I reviewed ruby-json 2.9.1+dfsg-1 as checked into questing. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
ruby-json is a Ruby implementation of the JSON standard.
- CVE History
  - CVE-2013-0269 and CVE-2020-10663 as previously reported
    in the previous MIR.
  - CVE-2025-27788: Does not affect any current release.
    Only affects versions 2.10.0 to 2.10.2.
    The latest we have is 2.9.1+dfsg-1.
  - project does not have a security policy
- Build-Depends
  - debhelper-compat (main)
  - gem2deb (universe)
  - ruby-test-unit (main)
  - ruby-test-unit-ruby-core (universe)
- pre/post inst/rm scripts
  - none
- init scripts
  - none
- systemd units
  - none
- dbus services
  - none
- setuid binaries
  - none
- binaries in PATH
  - none
- sudo fragments
  - none
- polkit files
  - none
- udev rules
  - none
- unit tests / autopkgtests
  - run at build time
  - all autopkgtests are passing as of Aug 7 2025
- cron jobs
  - none
- Build logs
  - looks good
- Processes spawned
  - only on tests, not relevant
- Memory management
  - looks good
- File IO
  - none
- Logging
  - contains calls to dump json to STDOUT
- Environment variable usage
  - only in testing and benchmark
- Use of privileged functions
  - none
- Use of cryptography / random number sources etc
  - none
- Use of temp files
  - none
- Use of networking
  - none
- Use of WebKit
  - none
- Use of PolicyKit
  - none
- Any significant cppcheck results
  - none
- Any significant Coverity results
  - none
- Any significant shellcheck results
  - minor issues in ./debian/repack.sh not relevant to security MIR
- Any significant bandit results
  - none
- Any significant govulncheck results
  - none
- Any significant Semgrep results
  - none
Upstream added a fuzzer, included in the current version.
Upstream is missing a Security.md file in their GitHub repository.
Security team ACK for promoting ruby-json to main.
** CVE added: https://cve.org/CVERecord?id=CVE-2013-0269
** CVE added: https://cve.org/CVERecord?id=CVE-2020-10663
** CVE added: https://cve.org/CVERecord?id=CVE-2025-27788
** Changed in: ruby-json (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
https://bugs.launchpad.net/bugs/2115398
Title:
[MIR] ruby-json