Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issue lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a '\0' byte, returning a pointer to a string of length zero, which is not the length stored in space_len.
Upstream Bug: https://bugs.ruby-lang.org/issues/13853
Upstream Patch: https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85
CVE Details: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14064
@maintainer(s), after bump, please follow procedure to stabilize if needed.
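To illustrate the strdup/space_len mismatch described above, here is an added, constructed C example (not code from the json gem or from this bug's patch). The State struct, the setter names and the alloc_len bookkeeping field are hypothetical stand-ins for the generator's real state; the fixed variant copies exactly space_len bytes, embedded NULs included, so the recorded length can no longer exceed the allocation.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the generator state: the configurable
 * "space" string and the length the generator believes it may read.
 * alloc_len is bookkeeping for this demo only, so the mismatch can
 * be checked without actually reading past the buffer. */
typedef struct {
    char  *space;
    size_t space_len;
    size_t alloc_len;
} State;

/* Vulnerable pattern: strdup() stops at the first '\0', so the copy
 * can be far shorter than the length recorded in space_len. */
static int set_space_strdup(State *s, const char *src, size_t len) {
    s->space = strdup(src);             /* truncates at embedded NUL */
    if (!s->space) return 0;
    s->alloc_len = strlen(s->space) + 1; /* what strdup really gave us */
    s->space_len = len;                  /* what the caller asked for */
    return 1;
}

/* Fixed pattern: allocate and copy exactly len bytes, NULs included. */
static int set_space_memcpy(State *s, const char *src, size_t len) {
    s->space = malloc(len + 1);
    if (!s->space) return 0;
    memcpy(s->space, src, len);
    s->space[len] = '\0';
    s->alloc_len = len + 1;
    s->space_len = len;
    return 1;
}

/* Emitting space_len bytes from a shorter allocation is an
 * out-of-bounds read: heap contents leak into the generated JSON. */
static int reads_past_allocation(const State *s) {
    return s->space_len > s->alloc_len;
}

int main(void) {
    const char src[] = "ab\0cd";        /* constructed: NUL at offset 2 */
    State a, b;
    set_space_strdup(&a, src, sizeof src - 1);
    set_space_memcpy(&b, src, sizeof src - 1);
    printf("strdup: oob=%d  memcpy: oob=%d\n",
           reads_past_allocation(&a), reads_past_allocation(&b));
    free(a.space); free(b.space);
    return 0;
}
```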
This also affects dev-ruby/json. This is fixed in dev-ruby/json-2.1.0 and I have just backported this to dev-ruby/json-1.8.6-r1.
Fixed dev-lang/ruby revisions:
An automated check of this bug failed - the following atom is unknown:
Please verify the atom list.
(In reply to Hans de Graaff from comment #2)
> Fixed dev-lang/ruby revisions:
Hans, git push?
(In reply to Aaron Bauman from comment #4)
> Hans, git push?
Stable on alpha.
amd64 tested, ok
(In reply to Christopher Díaz from comment #10)
> amd64 tested, ok
This security bug is superseded by bug 631034
Please complete stabilization of =dev-ruby/json-1.8.6-r1 here, and please go to Depends bug for the Ruby!
Last arch is done here.
@x86 please test and mark stable dev-ruby/json-1.8.6-r1
This issue was resolved and addressed in
GLSA 201710-18 at https://security.gentoo.org/glsa/201710-18
by GLSA coordinator Aaron Bauman (b-man).