Bug 713478 (CVE-2020-10663) - <dev-ruby/json-2.3.0: Unsafe Object Creation Vulnerability in JSON (CVE-2020-10663)
Status: RESOLVED FIXED
Alias: CVE-2020-10663
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.ruby-lang.org/en/news/202...
Whiteboard: B3 [noglsa cve]
Depends on: 713480
Reported: 2020-03-19 14:54 UTC by Hans de Graaff
Modified: 2020-09-15 17:11 UTC (History)
Package list:
dev-ruby/json-2.3.0
Runtime testing required: ---
Description Hans de Graaff gentoo-dev Security 2020-03-19 14:54:55 UTC
There is an unsafe object creation vulnerability in the json gem bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2020-10663. We strongly recommend upgrading the json gem.
Details

When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system.

This is the same issue as CVE-2013-0269. The previous fix was incomplete: it addressed JSON.parse(user_input), but did not address some other styles of JSON parsing, including JSON(user_input) and JSON.parse(user_input, nil).

See CVE-2013-0269 in detail. Note that the issue was exploitable to cause a Denial of Service by creating many garbage-uncollectable Symbol objects, but this kind of attack is no longer valid because Symbol objects are now garbage-collectable. However, creating arbitrary objects may cause severe security consequences depending upon the application code.

Please update the json gem to version 2.3.0 or later. You can use gem update json to update it. If you are using bundler, please add gem "json", ">= 2.3.0" to your Gemfile.
Affected versions

    JSON gem 2.2.0 or prior
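As an added illustration (not part of the bug report or of the json gem's own code), the Ruby below shows why explicit options matter here: a hypothetical class AuditEvent implementing json_create is instantiated from a constructed document only when create_additions is enabled, so code parsing untrusted input should pass create_additions: false itself rather than depend on whichever default a given call style (JSON(), JSON.parse(s, nil)) applied in the affected versions.

```ruby
require 'json'

# Hypothetical class that opts in to the json gem's object-creation
# protocol: any class reachable by name that responds to json_create
# can be instantiated by the parser when create_additions is enabled.
class AuditEvent
  attr_reader :action

  def initialize(action)
    @action = action
  end

  # Called by the parser for a hash carrying "json_class": "AuditEvent".
  def self.json_create(hash)
    new(hash['action'])
  end
end

# Constructed sample input carrying a json_class hint.
UNTRUSTED_DOC = '{"json_class":"AuditEvent","action":"login"}'

# Defensive parsing: state create_additions explicitly so the result is a
# plain Hash regardless of gem version or of the call style being used.
def parse_untrusted(source)
  JSON.parse(source, create_additions: false)
end

# Opt-in path, kept only to show what the flag changes: the same document
# now yields an AuditEvent instance instead of a Hash.
def parse_with_additions(source)
  JSON.parse(source, create_additions: true)
end

# Class name of what each path produces for the sample document.
def compare_paths
  {
    safe:   parse_untrusted(UNTRUSTED_DOC).class.name,
    opt_in: parse_with_additions(UNTRUSTED_DOC).class.name
  }
end

puts compare_paths.inspect if $PROGRAM_NAME == __FILE__
```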
Comment 1 Hans de Graaff gentoo-dev Security 2020-03-19 14:57:26 UTC
The fixed version has been in the tree for some time and can be marked stable right away.
Comment 2 Mart Raudsepp gentoo-dev 2020-03-20 09:57:40 UTC
That depends marker might keep arch teams away from actioning this one; I suggest to handle this differently until all arches are done here.
Comment 3 Rolf Eike Beer archtester 2020-03-23 21:20:47 UTC
hppa stable
Comment 4 Rolf Eike Beer archtester 2020-03-23 21:22:52 UTC
sparc stable
Comment 5 Mart Raudsepp gentoo-dev 2020-03-29 08:54:15 UTC
arm64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2020-03-29 09:45:31 UTC
ppc/ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-03-31 12:36:25 UTC
ia64 will pass. See https://archives.gentoo.org/gentoo-dev/message/edaadc85d7423810dd6ecfeda29cc85f
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-02 04:26:51 UTC
(In reply to Mart Raudsepp from comment #2)
> That depends marker might keep arch teams away from actioning this one; I
> suggest to handle this differently until all arches are done here.

I agree.

To be clear, bug 713480 blocks cleanup, not stabilisation, so removing the blocker for now, so that tools pick it up, etc.

I will add it back later.
Comment 9 Agostino Sarubbo gentoo-dev 2020-04-03 12:05:15 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-04-03 12:06:37 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-04-03 12:13:58 UTC
s390 stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-04-03 13:12:37 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 NATTkA bot gentoo-dev 2020-04-06 11:21:06 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2020-06-18 02:52:07 UTC
GLSA Vote: No

@ruby, please clean when you can.
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-07 04:17:14 UTC
Dep is fixed, anything else blocking cleanup?
Comment 16 Hans de Graaff gentoo-dev Security 2020-08-07 04:44:04 UTC
dev-ruby/json:0 is now masked for removal.
Comment 17 Larry the Git Cow gentoo-dev 2020-09-14 17:23:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=37a7617bdc64e6e7f57180f9a6241d2f63115ca5

commit 37a7617bdc64e6e7f57180f9a6241d2f63115ca5
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-09-14 17:19:35 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-09-14 17:23:44 +0000

    dev-ruby/json: Remove masked slot :0
    
    Bug: https://bugs.gentoo.org/713478
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-ruby/json/Manifest                             |  1 -
 dev-ruby/json/files/json-1.8.6-heap-exposure.patch | 82 ----------------------
 dev-ruby/json/json-1.8.6-r1.ebuild                 | 70 ------------------
 profiles/package.mask                              |  5 --
 4 files changed, 158 deletions(-)
Comment 18 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-15 17:11:14 UTC
Tree is clean. No GLSA. All done, thanks everyone.