| Summary: | ruby-json new security issue CVE-2020-10663 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, pterjan, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | ruby-json-2.1.0-3.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2020-04-01 01:36:36 CEST

David Walser
2020-04-01 01:36:49 CEST
Status comment:
(none) => Fixed upstream in 2.3.0

Debian-LTS has issued an advisory for this today (April 28):
https://www.debian.org/lts/security/2020/dla-2190

Packages updated to 7/core/updates_testing:
ruby-json-2.1.0-3.1.mga7.src.rpm
ruby-json-2.1.0-3.1.mga7.*.rpm
ruby-json-doc-2.1.0-3.1.mga7.noarch.rpm

The fix looks simple and safe but I don't know how to reproduce/test the vulnerability :(

Advisory:
========================

Updated ruby-json packages fix security vulnerability:

In ruby-json before 2.3.0, there is an unsafe object creation vulnerability. When parsing certain JSON documents, the json gem can be coerced into creating arbitrary objects in the target system (CVE-2020-10663).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10663
https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
https://www.debian.org/lts/security/2020/dla-2190

Status comment:
Fixed upstream in 2.3.0 => (none)

mga7, x86_64
If I read the discussion around CVE-2020-10663 correctly, writing vulnerable code for ruby-json does not provide a demonstrable result like DoS or a segfault so there is no point in pursuing a proof of concept.
Installed the updated packages:
ruby-json-2.1.0-3.1.mga7.x86_64
ruby-json-doc-2.1.0-3.1.mga7.noarch
Referred to the ruby manual for examples of use.
$ irb
irb(main):001:0> require 'json'
=> true
irb(main):002:0> record = { name: "Suzy", address: [ "EH16", "Scotland" ], age: 22 }
=> {:name=>"Suzy", :address=>["EH16", "Scotland"], :age=>22}
irb(main):003:0> serialized = record.to_json
=> "{\"name\":\"Suzy\",\"address\":[\"EH16\",\"Scotland\"],\"age\":22}"
irb(main):004:0> File.open( "record", "w" ) { |file| file.puts serialized }
=> nil
irb(main):005:0> exit
$ ll
-rw-r--r-- 1 lcl lcl 55 Apr 30 12:41 record
$ irb
irb(main):001:0> require 'json'
=> true
irb(main):002:0> serialized = File.read( "record" )
=> "{\"name\":\"Suzy\",\"address\":[\"EH16\",\"Scotland\"],\"age\":22}\n"
irb(main):003:0> record = JSON.parse( serialized )
=> {"name"=>"Suzy", "address"=>["EH16", "Scotland"], "age"=>22}
irb(main):004:0> puts record["address"]
EH16
Scotland
=> nil
< and demonstrating shorthand output options >
irb(main):005:0> puts "Regular"
Regular
=> nil
irb(main):006:0>
irb(main):007:0> j record
{"name":"Suzy","address":["EH16","Scotland"],"age":22}
=> nil
irb(main):008:0> puts "Prettyprint"
Prettyprint
=> nil
irb(main):009:0> jj record
{
"name": "Suzy",
"address": [
"EH16",
"Scotland"
],
"age": 22
}
=> nil
$ urpmq --whatrequires-recursive ruby-json | sort -u > customers
$ lines customers
617
$ grep ruby customers | wc -l
599
So most of the dependent applications are ruby programs or gems.
$ head customers
facter
flvtool2
flvtool2-doc
geoipgen
haste-client
hub
hub-doc
ice-ruby
ice-ruby-devel
puppet
$ tail customers
syntastic-haml
syntastic-puppet
syntastic-ruby
syntastic-sass
texlive-context
vagrant
vagrant-doc
wafp
xapian-bindings-ruby
yum-plugin-puppetverify
$ sudo urpmi facter
$ facter
architecture => x86_64
blockdevice_sda_model => KINGSTON SV300S3
blockdevice_sda_size => 240057409536
blockdevice_sda_vendor => ATA
blockdevice_sdb_model => Samsung SSD 850
blockdevice_sdb_size => 500107862016
[...]
timezone => BST
uniqueid => a8c06701
uptime => 7 days
uptime_days => 7
uptime_hours => 171
uptime_seconds => 617060
virtual => physical
Giving this an OK.

CC:
(none) => tarazed25

Validating. Advisory in Comment 3.

CC:
(none) => andrewsfarm, sysadmin-bugs
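The tester above could not find a way to exercise the bug, because its effect is not a crash but silent object instantiation. The following is an added example, not code from the bug report, the Mageia package or the json gem's own tests: it shows the "additions" mechanism that CVE-2020-10663 is about, using a hypothetical `Gadget` class and a constructed attacker-style document, and it checks the two call styles the upstream advisory names (`JSON(str)` and `JSON.parse(str, nil)`) against the installed json gem. Class name, document contents and the helper functions are all assumptions made for the example.

```ruby
require 'json'

# Hypothetical application class, constructed for this example. Any class
# that responds to json_create can be instantiated by the parser when
# additions are enabled and the document carries "json_class": "<ClassName>".
class Gadget
  @created = []

  class << self
    attr_reader :created

    # Called by the json parser with the decoded Hash when additions are on.
    def json_create(hash)
      obj = new(hash['cmd'])
      @created << obj # side effect that survives even if the result is discarded
      obj
    end
  end

  attr_reader :cmd

  def initialize(cmd)
    @cmd = cmd
  end
end

# Constructed attacker-controlled document (the "cmd" value is never executed
# here; it only shows that the attacker chooses the constructor arguments).
HOSTILE_DOC = '{"json_class":"Gadget","cmd":"id"}'.freeze

# The documented safe form: additions are off by default since the
# CVE-2013-0269 fix, so this returns a plain Hash.
def parse_default(doc)
  JSON.parse(doc)
end

# Explicit opt-in, which is what makes the class above get instantiated.
# Only acceptable on trusted input.
def parse_with_additions(doc)
  JSON.parse(doc, create_additions: true)
end

# The two call styles the upstream CVE-2020-10663 advisory names as still
# enabling additions before json 2.3.0: JSON(str) and JSON.parse(str, nil).
def parse_legacy_styles(doc)
  [JSON(doc), JSON.parse(doc, nil)]
end

# True when either legacy style instantiated Gadget, i.e. the json gem in use
# (or the copy bundled with Ruby) still has the CVE-2020-10663 behaviour.
def additions_vulnerable?(doc = HOSTILE_DOC)
  parse_legacy_styles(doc).any? { |result| result.is_a?(Gadget) }
end

if __FILE__ == $PROGRAM_NAME
  puts "json gem #{JSON::VERSION}"
  puts "JSON.parse(doc)                         => #{parse_default(HOSTILE_DOC).class}"
  puts "JSON.parse(doc, create_additions: true) => #{parse_with_additions(HOSTILE_DOC).class}"
  puts "JSON(doc) / JSON.parse(doc, nil)        => #{parse_legacy_styles(HOSTILE_DOC).map(&:class).inspect}"
  puts(additions_vulnerable? ? 'VULNERABLE: update ruby-json to >= 2.3.0' : 'not vulnerable to CVE-2020-10663')
end
```

Run it with the system Ruby and the packaged json gem: on a fixed gem the default parse and both legacy styles return a `Hash`, and only the explicit `create_additions: true` call produces a `Gadget`. On a vulnerable gem the legacy styles also produce a `Gadget`, which is the whole bug: a class the attacker names gets constructed with attacker-chosen arguments, with no crash to notice.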
Thomas Backlund
2020-05-05 11:39:29 CEST
Keywords:
(none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0186.html

Resolution:
(none) => FIXED