From ${URL}: Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a '\0' byte, returning a pointer to a string of length zero, which is not the length stored in space_len. Upstream Bug: https://bugs.ruby-lang.org/issues/13853 Upstream Patch: https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85 CVE Details: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14064 @maintainer(s), after bump, please follow procedure to stabilize if needed.
This also affects dev-ruby/json. This is fixed in dev-ruby/json-2.1.0 and I have just backported this to dev-ruby/json-1.8.6-r1.
Fixed dev-lang/ruby revisions: dev-lang/ruby-2.2.7-r4 dev-lang/ruby-2.3.4-r4 dev-lang/ruby-2.4.1-r4
An automated check of this bug failed - the following atom is unknown: dev-lang/ruby-2.2.7-r4 Please verify the atom list.
(In reply to Hans de Graaff from comment #2) > Fixed dev-lang/ruby revisions: > > dev-lang/ruby-2.2.7-r4 > dev-lang/ruby-2.3.4-r4 > dev-lang/ruby-2.4.1-r4 Hans, git push?
(In reply to Aaron Bauman from comment #4) > Hans, git push? Yes :-/
ia64 stable
Stable on alpha.
arm stable
ppc64 stable
amd64 tested, ok
(In reply to Christopher Díaz from comment #10) > amd64 tested, ok amd64 stable
This security bug is superseded by bug 631034
Please complete stabilization of =dev-ruby/json-1.8.6-r1 here, and please go to Depends bug for the Ruby!
hppa stable
ppc stable Last arch is done here.
@x86 please test and mark stable dev-ruby/json-1.8.6-r1
This issue was resolved and addressed in GLSA 201710-18 at https://security.gentoo.org/glsa/201710-18 by GLSA coordinator Aaron Bauman (b-man).
