Bug 9048

Summary: [Update Request] Update ruby-json to fix CVE-2013-0269
Product: Mageia
Reporter: Funda Wang <fundawang>
Component: Security
Assignee: Funda Wang <fundawang>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: luigiwalser, qa-bugs
Version: 2
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58
Whiteboard: feedback
Source RPM: ruby-json-1.5.5-1.mga2
CVE:
Status comment:
Bug Depends on:
Bug Blocks: 6487

Description Funda Wang 2013-02-12 18:43:44 CET
There is a denial of service and unsafe object creation vulnerability in the json gem. This vulnerability has been assigned the CVE identifier CVE-2013-0269.

When parsing certain JSON documents, the JSON gem can be coerced into creating Ruby symbols in a target system. Since Ruby symbols are not garbage collected, this can result in a denial of service attack.

The ruby-json package has been updated to the latest version, 1.5.5, to fix this vulnerability.
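The parser hardening the description above points at, written up as an added Ruby example that is not part of this bug report or of the ruby-json package: untrusted JSON is parsed with additions disabled and without symbolizing keys, and the result is checked to be plain data. The document string and the names `safe_parse`, `plain_data?` and `symbols_created` are constructed for illustration.

```ruby
require 'json'

# Constructed sample: an untrusted document carrying a "json_class" key, the
# kind of input that json gems before the fixed releases would turn into
# objects and freshly interned symbols when additions were on by default.
UNTRUSTED_DOC = '{"json_class":"JSON::GenericObject","name":"x","count":1}'

# Parse untrusted input with the risky options explicitly disabled:
# no additions (so "json_class" stays an ordinary string key) and no
# symbolized keys (so attacker-chosen key names are never interned).
# Passing the options explicitly does not depend on the installed gem's defaults.
def safe_parse(text, max_nesting: 50)
  JSON.parse(text,
             create_additions: false,
             symbolize_names: false,
             max_nesting: max_nesting)
end

# Defensive check on the parsed tree: only the plain JSON types may appear and
# every Hash key must be a String. Anything else means a parser setting or a
# gem default let the document shape Ruby objects it should not.
PLAIN_TYPES = [Hash, Array, String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

def plain_data?(value)
  return false unless PLAIN_TYPES.any? { |t| value.is_a?(t) }
  case value
  when Hash
    value.all? { |k, v| k.is_a?(String) && plain_data?(v) }
  when Array
    value.all? { |v| plain_data?(v) }
  else
    true
  end
end

# Audit helper: how many symbols were interned while the block ran. Relevant
# on interpreters where symbols are never collected (Ruby before 2.2); newer
# Rubies garbage-collect dynamic symbols, so growth there is far less serious.
def symbols_created
  before = Symbol.all_symbols.size
  yield
  Symbol.all_symbols.size - before
end

if __FILE__ == $PROGRAM_NAME
  puts "plain data: #{plain_data?(safe_parse(UNTRUSTED_DOC))}"
  puts "symbols interned: #{symbols_created { safe_parse(UNTRUSTED_DOC) }}"
end
```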
David Walser 2013-02-13 19:13:05 CET

Blocks: (none) => 6487

Comment 2 David Walser 2013-02-13 21:46:30 CET
Upstream says the following:
Versions Affected:  All. This includes JSON that ships with Ruby 1.9.X-pXXX

Funda, is this also bundled with ruby package?

Severity: normal => major

Comment 3 Funda Wang 2013-02-14 11:47:17 CET
(In reply to comment #2)
> Upstream says the following:
> Versions Affected:  All. This includes JSON that ships with Ruby 1.9.X-pXXX
> 
> Funda, is this also bundled with ruby package?
Yes, it is bundled. But it does not affect our packages. We are not generating any json-related packages with ruby source.
Comment 4 claire robinson 2013-02-16 23:44:34 CET
Adding feedback tag until chiliproject, redmine & teambox are updated

Whiteboard: (none) => feedback

Comment 5 David Walser 2013-02-21 22:04:19 CET
Ubuntu has issued an advisory for this today (February 21):
http://www.ubuntu.com/usn/usn-1733-1/

from http://lwn.net/Vulnerabilities/539500/
Comment 6 claire robinson 2013-03-20 12:29:24 CET
$ urpmf --requires `urpmq --whatrequires ruby-json` | grep json\\[==
ruby-json-doc:ruby-json[== 1.5.1-1.mga1]

Shows only ruby-json-doc, which is updated in core/updates_testing, so we should test and push this separately from ruby-rails.

Whiteboard: feedback => (none)

Comment 7 claire robinson 2013-03-20 15:57:43 CET
# urpmi ruby-json
A requested package cannot be installed:
ruby-json-1.5.5-1.mga2.x86_64 (due to unsatisfied rubygem(json_pure)[== 1.5.5])

More dependency issues :\

Whiteboard: (none) => feedback

Comment 8 claire robinson 2013-04-17 21:19:34 CEST
Assigning back to you Funda, sorry. Please reassign to QA when you've had a chance to look at this. Ruby seems generally quite broken though in mga2.

# urpmi ruby-json
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release")
  ruby-json                      1.5.1        1.mga1        i586
  ruby-json_pure                 1.5.1        1.mga1        noarch
300KB of additional disk space will be used.
86KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y

# ecupdt
Enabling Core Updates Testing

# urpmi ruby-json ruby-json_pure
Package ruby-json_pure-1.5.1-1.mga1.noarch is already installed
A requested package cannot be installed:
ruby-json-1.5.5-1.mga2.i586 (due to unsatisfied rubygem(json_pure)[== 1.5.5])
Continue installation anyway? (Y/n) n

CC: (none) => qa-bugs
Assignee: qa-bugs => fundawang

Comment 9 David Walser 2013-11-22 15:58:48 CET
Closing this now due to Mageia 2 EOL.

http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/

Status: NEW => RESOLVED
Resolution: (none) => OLD
QA Contact: (none) => security