Debian Bug report logs - #700436
Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269]
Reported by: Ondřej Surý <ondrej@debian.org>
Date: Tue, 12 Feb 2013 16:57:01 UTC
Severity: critical
Tags: patch, security
Fixed in version ruby-json/1.7.3-3
Done: Cédric Boutillier <cedric.boutillier@gmail.com>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#700436; Package ruby-json. (Tue, 12 Feb 2013 16:57:04 GMT)
Acknowledgement sent to Ondřej Surý <ondrej@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>.
Your message had a Version: pseudo-header with an invalid package version: 1.7.3-2,1.6.1-1~bpo60+1
please either use found or fixed to the control server with a correct version, or reply to this report indicating the correct version so the maintainer (or someone else) can correct it for you.
(Tue, 12 Feb 2013 16:57:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: ruby-json
Version: 1.7.3-2,1.6.1-1~bpo60+1
Severity: critical
Tags: security patch
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58
Denial of Service and Unsafe Object Creation Vulnerability in JSON
There is a denial of service and unsafe object creation vulnerability in the json gem. This vulnerability has been assigned the CVE identifier CVE-2013-0269.
Versions Affected: All. This includes JSON that ships with Ruby 1.9.X-pXXX.
Not affected: NONE
Fixed Versions: 1.7.7, 1.6.8, 1.5.5
Impact
------
When parsing certain JSON documents, the JSON gem can be coerced into creating Ruby symbols in a target system. Since Ruby symbols are not garbage collected, this can result in a denial of service attack.
The same technique can be used to create objects in a target system that act like internal objects. These "act alike" objects can be used to bypass certain security mechanisms and can be used as a springboard for SQL injection attacks in Ruby on Rails.
Impacted code looks like this:
JSON.parse(user_input)
Where the `user_input` variable will have a JSON document like this:
{"json_class":"foo"}
The JSON gem will attempt to look up the constant "foo". Looking up this constant will create a symbol.
In JSON version 1.7.x, objects with arbitrary attributes can be created using JSON documents like this:
{"json_class":"JSON::GenericObject","foo":"bar"}
This document will result in an instance of JSON::GenericObject, with the attribute "foo" that has the value "bar". Instantiating these objects will result in arbitrary symbol creation and in some cases can be used to bypass security measures.
PLEASE NOTE: this behavior *does not change* when using `JSON.load`. `JSON.load` should *never* be given input from unknown sources. If you are processing JSON from an unknown source, *always* use `JSON.parse`.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
--------
The FIXED releases are available at the normal locations.
Workarounds
-----------
For users that cannot upgrade, please use the attached patches. If you cannot use the attached patches, change your code from this:
JSON.parse(json)
To this:
JSON.parse(json, :create_additions => false)
If you cannot change the usage of `JSON.parse` (for example you're using a gem which depends on `JSON.parse` like multi_json), then apply this monkey patch:
module JSON
  class << self
    alias :old_parse :parse
    # Force create_additions off for every caller, then delegate to the original parse
    def parse(json, args = {})
      args[:create_additions] = false
      old_parse(json, args)
    end
  end
end
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the three supported release series. They are in git-am format and consist of a single changeset.
* 1-7-VULN.patch - Patch for the 1.7 series
* 1-6-VULN.patch - Patch for the 1.6 series
* 1-5-VULN.patch - Patch for the 1.5 series
Credits
-------
A huge thanks goes to the following people for responsibly disclosing this issue and working with the Rails team to get it fixed:
* Thomas Hollstegge of Zweitag (www.zweitag.de)
* Ben Murphy
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
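The workaround from the advisory above, as an added example that is not part of the bug report or of the json gem: a wrapper that forces `create_additions` off whatever the caller passes (without mutating the caller's options hash, which the monkey patch does), plus an audit helper that reports every `json_class` key found in untrusted input. The function names and sample documents are constructed for illustration.

```ruby
require 'json'

# Constructed sample documents shaped like the ones in the advisory; they are
# not captured traffic.
SYMBOL_DOC  = '{"json_class":"foo"}'
GENERIC_DOC = '{"json_class":"JSON::GenericObject","foo":"bar"}'
NESTED_DOC  = '[{"a":{"json_class":"X"}},{"b":1}]'

# parse_untrusted (hypothetical name): the advisory's workaround as a wrapper.
# create_additions is forced to false no matter what the caller requests, so a
# "json_class" key can never drive constant lookup or object instantiation.
# Unlike the advisory's monkey patch, the caller's options hash is left intact.
def parse_untrusted(json, opts = {})
  JSON.parse(json, opts.merge(create_additions: false))
end

# json_class_keys (hypothetical name): walk a parsed document and list every
# "json_class" key with its JSON path. Untrusted input has no legitimate reason
# to carry this key, so a non-empty result is worth logging or alerting on.
def json_class_keys(value, path = '$', found = [])
  case value
  when Hash
    found << "#{path}.json_class=#{value['json_class']}" if value.key?('json_class')
    value.each { |k, v| json_class_keys(v, "#{path}.#{k}", found) }
  when Array
    value.each_with_index { |v, i| json_class_keys(v, "#{path}[#{i}]", found) }
  end
  found
end

if $PROGRAM_NAME == __FILE__
  [SYMBOL_DOC, GENERIC_DOC, NESTED_DOC].each do |doc|
    parsed = parse_untrusted(doc, create_additions: true) # request is overridden
    puts "#{parsed.class}: #{json_class_keys(parsed).inspect}"
  end
end
```

Every document comes back as a plain Hash or Array, never as a JSON::GenericObject, and the audit helper pinpoints where the `json_class` key sat.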
Reply sent to Cédric Boutillier <cedric.boutillier@gmail.com>: You have taken responsibility. (Tue, 12 Feb 2013 23:36:08 GMT)
Notification sent to Ondřej Surý <ondrej@debian.org>: Bug acknowledged by developer. (Tue, 12 Feb 2013 23:36:08 GMT)
Message #10 received at 700436-close@bugs.debian.org:
Source: ruby-json
Source-Version: 1.7.3-3
We believe that the bug you reported is fixed in the latest version of
ruby-json, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 700436@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Cédric Boutillier <cedric.boutillier@gmail.com> (supplier of updated ruby-json package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Tue, 12 Feb 2013 23:14:48 +0100
Source: ruby-json
Binary: ruby-json libjson-ruby libjson-ruby-doc libjson-ruby1.8
Architecture: source amd64 all
Version: 1.7.3-3
Distribution: unstable
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Cédric Boutillier <cedric.boutillier@gmail.com>
Description:
libjson-ruby - Transitional package for ruby-json
libjson-ruby-doc - Transitional package for ruby-json
libjson-ruby1.8 - Transitional package for ruby-json
ruby-json - JSON library for Ruby
Closes: 700436
Changes:
ruby-json (1.7.3-3) unstable; urgency=high
.
* set urgency to high, as a security bug is fixed.
* Add 10-fix-CVE-2013-0269.patch, adapted from upstream to fix denial of
service and unsafe object creation vulnerability.
[CVE-2013-0269] (Closes: #700436).
Checksums-Sha1:
Checksums-Sha256:
Files:
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#700436; Package ruby-json. (Tue, 12 Feb 2013 23:51:03 GMT)
Acknowledgement sent to Cédric Boutillier <cedric.boutillier@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 12 Feb 2013 23:51:03 GMT)
Message #15 received at 700436@bugs.debian.org:
Control: clone -1 -2
Control: reassign -2 ruby1.9.1
Hi!
Reading the description given in
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58
I notice that the bug is affecting the version of JSON distributed with
ruby1.9.1. I am therefore duplicating this bug accordingly.
Cheers,
Cédric
Bug 700436 cloned as bug 700471. Request was from Cédric Boutillier <cedric.boutillier@gmail.com> to 700436-submit@bugs.debian.org. (Tue, 12 Feb 2013 23:51:03 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 16 Mar 2013 07:27:25 GMT)
Last modified: Wed Jun 19 14:30:43 2019