Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269]

Debian Bug report logs - #700436

Reported by: Ondřej Surý <ondrej@debian.org>

Date: Tue, 12 Feb 2013 16:57:01 UTC

Severity: critical

Tags: patch, security

Fixed in version ruby-json/1.7.3-3

Done: Cédric Boutillier <cedric.boutillier@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#700436; Package ruby-json. (Tue, 12 Feb 2013 16:57:04 GMT)


Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>.

Your message had a Version: pseudo-header with an invalid package version:

1.7.3-2,1.6.1-1~bpo60+1

please either use found or fixed to the control server with a correct version, or reply to this report indicating the correct version so the maintainer (or someone else) can correct it for you.

(Tue, 12 Feb 2013 16:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269]
Date: Tue, 12 Feb 2013 17:54:52 +0100
Package: ruby-json
Version: 1.7.3-2,1.6.1-1~bpo60+1
Severity: critical
Tags: security patch

https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58

Denial of Service and Unsafe Object Creation Vulnerability in JSON 

There is a denial of service and unsafe object creation vulnerability in the json gem. This vulnerability has been assigned the CVE identifier CVE-2013-0269. 

Versions Affected:  All. This includes JSON that ships with Ruby 1.9.X-pXXX. 
Not affected:       NONE 
Fixed Versions:     1.7.7, 1.6.8, 1.5.5 

Impact 
------ 
When parsing certain JSON documents, the JSON gem can be coerced into creating Ruby symbols in a target system.  Since Ruby symbols are not garbage collected, this can result in a denial of service attack.

The same technique can be used to create objects in a target system that act like internal objects.  These "act alike" objects can be used to bypass certain security mechanisms and can be used as a springboard for SQL injection attacks in Ruby on Rails.

Impacted code looks like this: 

    JSON.parse(user_input) 

Where the `user_input` variable will have a JSON document like this: 

    {"json_class":"foo"} 

The JSON gem will attempt to look up the constant "foo".  Looking up this constant will create a symbol. 

In JSON version 1.7.x, objects with arbitrary attributes can be created using JSON documents like this: 

    {"json_class":"JSON::GenericObject","foo":"bar"} 

This document will result in an instance of JSON::GenericObject, with the attribute "foo" that has the value "bar".  Instantiating these objects will result in arbitrary symbol creation and in some cases can be used to bypass security measures. 

PLEASE NOTE: this behavior *does not change* when using `JSON.load`.  `JSON.load` should *never* be given input from unknown sources.  If you are processing JSON from an unknown source, *always* use `JSON.parse`. 

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases 
-------- 
The FIXED releases are available at the normal locations. 

Workarounds 
----------- 
For users that cannot upgrade, please use the attached patches.  If you cannot use the attached patches, change your code from this: 

    JSON.parse(json) 

To this: 

    JSON.parse(json, :create_additions => false) 

If you cannot change the usage of `JSON.parse` (for example you're using a gem which depends on `JSON.parse` like multi_json), then apply this monkey patch: 

    module JSON 
      class << self 
        alias :old_parse :parse 
        def parse(json, args = {}) 
          args[:create_additions] = false 
          old_parse(json, args) 
        end 
      end 
    end 

Patches 
------- 
To aid users who aren't able to upgrade immediately we have provided patches for the three supported release series.  They are in git-am format and consist of a single changeset. 

* 1-7-VULN.patch - Patch for the 1.7 series 
* 1-6-VULN.patch - Patch for the 1.6 series 
* 1-5-VULN.patch - Patch for the 1.5 series 

Credits 
------- 
A huge thanks goes to the following people for responsibly disclosing this issue and working with the Rails team to get it fixed: 

* Thomas Hollstegge of Zweitag (www.zweitag.de) 
* Ben Murphy 


-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
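The following is an added illustration of the workaround described in the advisory above; it is not code from the advisory, from the Rails team, or from ruby-json. `safe_parse` calls `JSON.parse` with `create_additions` explicitly disabled (passing a merged copy of the options rather than mutating the caller's hash, which the advisory's monkey patch does), so the `json_class` key in either probe document comes back as an ordinary string key instead of triggering a constant lookup or a `JSON::GenericObject` instance. `plain_json?` adds a defence-in-depth check that the parsed result contains only plain JSON types. The probe documents are constructed from the advisory's examples; the names `safe_parse`, `plain_json?` and `PLAIN_TYPES` are chosen here and are not part of the json gem.

```ruby
require 'json'

# Added example for this bug log; not code from the advisory or from ruby-json.
# Shows the recommended workaround (create_additions disabled) plus a
# defence-in-depth type check on whatever JSON.parse returns.

# Constructed sample inputs modelled on the advisory's examples.
SYMBOL_PROBE  = '{"json_class":"foo"}'
GENERIC_PROBE = '{"json_class":"JSON::GenericObject","foo":"bar"}'
BENIGN        = '{"user":"alice","roles":["admin"],"n":3,"ok":true}'

# The only classes a plain JSON document can decode to.
PLAIN_TYPES = [Hash, Array, String, Integer, Float,
               TrueClass, FalseClass, NilClass].freeze

# Recursively confirm the parse result contains only plain JSON types,
# i.e. that no json_class addition was honoured anywhere in the tree.
def plain_json?(value)
  return false unless PLAIN_TYPES.any? { |t| value.is_a?(t) }
  case value
  when Hash
    value.each { |k, v| return false unless k.is_a?(String) && plain_json?(v) }
  when Array
    value.each { |v| return false unless plain_json?(v) }
  end
  true
end

# Hardened parse for untrusted input: additions are switched off explicitly
# rather than relying on the library default, the caller's option hash is
# left untouched, and a non-plain result is rejected instead of returned.
def safe_parse(json, opts = {})
  result = JSON.parse(json, opts.merge(create_additions: false))
  unless plain_json?(result)
    raise ArgumentError, 'parsed document contains non-JSON objects'
  end
  result
end

if __FILE__ == $0
  [SYMBOL_PROBE, GENERIC_PROBE, BENIGN].each do |doc|
    r = safe_parse(doc)
    puts "#{doc} -> #{r.class}: #{r.inspect}"
  end
end
```

Run stand-alone, the script prints each probe followed by the plain `Hash` it decodes to; the `json_class` entries survive only as string-valued keys, which is what the `:create_additions => false` workaround in the advisory achieves.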



Reply sent to Cédric Boutillier <cedric.boutillier@gmail.com>:
You have taken responsibility. (Tue, 12 Feb 2013 23:36:08 GMT)


Notification sent to Ondřej Surý <ondrej@debian.org>:
Bug acknowledged by developer. (Tue, 12 Feb 2013 23:36:08 GMT)


Message #10 received at 700436-close@bugs.debian.org:

From: Cédric Boutillier <cedric.boutillier@gmail.com>
To: 700436-close@bugs.debian.org
Subject: Bug#700436: fixed in ruby-json 1.7.3-3
Date: Tue, 12 Feb 2013 23:33:34 +0000
Source: ruby-json
Source-Version: 1.7.3-3

We believe that the bug you reported is fixed in the latest version of
ruby-json, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700436@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cédric Boutillier <cedric.boutillier@gmail.com> (supplier of updated ruby-json package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 12 Feb 2013 23:14:48 +0100
Source: ruby-json
Binary: ruby-json libjson-ruby libjson-ruby-doc libjson-ruby1.8
Architecture: source amd64 all
Version: 1.7.3-3
Distribution: unstable
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Cédric Boutillier <cedric.boutillier@gmail.com>
Description: 
 libjson-ruby - Transitional package for ruby-json
 libjson-ruby-doc - Transitional package for ruby-json
 libjson-ruby1.8 - Transitional package for ruby-json
 ruby-json  - JSON library for Ruby
Closes: 700436
Changes: 
 ruby-json (1.7.3-3) unstable; urgency=high
 .
   * set urgency to high, as a security bug is fixed.
   * Add 10-fix-CVE-2013-0269.patch, adapted from upstream to fix denial of
     service and unsafe object creation vulnerability.
     [CVE-2013-0269] (Closes: #700436).
Checksums-Sha1: 
 dd799d3fd0843bd48936dba2bd794dec64ab14bf 2266 ruby-json_1.7.3-3.dsc
 ed67a0385da8cceeeb24cd70238184c7e1973d43 10245 ruby-json_1.7.3-3.debian.tar.gz
 5ee24aedc28eaa06a90a984e0bd32efe80331124 78486 ruby-json_1.7.3-3_amd64.deb
 39032af8cb69363f54417cd2b84318ed68102d1d 11706 libjson-ruby_1.7.3-3_all.deb
 6827b095f4905f53e41fed9214a717fbfff40f0d 11708 libjson-ruby-doc_1.7.3-3_all.deb
 f01b46762b06f40c8c11cd8a6f176f51c5cf0695 11708 libjson-ruby1.8_1.7.3-3_all.deb
Checksums-Sha256: 
 5b202600b372e935314e0ef7eba0fc5cd40f73d265a66b951e1777180223a805 2266 ruby-json_1.7.3-3.dsc
 0233cfc6a598aee18b35b0ed1f3300a323f25e2cef32ce695f63d698d4b748b5 10245 ruby-json_1.7.3-3.debian.tar.gz
 a86dd62a50b10c46ffde36b2acd5c44bd11e3c33bffd9ab4c85b544c3f7e6b16 78486 ruby-json_1.7.3-3_amd64.deb
 decf985dc069c88280280328024b3332f538aed11315b5e34970842ebfec67b4 11706 libjson-ruby_1.7.3-3_all.deb
 5ca211ab7e73cda8781ed4c340eef1349501ae40358acd032eda31ba602a4d83 11708 libjson-ruby-doc_1.7.3-3_all.deb
 cc0ccab5b82aa1530431eac48ee4321295e190cec570538615b661c45311d087 11708 libjson-ruby1.8_1.7.3-3_all.deb
Files: 
 e2dda58af9c4022e4fdd77d1f4236cf9 2266 ruby optional ruby-json_1.7.3-3.dsc
 b6d781a3384ff1845c0d710d6d91be36 10245 ruby optional ruby-json_1.7.3-3.debian.tar.gz
 fe65c442f860add7ba2dc2b940a82268 78486 ruby optional ruby-json_1.7.3-3_amd64.deb
 2040718ab88d402219fd004be94ebda6 11706 oldlibs extra libjson-ruby_1.7.3-3_all.deb
 306a554141d88e0fbf4b16fe67b92b21 11708 oldlibs extra libjson-ruby-doc_1.7.3-3_all.deb
 cad8310c7437cf347ead8872fa2b373d 11708 oldlibs extra libjson-ruby1.8_1.7.3-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJRGsyJAAoJENpJWPYR4UnpfvkP/01/zDlIsZCb81WleZo2FD8I
d0j/g3MZ/Sic0Cjq6OwSWSnosVI6CdCLlHKGGy0ansM2ElZuik84ebV6m8r7rTb+
/z1ZEi7RLcqVVzJrrSRLv7JmpeW1DWSWYH1kqNXfbZH3kgQ1//ijPB7/trmva2eN
Au4dbMWcHc/jJC9M6zrJZq72Sxvx8hUr0or3m1pXZh+f8qAQH85Tyw6YIQyU4u5k
/dlzs9TwYZRmGz08gSu07NDuD91QV7Fa1Xa2ilFVVu4+hS6mpZCM2JhtHzW7nG9Y
ht59ltHzIWi39PHFs9VBUAb6iLeY3EDmoJfxGk/b9nvOOOIW1IjdEsWSXzpsmG+z
Y6b3TPlgw5K9xNleq24j9NSM2FANvxdeSFRtV0A2ZG2f6llXWF9RtBbwpN2KsBTC
cbTX1VN4Lwsj/0in2feArvPNu+13ApOqKN1vlXdVT+FH9BaaIDxLmlq5T3FA5oZ2
y7mozAbrbxMhGbvGlN/0ZbL6nhZbwLdOn0DPIoSqiE3e/cpNLQG705dpysa5IrLG
GjSNK/cwUg+thN9xKCGr8L2rvHHgc1mOMACbyalUAi7HXC4F8lgAw9/rdt9wJ9Qp
sSPMbtB9ETC43pc8nt69DBLaSFMvoKl8Ui02nKPFq9ro0ZY4vJ2Ng2Wzi3C017Ye
b1nxmxacvtcI/HWo9lg5
=TwSv
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#700436; Package ruby-json. (Tue, 12 Feb 2013 23:51:03 GMT)


Acknowledgement sent to Cédric Boutillier <cedric.boutillier@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 12 Feb 2013 23:51:03 GMT)


Message #15 received at 700436@bugs.debian.org:

From: Cédric Boutillier <cedric.boutillier@gmail.com>
To: 700436@bugs.debian.org
Subject: This bug affects also Ruby1.9
Date: Wed, 13 Feb 2013 00:48:50 +0100
Control: clone -1 -2
Control: reassign -2 ruby1.9.1

Hi!

Reading the description given in
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58
I notice that the bug is affecting the version of JSON distributed with
ruby1.9.1. I am therefore duplicating this bug accordingly.

Cheers,

Cédric



Bug 700436 cloned as bug 700471 Request was from Cédric Boutillier <cedric.boutillier@gmail.com> to 700436-submit@bugs.debian.org. (Tue, 12 Feb 2013 23:51:03 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 16 Mar 2013 07:27:25 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:30:43 2019; Machine Name: beach
