Upstream has issued an advisory on March 19: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/ The issue is fixed upstream in 2.3.0.
Status comment: (none) => Fixed upstream in 2.3.0
Debian-LTS has issued an advisory for this today (April 28): https://www.debian.org/lts/security/2020/dla-2190
Packages updated to 7/core/updates_testing:
ruby-json-2.1.0-3.1.mga7.src.rpm
ruby-json-2.1.0-3.1.mga7.*.rpm
ruby-json-doc-2.1.0-3.1.mga7.noarch.rpm

The fix looks simple and safe but I don't know how to reproduce/test the vulnerability :(
Advisory:
========================

Updated ruby-json packages fix security vulnerability:

In ruby-json before 2.3.0, there is an unsafe object creation vulnerability. When parsing certain JSON documents, the json gem can be coerced into creating arbitrary objects in the target system (CVE-2020-10663).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10663
https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
https://www.debian.org/lts/security/2020/dla-2190
Status comment: Fixed upstream in 2.3.0 => (none)
Assignee: pterjan => qa-bugs
CC: (none) => pterjan
mga7, x86_64

If I read the discussion around CVE-2020-10663 correctly, writing vulnerable code for ruby-json does not provide a demonstrable result like DoS or a segfault so there is no point in pursuing a proof of concept.

Installed the updated packages:
ruby-json-2.1.0-3.1.mga7.x86_64
ruby-json-doc-2.1.0-3.1.mga7.noarch

Referred to the ruby manual for examples of use.

$ irb
irb(main):001:0> require 'json'
=> true
irb(main):002:0> record = { name: "Suzy", address: [ "EH16", "Scotland" ], age: 22 }
=> {:name=>"Suzy", :address=>["EH16", "Scotland"], :age=>22}
irb(main):003:0> serialized = record.to_json
=> "{\"name\":\"Suzy\",\"address\":[\"EH16\",\"Scotland\"],\"age\":22}"
irb(main):004:0> File.open( "record", "w" ) { |file| file.puts serialized }
=> nil
irb(main):005:0> exit
$ ll
-rw-r--r-- 1 lcl lcl 55 Apr 30 12:41 record
$ irb
irb(main):001:0> require 'json'
=> true
irb(main):002:0> serialized = File.read( "record" )
=> "{\"name\":\"Suzy\",\"address\":[\"EH16\",\"Scotland\"],\"age\":22}\n"
irb(main):003:0> record = JSON.parse( serialized )
=> {"name"=>"Suzy", "address"=>["EH16", "Scotland"], "age"=>22}
irb(main):004:0> puts record["address"]
EH16
Scotland
=> nil

< and demonstrating shorthand output options >

irb(main):005:0> puts "Regular"
Regular
=> nil
irb(main):006:0>
irb(main):007:0> j record
{"name":"Suzy","address":["EH16","Scotland"],"age":22}
=> nil
irb(main):008:0> puts "Prettyprint"
Prettyprint
=> nil
irb(main):009:0> jj record
{
  "name": "Suzy",
  "address": [
    "EH16",
    "Scotland"
  ],
  "age": 22
}
=> nil

$ urpmq --whatrequires-recursive ruby-json | sort -u > customers
$ lines customers
617
$ grep ruby customers | wc -l
599

So most of the dependent applications are ruby programs or gems.

$ head customers
facter
flvtool2
flvtool2-doc
geoipgen
haste-client
hub
hub-doc
ice-ruby
ice-ruby-devel
puppet
$ tail customers
syntastic-haml
syntastic-puppet
syntastic-ruby
syntastic-sass
texlive-context
vagrant
vagrant-doc
wafp
xapian-bindings-ruby
yum-plugin-puppetverify
$ sudo urpmi facter
$ facter
architecture => x86_64
blockdevice_sda_model => KINGSTON SV300S3
blockdevice_sda_size => 240057409536
blockdevice_sda_vendor => ATA
blockdevice_sdb_model => Samsung SSD 850
blockdevice_sdb_size => 500107862016
[...]
timezone => BST
uniqueid => a8c06701
uptime => 7 days
uptime_days => 7
uptime_hours => 171
uptime_seconds => 617060
virtual => physical

Giving this an OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
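The advisory above describes the vulnerability class (the json gem being coerced into creating objects from a parsed document), and the QA comment notes that there is no crash or DoS to observe. The checkable behaviour is whether the parse styles an application uses on untrusted input ever revive a Ruby object from a "json_class" key; a fixed gem returns a plain Hash for all of them, and only the trusted-data loader with create_additions explicitly enabled revives the class. The following is an added regression check written for this page, not code from the bug report or from the json gem; the AuditTag class and the UNTRUSTED_DOC document are constructed for the example.

```ruby
require 'json'

# Constructed example class: a type the json gem is allowed to revive when
# create_additions is enabled. It is deliberately harmless; an application
# class in this position is what the advisory means by "arbitrary objects".
class AuditTag
  attr_reader :label

  def initialize(label)
    @label = label
  end

  # Hook the json gem calls when it sees "json_class": "AuditTag" and
  # additions are enabled.
  def self.json_create(hash)
    new(hash['label'])
  end
end

# Constructed input shaped like the documents the advisory describes: it names
# a Ruby class via the JSON.create_id key ("json_class" by default).
UNTRUSTED_DOC = '{"json_class":"AuditTag","label":"from the network"}'.freeze

# The parsing styles an application might use on untrusted input. A fixed gem
# must return a plain Hash for every one of them, including the two-argument
# and JSON() forms, not only the bare JSON.parse(src).
def untrusted_parse_results(src = UNTRUSTED_DOC)
  {
    'JSON.parse(src)'                          => JSON.parse(src),
    'JSON.parse(src, nil)'                     => JSON.parse(src, nil),
    'JSON(src)'                                => JSON(src),
    'JSON.parse(src, create_additions: false)' => JSON.parse(src, create_additions: false)
  }
end

# Regression check: true only if no parse style revived a Ruby object.
def untrusted_parsing_is_safe?(src = UNTRUSTED_DOC)
  untrusted_parse_results(src).values.all? { |v| v.instance_of?(Hash) }
end

# Names the parse styles that revived an object, for the report.
def unsafe_styles(src = UNTRUSTED_DOC)
  untrusted_parse_results(src).reject { |_, v| v.instance_of?(Hash) }.keys
end

# For comparison: the trusted-data loader with additions explicitly enabled
# does revive the class. This is intended behaviour for trusted input only,
# which is why untrusted data must never go through it.
def trusted_load(src = UNTRUSTED_DOC)
  JSON.load(src, nil, create_additions: true)
end

if $PROGRAM_NAME == __FILE__
  untrusted_parse_results.each do |style, value|
    puts "#{style.ljust(42)} -> #{value.class}"
  end
  puts "JSON.load(src, nil, create_additions: true)  -> #{trusted_load.class}"
  if untrusted_parsing_is_safe?
    puts 'OK: no object creation from untrusted parse styles'
  else
    puts "NOT OK: object revived by #{unsafe_styles.join(', ')}"
  end
end
```

Run it against the installed ruby-json; every untrusted parse style should report Hash and only the explicit create_additions: true load should report AuditTag. Dependent packages such as the ones listed by urpmq above inherit whichever behaviour the installed gem has, so the check only needs to be run once per system.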
Validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0186.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED