Control: tags 880691 + patch
Control: tags 880691 + pending

Dear maintainer,

I've prepared an NMU for ruby-yajl (versioned as 1.2.0-3.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore

diff -Nru ruby-yajl-1.2.0/debian/changelog ruby-yajl-1.2.0/debian/changelog
--- ruby-yajl-1.2.0/debian/changelog	2015-07-08 16:51:23.000000000 +0200
+++ ruby-yajl-1.2.0/debian/changelog	2017-11-08 07:31:37.000000000 +0100
@@ -1,3 +1,11 @@
+ruby-yajl (1.2.0-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2017-16516: Crafted JSON file allows to crash ruby process with a
+    SIGABRT in the yajl_string_decode function (Closes: #880691)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Wed, 08 Nov 2017 07:31:37 +0100
+
 ruby-yajl (1.2.0-3) unstable; urgency=medium
 
   [ Balasankar C ]
diff -Nru ruby-yajl-1.2.0/debian/patches/Don-t-advance-our-end-pointer-until-we-ve-checked-we.patch ruby-yajl-1.2.0/debian/patches/Don-t-advance-our-end-pointer-until-we-ve-checked-we.patch
--- ruby-yajl-1.2.0/debian/patches/Don-t-advance-our-end-pointer-until-we-ve-checked-we.patch	1970-01-01 01:00:00.000000000 +0100
+++ ruby-yajl-1.2.0/debian/patches/Don-t-advance-our-end-pointer-until-we-ve-checked-we.patch	2017-11-08 07:31:37.000000000 +0100
@@ -0,0 +1,52 @@
+From: Brian Lopez <seniorlo...@gmail.com>
+Date: Mon, 6 Nov 2017 21:46:42 -0800
+Subject: Don't advance our end pointer until we've checked we have enough
+ buffer left and have peeked ahead to see that a unicode escape is
+ approaching.
+Origin: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
+Bug: https://github.com/brianmario/yajl-ruby/issues/176
+Bug-Debian: https://bugs.debian.org/880691
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16516
+
+Thanks @kivikakk for helping me track down the actual bug here!
+---
+ ext/yajl/yajl_encode.c       | 4 ++--
+ spec/parsing/one_off_spec.rb | 7 +++++++
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/ext/yajl/yajl_encode.c b/ext/yajl/yajl_encode.c
+index 8535c1b..716ddde 100644
+--- a/ext/yajl/yajl_encode.c
++++ b/ext/yajl/yajl_encode.c
+@@ -162,8 +162,8 @@ void yajl_string_decode(yajl_buf buf, const unsigned char * str,
+                     end+=3;
+                     /* check if this is a surrogate */
+                     if ((codepoint & 0xFC00) == 0xD800) {
+-                        end++;
+-                        if (str[end] == '\\' && str[end + 1] == 'u') {
++                        if (end + 2 < len && str[end + 1] == '\\' && str[end + 2] == 'u') {
++                            end++;
+                             unsigned int surrogate = 0;
+                             hexToDigit(&surrogate, str + end + 2);
+                             codepoint =
+diff --git a/spec/parsing/one_off_spec.rb b/spec/parsing/one_off_spec.rb
+index 9bc6b32..f1a8aea 100644
+--- a/spec/parsing/one_off_spec.rb
++++ b/spec/parsing/one_off_spec.rb
+@@ -2,6 +2,13 @@
+ require File.expand_path(File.dirname(__FILE__) + '/../spec_helper.rb')
+ 
+ describe "One-off JSON examples" do
++  it "should not blow up with a bad surrogate trailer" do
++    # https://github.com/brianmario/yajl-ruby/issues/176
++    bad_json = "{\"e\":{\"\\uD800\\\\DC00\":\"a\"}}"
++
++    Yajl::Parser.new.parse(bad_json)
++  end
++
+   it "should parse 23456789012E666 and return Infinity" do
+     infinity = (1.0/0)
+     silence_warnings do
+-- 
+2.15.0
+
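Review bot: the new guard `end + 2 < len` only proves that the `\u` pair following the high surrogate lies inside the buffer; after `end++` the unchanged line `hexToDigit(&surrogate, str + end + 2);` still reads the four hex digits at `str[end + 2]` through `str[end + 5]` with no check that they exist, so the fix relies on the lexer having already rejected any `\u` that is not followed by four hex digits. That invariant deserves a comment at the check, or the condition should be widened to cover the digits as well (`end + 6 < len` before the increment). The added spec only calls `Yajl::Parser.new.parse(bad_json)` and passes as long as nothing raises; asserting on the parsed result would pin down the intended decoding of the `\uD800\\DC00` key rather than just the absence of a SIGABRT.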
diff -Nru ruby-yajl-1.2.0/debian/patches/series ruby-yajl-1.2.0/debian/patches/series
--- ruby-yajl-1.2.0/debian/patches/series	2015-07-08 16:47:52.000000000 +0200
+++ ruby-yajl-1.2.0/debian/patches/series	2017-11-08 07:31:37.000000000 +0100
@@ -1,2 +1,3 @@
 mocks-test-fix
 RSpec3-test-fix
+Don-t-advance-our-end-pointer-until-we-ve-checked-we.patch
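Review bot: the new `series` entry carries a `.patch` suffix while the existing `mocks-test-fix` and `RSpec3-test-fix` entries do not; quilt accepts either, but keeping one naming convention in `series` avoids confusion when the next patch is added. Appending it after the existing entries is the right position for a new upstream fix.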
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers