Bug#962256: marked as done (stretch-pu: package ruby-json/2.0.1+dfsg-3+deb9u1)

Debian Bug Tracking System Sat, 18 Jul 2020 05:15:02 -0700

Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 
<b8d89cdfeeda7b6d1ef96a8706a20f9525c2151b.ca...@adam-barratt.org.uk>
and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #962256,
regarding stretch-pu: package ruby-json/2.0.1+dfsg-3+deb9u1
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
962256: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962256
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: stretch
X-Debbugs-CC: debian-r...@lists.debian.org
Severity: normal

Hello,

ruby-json was affected by CVE-2020-10663, which was an unsafe object
creation vulnerability.
This has been fixed in Sid, Bullseye, and Jessie already.

Here's the debdiff for stretch-pu:
8<------8<------8<------8<------8<------8<------8<------8<------8<------8<

diff -Nru ruby-json-2.0.1+dfsg/debian/changelog
ruby-json-2.0.1+dfsg/debian/changelog
--- ruby-json-2.0.1+dfsg/debian/changelog    2016-12-06 05:03:24.000000000 +0530
+++ ruby-json-2.0.1+dfsg/debian/changelog    2020-06-05 12:33:14.000000000 +0530
@@ -1,3 +1,10 @@
+ruby-json (2.0.1+dfsg-3+deb9u1) stretch; urgency=high
+
+  * Add patch to fix unsafe object creation vulnerability.
+    (Fixes: CVE-2020-10663
+
+ -- Utkarsh Gupta <utka...@debian.org>  Fri, 05 Jun 2020 12:33:14 +0530
+
 ruby-json (2.0.1+dfsg-3) unstable; urgency=medium

   * Add Conflicts: ruby-json-pure (Closes: #847141)
diff -Nru ruby-json-2.0.1+dfsg/debian/patches/CVE-2020-10663.patch
ruby-json-2.0.1+dfsg/debian/patches/CVE-2020-10663.patch
--- ruby-json-2.0.1+dfsg/debian/patches/CVE-2020-10663.patch
1970-01-01 05:30:00.000000000 +0530
+++ ruby-json-2.0.1+dfsg/debian/patches/CVE-2020-10663.patch
2020-06-05 12:32:48.000000000 +0530
@@ -0,0 +1,36 @@
+From b379ecd8b6832dfcd5dad353b6bfd41701e2d678 Mon Sep 17 00:00:00 2001
+From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
+Date: Mon, 30 Mar 2020 22:22:10 +0000
+Subject: [PATCH] merge revision(s) 36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01:
+ [Backport #16698]
+
+        backport 80b5a0ff2a7709367178f29d4ebe1c54122b1c27 partially as a
+         securify fix for CVE-2020-10663. The patch was provided by
Jeremy Evans.
+
+        git-svn-id:
svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67856
b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+
+git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67869
b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+Author: Utkarsh Gupta <utka...@debian.org>
+
+--- a/ext/json/ext/parser/parser.c
++++ b/ext/json/ext/parser/parser.c
+@@ -1791,7 +1791,7 @@
+     } else {
+         json->max_nesting = 100;
+         json->allow_nan = 0;
+-        json->create_additions = 1;
++        json->create_additions = 0;
+         json->create_id = rb_funcall(mJSON, i_create_id, 0);
+         json->object_class = Qnil;
+         json->array_class = Qnil;
+--- a/ext/json/ext/parser/parser.rl
++++ b/ext/json/ext/parser/parser.rl
+@@ -686,7 +686,7 @@
+     } else {
+         json->max_nesting = 100;
+         json->allow_nan = 0;
+-        json->create_additions = 1;
++        json->create_additions = 0;
+         json->create_id = rb_funcall(mJSON, i_create_id, 0);
+         json->object_class = Qnil;
+         json->array_class = Qnil;
diff -Nru ruby-json-2.0.1+dfsg/debian/patches/series
ruby-json-2.0.1+dfsg/debian/patches/series
--- ruby-json-2.0.1+dfsg/debian/patches/series    2016-12-06
05:03:24.000000000 +0530
+++ ruby-json-2.0.1+dfsg/debian/patches/series    2020-06-05
12:32:29.000000000 +0530
@@ -1,3 +1,4 @@
 02-fix-fuzz.rb-shebang.patch
 04-fix-tests-path.patch
 0003-Remove-additional-gemspec-files.patch
+CVE-2020-10663.patch

8<------8<------8<------8<------8<------8<------8<------8<------8<------8<


Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---

--- Begin Message ---

Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam

--- End Message ---

Bug#962256: marked as done (stretch-pu: package ruby-json/2.0.1+dfsg-3+deb9u1)

Reply via email to