There is an unsafe object creation vulnerability in the json gem bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2020-10663. We strongly recommend upgrading the json gem.
When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system.
This is the same issue as CVE-2013-0269. The previous fix was incomplete: it addressed JSON.parse(user_input), but did not address other styles of JSON parsing, including JSON(user_input) and JSON.parse(user_input, nil).
See CVE-2013-0269 for details. Note that the issue was exploitable to cause a Denial of Service by creating many garbage-uncollectable Symbol objects, but this kind of attack is no longer valid because Symbol objects are now garbage-collectable. However, creating arbitrary objects may cause severe security consequences depending upon the application code.
Please update the json gem to version 2.3.0 or later. You can use gem update json to update it. If you are using bundler, please add gem "json", ">= 2.3.0" to your Gemfile.
Affected versions: JSON gem 2.2.0 or prior
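An added example, not from the advisory or from this bug, of the defensive pattern the advisory implies: pass create_additions: false explicitly instead of relying on the defaults of JSON() or JSON.parse(src, nil), and compare the loaded gem against the fixed version. The SAMPLE document and the helper names are constructed for this illustration.

```ruby
require 'json'

# Fixed version named in the advisory: json 2.3.0 or later.
FIXED_JSON_VERSION = Gem::Version.new('2.3.0')

# True if the given json gem version is in the affected range (2.2.0 or prior).
def json_gem_vulnerable?(version = JSON::VERSION)
  Gem::Version.new(version) < FIXED_JSON_VERSION
end

# Parse untrusted input with object creation explicitly disabled.
# Passing create_additions: false (instead of relying on the defaults of
# JSON(), JSON.parse(src, nil) or JSON.load) means a "json_class" key is
# treated as ordinary data on every gem version, not as a class to instantiate.
def parse_untrusted(source)
  JSON.parse(source, create_additions: false, max_nesting: 100)
end

# Constructed sample: a document carrying the key the additions mechanism
# keys on (JSON.create_id, "json_class" by default). With additions disabled
# it must come back as a plain Hash whose value is just a String.
SAMPLE = '{"json_class":"Range","a":[1,3,false]}'

# Returns true when the parsed sample is still a Hash with the key kept as data.
def json_class_kept_as_data?
  result = parse_untrusted(SAMPLE)
  result.is_a?(Hash) && result['json_class'] == 'Range'
end

if __FILE__ == $PROGRAM_NAME
  puts "json gem #{JSON::VERSION}: #{json_gem_vulnerable? ? 'affected' : 'fixed'}"
  puts "json_class kept as data: #{json_class_kept_as_data?}"
end
```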
The fixed version has been in the tree for some time and can be marked stable right away.
That depends marker might keep arch teams away from actioning this one; I suggest to handle this differently until all arches are done here.
ia64 will pass. See https://archives.gentoo.org/gentoo-dev/message/edaadc85d7423810dd6ecfeda29cc85f
(In reply to Mart Raudsepp from comment #2)
> That depends marker might keep arch teams away from actioning this one; I
> suggest to handle this differently until all arches are done here.
To be clear, bug 713480 blocks cleanup, not stabilisation, so removing the blocker for now, so that tools pick it up, etc.
I will add it back later.
Maintainer(s), please cleanup.
Security, please vote.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
GLSA Vote: No
@ruby, please clean when you can.
Dep is fixed, anything else blocking cleanup?
dev-ruby/json:0 is now masked for removal.
The bug has been referenced in the following commit(s):
Author: Michał Górny <firstname.lastname@example.org>
AuthorDate: 2020-09-14 17:19:35 +0000
Commit: Michał Górny <email@example.com>
CommitDate: 2020-09-14 17:23:44 +0000
dev-ruby/json: Remove masked slot :0
Signed-off-by: Michał Górny <firstname.lastname@example.org>
dev-ruby/json/Manifest | 1 -
dev-ruby/json/files/json-1.8.6-heap-exposure.patch | 82 ----------------------
dev-ruby/json/json-1.8.6-r1.ebuild | 70 ------------------
profiles/package.mask | 5 --
4 files changed, 158 deletions(-)
Tree is clean. No GLSA. All done, thanks everyone.