ruby-yajl: CVE-2017-16516


Debian Bug report logs - #880691
ruby-yajl: CVE-2017-16516


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 3 Nov 2017 21:24:01 UTC

Severity: important

Tags: patch, security, upstream

Found in version ruby-yajl/1.2.0-2

Fixed in version ruby-yajl/1.2.0-3.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/brianmario/yajl-ruby/issues/176



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#880691; Package src:ruby-yajl. (Fri, 03 Nov 2017 21:24:03 GMT)




Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-yajl: CVE-2017-16516
Date: Fri, 03 Nov 2017 22:21:52 +0100
Source: ruby-yajl
Version: 1.2.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/brianmario/yajl-ruby/issues/176

Hi,

the following vulnerability was published for ruby-yajl.

CVE-2017-16516[0]:
| In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is
| supplied to Yajl::Parser.new.parse, the whole ruby process crashes with
| a SIGABRT in the yajl_string_decode function in yajl_encode.c. This
| results in the whole ruby process terminating and potentially a denial
| of service.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16516
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16516
[1] https://github.com/brianmario/yajl-ruby/issues/176

Regards,
Salvatore

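As an added example that is not part of the bug report or the yajl-ruby project: one way to keep a native-parser abort of this kind from terminating the calling Ruby process is to run the parser in a forked child and treat a signal death as a parse failure. The parser callables and sample inputs below are stand-ins assumed for the example; the yajl gem itself is not used.

```ruby
# Added example, not code from the bug report or the yajl-ruby project: parse
# untrusted JSON in a forked child so that an abort inside a native parser (the
# SIGABRT described for CVE-2017-16516) cannot take down the calling process.
require "json"

class IsolatedParseError < StandardError; end

# Runs `parser` (any callable taking the JSON text) in a child process and
# returns its result. Raises IsolatedParseError when the child is killed by a
# signal, exits without a result, or reports a parse error.
def parse_isolated(text, parser:)
  reader, writer = IO.pipe
  pid = fork do
    reader.close
    Process.setrlimit(:CORE, 0) # no core dumps from an aborting parser
    begin
      writer.write(Marshal.dump([:ok, parser.call(text)]))
    rescue StandardError => e
      writer.write(Marshal.dump([:error, e.message]))
    end
    writer.close
    exit!(0)
  end
  writer.close
  payload = reader.read # EOF once the child exits or is killed
  reader.close
  _, status = Process.wait2(pid)
  raise IsolatedParseError, "parser child killed by signal #{status.termsig}" if status.signaled?
  raise IsolatedParseError, "parser child produced no result" if payload.empty?
  # The Marshal stream comes from our own child, not from the untrusted input.
  kind, value = Marshal.load(payload)
  raise IsolatedParseError, "parse error: #{value}" if kind == :error
  value
end

# Stand-in parsers (assumptions for this example). In production the callable
# would wrap Yajl::Parser.new.parse from the yajl gem instead.
STDLIB_PARSER = ->(text) { JSON.parse(text) }
# Simulates the reported failure mode: native code aborts the whole process.
ABORTING_PARSER = lambda do |_text|
  Process.kill("ABRT", Process.pid)
  sleep 1
  exit!(99)
end
```

Calling `parse_isolated(json_text, parser: STDLIB_PARSER)` returns the parsed object, while the same call with `ABORTING_PARSER` raises IsolatedParseError in the parent instead of killing it.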


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#880691; Package src:ruby-yajl. (Wed, 08 Nov 2017 06:45:05 GMT)




Message #10 received at 880691@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 880691@bugs.debian.org
Subject: ruby-yajl: diff for NMU version 1.2.0-3.1
Date: Wed, 8 Nov 2017 07:42:18 +0100
Control: tags 880691 + patch
Control: tags 880691 + pending

Dear maintainer,

I've prepared an NMU for ruby-yajl (versioned as 1.2.0-3.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[ruby-yajl-1.2.0-3.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 880691-submit@bugs.debian.org. (Wed, 08 Nov 2017 06:45:06 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 880691-submit@bugs.debian.org. (Wed, 08 Nov 2017 06:45:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#880691; Package src:ruby-yajl. (Wed, 08 Nov 2017 10:51:06 GMT)




Message #19 received at 880691@bugs.debian.org:

From: Chris Hofstaedtler <zeha@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 880691@bugs.debian.org
Subject: Re: [DRE-maint] Bug#880691: ruby-yajl: diff for NMU version 1.2.0-3.1
Date: Wed, 8 Nov 2017 11:37:07 +0100
* Salvatore Bonaccorso <carnil@debian.org> [171108 07:45]:
> Dear maintainer,
> 
> I've prepared an NMU for ruby-yajl (versioned as 1.2.0-3.1) and
> uploaded it to DELAYED/5. Please feel free to tell me if I
> should delay it longer.

LGTM, feel free to reschedule to 0?

Thanks,
C.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#880691; Package src:ruby-yajl. (Wed, 08 Nov 2017 13:24:06 GMT)




Message #24 received at 880691@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Chris Hofstaedtler <zeha@debian.org>
Cc: 880691@bugs.debian.org
Subject: Re: [DRE-maint] Bug#880691: ruby-yajl: diff for NMU version 1.2.0-3.1
Date: Wed, 8 Nov 2017 14:21:40 +0100
Hi Chris!

On Wed, Nov 08, 2017 at 11:37:07AM +0100, Chris Hofstaedtler wrote:
> * Salvatore Bonaccorso <carnil@debian.org> [171108 07:45]:
> > Dear maintainer,
> > 
> > I've prepared an NMU for ruby-yajl (versioned as 1.2.0-3.1) and
> > uploaded it to DELAYED/5. Please feel free to tell me if I
> > should delay it longer.
> 
> LGTM, feel free to reschedule to 0?

Thanks a lot, done!

Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 08 Nov 2017 13:57:05 GMT)




Message #29 received at 880691-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 880691-close@bugs.debian.org
Subject: Bug#880691: fixed in ruby-yajl 1.2.0-3.1
Date: Wed, 08 Nov 2017 13:52:37 +0000
Source: ruby-yajl
Source-Version: 1.2.0-3.1

We believe that the bug you reported is fixed in the latest version of
ruby-yajl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 880691@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ruby-yajl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 08 Nov 2017 07:31:37 +0100
Source: ruby-yajl
Binary: ruby-yajl
Architecture: source
Version: 1.2.0-3.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 880691
Description: 
 ruby-yajl  - Ruby interface to Yajl, a JSON stream-based parser library
Changes:
 ruby-yajl (1.2.0-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2017-16516: Crafted JSON file allows to crash ruby process with a
     SIGABRT in the yajl_string_decode function (Closes: #880691)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 11 Dec 2017 07:30:13 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:08:20 2019; Machine Name: beach
