There is an unsafe object creation vulnerability in the json gem bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2020-10663. We strongly recommend upgrading the json gem.

Details

When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system.

This is the same issue as CVE-2013-0269. The previous fix was incomplete: it addressed JSON.parse(user_input), but did not address some other styles of JSON parsing, including JSON(user_input) and JSON.parse(user_input, nil). See CVE-2013-0269 for details.

Note that the issue was exploitable to cause a Denial of Service by creating many garbage-uncollectable Symbol objects, but this kind of attack is no longer valid because Symbol objects are now garbage-collectable. However, creating arbitrary objects may cause severe security consequences depending upon the application code.

Please update the json gem to version 2.3.0 or later. You can use gem update json to update it. If you are using bundler, please add gem "json", ">= 2.3.0" to your Gemfile.

Affected versions

JSON gem 2.2.0 or prior
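The following is an added example, not part of the bug report or the advisory. It contrasts a parse with additions enabled (the object-creating behaviour the advisory says JSON(user_input) and JSON.parse(user_input, nil) still had before json 2.3.0) with a wrapper that passes create_additions: false explicitly regardless of call style, and adds a scanner that reports where a document carries the create_id key. The Probe class and the sample document are constructed for this illustration.

```ruby
require 'json'

# Constructed for this example: a harmless class the parser can instantiate when
# additions are enabled, standing in for whatever classes an application exposes.
class Probe
  attr_reader :name
  def initialize(name)
    @name = name
  end
  def self.json_create(h)
    new(h['name'])
  end
end

# Constructed input of the kind the advisory describes: a nested hash carrying
# JSON.create_id ("json_class"), which an additions-enabled parse turns into an object.
SAMPLE = '{"user":"alice","extra":{"json_class":"Probe","name":"probe"}}'

# Additions enabled explicitly, so the behaviour is the same on every json version;
# this is what the unfixed call styles did implicitly before json 2.3.0.
def parse_with_additions(input)
  JSON.parse(input, create_additions: true)
end

# Defensive wrapper: always pass an explicit options hash with create_additions: false,
# which every json release honours, instead of relying on the default of a call style.
def safe_parse(input)
  JSON.parse(input, create_additions: false)
end

# Walks parsed data and returns the path of every hash carrying the create_id key,
# so a caller can reject or log documents that try to name a class.
def create_id_paths(obj, path = '$', found = [])
  case obj
  when Hash
    found << path if obj.key?(JSON.create_id)
    obj.each { |k, v| create_id_paths(v, "#{path}.#{k}", found) }
  when Array
    obj.each_with_index { |v, i| create_id_paths(v, "#{path}[#{i}]", found) }
  end
  found
end

if __FILE__ == $PROGRAM_NAME
  puts "additions on:  extra is #{parse_with_additions(SAMPLE)['extra'].class}"  # Probe
  data = safe_parse(SAMPLE)
  puts "additions off: extra is #{data['extra'].class}"                            # Hash
  puts "create_id key found at: #{create_id_paths(data).join(', ')}"               # $.extra
end
```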
The fixed version has been in the tree for some time and can be marked stable right away.
That depends marker might keep arch teams away from actioning this one; I suggest to handle this differently until all arches are done here.
hppa stable
sparc stable
arm64 stable
ppc/ppc64 stable
ia64 will pass. See https://archives.gentoo.org/gentoo-dev/message/edaadc85d7423810dd6ecfeda29cc85f
(In reply to Mart Raudsepp from comment #2)
> That depends marker might keep arch teams away from actioning this one; I
> suggest to handle this differently until all arches are done here.

I agree. To be clear, bug 713480 blocks cleanup, not stabilisation, so removing the blocker for now, so that tools pick it up, etc. I will add it back later.
amd64 stable
arm stable
s390 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
GLSA Vote: No @ruby, please clean when you can.
Dep is fixed, anything else blocking cleanup?
dev-ruby/json:0 is now masked for removal.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=37a7617bdc64e6e7f57180f9a6241d2f63115ca5

commit 37a7617bdc64e6e7f57180f9a6241d2f63115ca5
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-09-14 17:19:35 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-09-14 17:23:44 +0000

    dev-ruby/json: Remove masked slot :0

    Bug: https://bugs.gentoo.org/713478
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-ruby/json/Manifest                             |  1 -
 dev-ruby/json/files/json-1.8.6-heap-exposure.patch | 82 ----------------------
 dev-ruby/json/json-1.8.6-r1.ebuild                 | 70 ------------------
 profiles/package.mask                              |  5 --
 4 files changed, 158 deletions(-)
Tree is clean. No GLSA. All done, thanks everyone.