CVE-2017-16516 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16516): In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results in the whole ruby process terminating and potentially a denial of service. References: https://github.com/brianmario/yajl-ruby/issues/176 https://rubygems.org/gems/yajl-ruby
We will wait for an upstream fix.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5171d48f94f79e2a8c7eecd21a5917416eb9d9a commit e5171d48f94f79e2a8c7eecd21a5917416eb9d9a Author: Hans de Graaff <graaff@gentoo.org> AuthorDate: 2017-11-08 06:36:26 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2017-11-08 06:36:43 +0000 dev-ruby/yajl-ruby: add 1.3.1, fixing bug 636474 Bug: https://bugs.gentoo.org/636474 Package-Manager: Portage-2.3.8, Repoman-2.3.3 dev-ruby/yajl-ruby/Manifest | 1 + dev-ruby/yajl-ruby/yajl-ruby-1.3.1.ebuild | 45 +++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+)}
Please test and mark 1.3.1 stable.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2cf203c0967df5bfc083532dc953d543b74e840a commit 2cf203c0967df5bfc083532dc953d543b74e840a Author: Aaron Bauman <bman@gentoo.org> AuthorDate: 2018-04-06 14:25:58 +0000 Commit: Aaron Bauman <bman@gentoo.org> CommitDate: 2018-04-06 14:26:20 +0000 dev-ruby/yajl-ruby: amd64 stable Bug: https://bugs.gentoo.org/636474 Package-Manager: Portage-2.3.28, Repoman-2.3.9 dev-ruby/yajl-ruby/yajl-ruby-1.3.1.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)}
Stable on alpha.
ia64 stable
x86 stable
arm stable
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=739f624bb8ef4251299f831e7e3eacd3ef7baa92 commit 739f624bb8ef4251299f831e7e3eacd3ef7baa92 Author: Sergei Trofimovich <slyfox@gentoo.org> AuthorDate: 2018-06-24 19:46:56 +0000 Commit: Sergei Trofimovich <slyfox@gentoo.org> CommitDate: 2018-06-24 20:20:19 +0000 dev-ruby/yajl-ruby: stable 1.3.1 for ppc64, bug #636474 Bug: https://bugs.gentoo.org/636474 Package-Manager: Portage-2.3.40, Repoman-2.3.9 RepoMan-Options: --include-arches="ppc64" dev-ruby/yajl-ruby/yajl-ruby-1.3.1.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
ppc stable
Sparc done.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b03eebfb5f8b07b94873d1ca9a7bdc4f19439e41 commit b03eebfb5f8b07b94873d1ca9a7bdc4f19439e41 Author: Rolf Eike Beer <eike@sf-mail.de> AuthorDate: 2018-07-13 14:41:32 +0000 Commit: Sergei Trofimovich <slyfox@gentoo.org> CommitDate: 2018-07-13 18:46:06 +0000 dev-ruby/yajl-ruby: stable 1.3.1 for sparc Bug: https://bugs.gentoo.org/636474 Package-Manager: Portage-2.3.40, Repoman-2.3.9 RepoMan-Options: --include-arches="sparc" dev-ruby/yajl-ruby/yajl-ruby-1.3.1.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Cleanup done.
Thank you. Waiting to see if this is good for a glsa. Michael Boyle Gentoo Security Padawan
GLSA Vote: No Thank you all for you work. Closing as [noglsa]
