcltk-ruby1.9.1 - Tcl/Tk interface for Ruby 1.9.1
 ri1.9.1    - Ruby Interactive reference (for Ruby 1.9.1)
 ruby1.9.1  - Interpreter of object-oriented scripting language Ruby
 ruby1.9.1-dev - Header files for compiling extension modules for the Ruby 1.9.1
 ruby1.9.1-examples - Examples for Ruby 1.9
 ruby1.9.1-full - Ruby 1.9.1 full installation
 ruby1.9.3  - Interpreter of object-oriented scripting language Ruby, version 1
Closes: 700471
Changes: 
 ruby1.9.1 (1.9.3.194-7) unstable; urgency=high
 .
   * debian/patches/CVE-2013-0269.patch: fix possible denial of service and
     unsafe object creation vulnerability in JSON (Closes: #700471)
Checksums-Sha1: 
 093dca7f8fb41127d07821114a5f3b2d107f745f 2634 ruby1.9.1_1.9.3.194-7.dsc
 a12959604fb17488d9570446ed1ccb2cee0399c7 61852 ruby1.9.1_1.9.3.194-7.debian.tar.gz
 193d82e84b4184d37a37ad32b4ecbcb5cba807ee 232924 ruby1.9.1-examples_1.9.3.194-7_all.deb
 b31487153b0969307c141c14827c67b1e62a59be 2169604 ri1.9.1_1.9.3.194-7_all.deb
 3dbd56efbdfd145b4384c825f56895ea439444bb 171114 ruby1.9.1-full_1.9.3.194-7_all.deb
 8b261df31c319dceed26c3944a336fea2b03c117 171706 ruby1.9.3_1.9.3.194-7_all.deb
 6c97de5cb4daaad9e58b91b778eb152fb928a579 208232 ruby1.9.1_1.9.3.194-7_amd64.deb
 80f44c4624ba58d166514e987a01b5435efc465e 4409768 libruby1.9.1_1.9.3.194-7_amd64.deb
 f9aa3a6d97fecdbb20daa57465a7ea15dbab61f3 4591588 libruby1.9.1-dbg_1.9.3.194-7_amd64.deb
 9ff2cf0076b7daee621a3b2c63eecd2c64f731ec 1383510 ruby1.9.1-dev_1.9.3.194-7_amd64.deb
 dec21d4d24065d44eca78d4dbf1297fbda9d3b2e 2496316 libtcltk-ruby1.9.1_1.9.3.194-7_amd64.deb
Checksums-Sha256: 
 92ebff47d499c6335bbb97213cf5f389a1f50e32b71facc2e6a5c8f3a2ac7da4 2634 ruby1.9.1_1.9.3.194-7.dsc
 5524077911f02292ea617ef10701a4fb51ba9c6612765c39face857f736570c9 61852 ruby1.9.1_1.9.3.194-7.debian.tar.gz
 1e46eb2cf747ea33f18133370e73c5ae056cc75aae3c7235bbb58a50e24ba134 232924 ruby1.9.1-examples_1.9.3.194-7_all.deb
 a4f2445382e643e05c4fe7d7f9d56c52b5f36dee24b94044c31583890f5f6688 2169604 ri1.9.1_1.9.3.194-7_all.deb
 f08870482646fad1a7ca8fbf06790bec13745aca14c37794ef69cf0ac86efbb9 171114 ruby1.9.1-full_1.9.3.194-7_all.deb
 c45def3f47f2abaa35f5b4de8aa11761f798c02ed90be2258bc7905968b314b8 171706 ruby1.9.3_1.9.3.194-7_all.deb
 7f71ce8d9be5e33fcd16cbbc6ad67ed2e15e9cf0fe78f589738c2694f9a168fd 208232 ruby1.9.1_1.9.3.194-7_amd64.deb
 dc2459a70c7de5cf0199038dc282b2f97f97c5322662aedd1666b3bd3338cd4e 4409768 libruby1.9.1_1.9.3.194-7_amd64.deb
 99cf2cbe2e5d514a84367b83b7dc4d1463f3f5fbb8c56cecf90ef5dff9d3a9c1 4591588 libruby1.9.1-dbg_1.9.3.194-7_amd64.deb
 2aeacc83ad5b9f8af4b962cdd65682351c70b80f3159b3da962686feadfc13c4 1383510 ruby1.9.1-dev_1.9.3.194-7_amd64.deb
 2476a5dae0fde3f8da116926e9a6708f43189358f752a751559120ae230e0be8 2496316 libtcltk-ruby1.9.1_1.9.3.194-7_amd64.deb
Files: 
 9f498a7a27ef5b219c75beb8a54152c5 2634 ruby optional ruby1.9.1_1.9.3.194-7.dsc
 2e592ae058f6d99a6e7294f341180e6f 61852 ruby optional ruby1.9.1_1.9.3.194-7.debian.tar.gz
 56ace2cc92e56e5daa0e9da199f20342 232924 ruby optional ruby1.9.1-examples_1.9.3.194-7_all.deb
 d5720ba1028634de3cf6752daf459634 2169604 ruby optional ri1.9.1_1.9.3.194-7_all.deb
 b8976d7c2fe8601e0d03cc774b69a6f1 171114 ruby optional ruby1.9.1-full_1.9.3.194-7_all.deb
 7ff8115450f5eccae4a6f67f2a30ad49 171706 ruby optional ruby1.9.3_1.9.3.194-7_all.deb
 042621944ea84edd642758fc54f71e46 208232 ruby optional ruby1.9.1_1.9.3.194-7_amd64.deb
 1387f7c47763340e7c46dffa02b085de 4409768 libs optional libruby1.9.1_1.9.3.194-7_amd64.deb
 a5c119227f8c6ee57430e1e75ba01dec 4591588 debug extra libruby1.9.1-dbg_1.9.3.194-7_amd64.deb
 32a46f309d594fc190d6f196a0cf680f 1383510 ruby optional ruby1.9.1-dev_1.9.3.194-7_amd64.deb
 5563ff5908598dbf3bb802e5d52e5bb5 2496316 ruby optional libtcltk-ruby1.9.1_1.9.3.194-7_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----

--- End Message ---