[DRE-commits] [SCM] ruby-json.git branch, master, updated. debian/1.7.3-2-1-g742367c
Cédric Boutillier
boutil at debian.org
Tue Feb 12 23:13:56 UTC 2013
The following commit has been merged in the master branch:
commit 742367ced736a24a73e9847c302535b3a8606faf
Author: Cédric Boutillier <boutil at debian.org>
Date: Wed Feb 13 00:05:15 2013 +0100
import upstream patch to fix CVE-2013-0269 / #700436
diff --git a/debian/changelog b/debian/changelog
index b7521e8..ce112d8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+ruby-json (1.7.3-3) unstable; urgency=high
+
+ * set urgency to high, as a security bug is fixed.
+ * Add 10-fix-CVE-2013-0269.patch, adapted from upstream to fix denial of
+ service and unsafe object creation vulnerability.
+ [CVE-2013-0269] (Closes: #700436).
+
+ -- Cédric Boutillier <cedric.boutillier at gmail.com> Tue, 12 Feb 2013 23:14:48 +0100
+
ruby-json (1.7.3-2) unstable; urgency=low
* Bump build dependency on gem2deb to >= 0.3.0~
diff --git a/debian/patches/10-fix-CVE-2013-0269.patch b/debian/patches/10-fix-CVE-2013-0269.patch
new file mode 100644
index 0000000..99510f0
--- /dev/null
+++ b/debian/patches/10-fix-CVE-2013-0269.patch
@@ -0,0 +1,352 @@
+From a26f7e96b52efe0be508e223cd31f97ed04099ea Mon Sep 17 00:00:00 2001
+Description: Security fix create_additons/JSON::GenericObject (CVE-2013-0269)
+ See announcement by the Rails team:
+ https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58
+From: Florian Frank <flori at ping.de>
+Reviewed-by: Cédric Boutillier <boutil at debian.org>
+Origin: https://github.com/flori/json/commit/d0a62f3ced7560daba2ad546d83f0479a5ae2cf2
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700436
+Last-Update: 2013-02-12
+
+
+--- a/ext/json/ext/parser/parser.c
++++ b/ext/json/ext/parser/parser.c
+@@ -1680,7 +1680,7 @@
+ if (option_given_p(opts, tmp)) {
+ json->create_additions = RTEST(rb_hash_aref(opts, tmp));
+ } else {
+- json->create_additions = 1;
++ json->create_additions = 0;
+ }
+ tmp = ID2SYM(i_create_id);
+ if (option_given_p(opts, tmp)) {
+--- a/ext/json/ext/parser/parser.rl
++++ b/ext/json/ext/parser/parser.rl
+@@ -664,7 +664,7 @@
+ if (option_given_p(opts, tmp)) {
+ json->create_additions = RTEST(rb_hash_aref(opts, tmp));
+ } else {
+- json->create_additions = 1;
++ json->create_additions = 0;
+ }
+ tmp = ID2SYM(i_create_id);
+ if (option_given_p(opts, tmp)) {
+--- a/java/src/json/ext/Parser.java
++++ b/java/src/json/ext/Parser.java
+@@ -166,7 +166,7 @@
+ this.symbolizeNames = opts.getBool("symbolize_names", false);
+ this.quirksMode = opts.getBool("quirks_mode", false);
+ this.createId = opts.getString("create_id", getCreateId(context));
+- this.createAdditions = opts.getBool("create_additions", true);
++ this.createAdditions = opts.getBool("create_additions", false);
+ this.objectClass = opts.getClass("object_class", runtime.getHash());
+ this.arrayClass = opts.getClass("array_class", runtime.getArray());
+ this.match_string = opts.getHash("match_string");
+--- a/java/src/json/ext/Parser.rl
++++ b/java/src/json/ext/Parser.rl
+@@ -164,7 +164,7 @@
+ this.symbolizeNames = opts.getBool("symbolize_names", false);
+ this.quirksMode = opts.getBool("quirks_mode", false);
+ this.createId = opts.getString("create_id", getCreateId(context));
+- this.createAdditions = opts.getBool("create_additions", true);
++ this.createAdditions = opts.getBool("create_additions", false);
+ this.objectClass = opts.getClass("object_class", runtime.getHash());
+ this.arrayClass = opts.getClass("array_class", runtime.getArray());
+ this.match_string = opts.getHash("match_string");
+--- a/lib/json/common.rb
++++ b/lib/json/common.rb
+@@ -299,21 +299,28 @@
+ attr_accessor :load_default_options
+ end
+ self.load_default_options = {
+- :max_nesting => false,
+- :allow_nan => true,
+- :quirks_mode => true,
++ :max_nesting => false,
++ :allow_nan => true,
++ :quirks_mode => true,
++ :create_additions => true,
+ }
+
+ # Load a ruby data structure from a JSON _source_ and return it. A source can
+ # either be a string-like object, an IO-like object, or an object responding
+ # to the read method. If _proc_ was given, it will be called with any nested
+- # Ruby object as an argument recursively in depth first order. The default
+- # options for the parser can be changed via the load_default_options method.
++ # Ruby object as an argument recursively in depth first order. To modify the
++ # default options pass in the optional _options_ argument as well.
++ #
++ # BEWARE: This method is meant to serialise data from trusted user input,
++ # like from your own database server or clients under your control, it could
++ # be dangerous to allow untrusted users to pass JSON sources into it. The
++ # default options for the parser can be changed via the load_default_options
++ # method.
+ #
+ # This method is part of the implementation of the load/dump interface of
+ # Marshal and YAML.
+- def load(source, proc = nil)
+- opts = load_default_options
++ def load(source, proc = nil, options = {})
++ opts = load_default_options.merge options
+ if source.respond_to? :to_str
+ source = source.to_str
+ elsif source.respond_to? :to_io
+--- a/lib/json/generic_object.rb
++++ b/lib/json/generic_object.rb
+@@ -5,12 +5,19 @@
+ class << self
+ alias [] new
+
++ def json_creatable?
++ @json_creatable
++ end
++
++ attr_writer :json_creatable
++
+ def json_create(data)
+ data = data.dup
+ data.delete JSON.create_id
+ self[data]
+ end
+ end
++ self.json_creatable = false
+
+ def to_hash
+ table
+--- a/lib/json/pure/parser.rb
++++ b/lib/json/pure/parser.rb
+@@ -63,9 +63,9 @@
+ # * *symbolize_names*: If set to true, returns symbols for the names
+ # (keys) in a JSON object. Otherwise strings are returned, which is also
+ # the default.
+- # * *create_additions*: If set to false, the Parser doesn't create
+- # additions even if a matchin class and create_id was found. This option
+- # defaults to true.
++ # * *create_additions*: If set to true, the Parser creates
++ # additions when if a matching class and create_id was found. This
++ # option defaults to false.
+ # * *object_class*: Defaults to Hash
+ # * *array_class*: Defaults to Array
+ # * *quirks_mode*: Enables quirks_mode for parser, that is for example
+@@ -88,7 +88,7 @@
+ if opts.key?(:create_additions)
+ @create_additions = !!opts[:create_additions]
+ else
+- @create_additions = true
++ @create_additions = false
+ end
+ @create_id = @create_additions ? JSON.create_id : nil
+ @object_class = opts[:object_class] || Hash
+--- a/tests/test_json.rb
++++ b/tests/test_json.rb
+@@ -329,12 +329,12 @@
+ def test_generate_core_subclasses_with_new_to_json
+ obj = SubHash2["foo" => SubHash2["bar" => true]]
+ obj_json = JSON(obj)
+- obj_again = JSON(obj_json)
++ obj_again = JSON.parse(obj_json, :create_additions => true)
+ assert_kind_of SubHash2, obj_again
+ assert_kind_of SubHash2, obj_again['foo']
+ assert obj_again['foo']['bar']
+ assert_equal obj, obj_again
+- assert_equal ["foo"], JSON(JSON(SubArray2["foo"]))
++ assert_equal ["foo"], JSON(JSON(SubArray2["foo"]), :create_additions => true)
+ end
+
+ def test_generate_core_subclasses_with_default_to_json
+@@ -493,6 +493,12 @@
+ assert_equal nil, JSON.load('')
+ end
+
++ def test_load_with_options
++ small_hash = JSON("foo" => 'bar')
++ symbol_hash = { :foo => 'bar' }
++ assert_equal symbol_hash, JSON.load(small_hash, nil, :symbolize_names => true)
++ end
++
+ def test_dump
+ too_deep = '[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]'
+ assert_equal too_deep, JSON.dump(eval(too_deep))
+--- a/tests/test_json_addition.rb
++++ b/tests/test_json_addition.rb
+@@ -73,11 +73,19 @@
+ a = A.new(666)
+ assert A.json_creatable?
+ json = generate(a)
+- a_again = JSON.parse(json)
++ a_again = JSON.parse(json, :create_additions => true)
+ assert_kind_of a.class, a_again
+ assert_equal a, a_again
+ end
+
++ def test_extended_json_default
++ a = A.new(666)
++ assert A.json_creatable?
++ json = generate(a)
++ a_hash = JSON.parse(json)
++ assert_kind_of Hash, a_hash
++ end
++
+ def test_extended_json_disabled
+ a = A.new(666)
+ assert A.json_creatable?
+@@ -104,7 +112,7 @@
+ c = C.new
+ assert !C.json_creatable?
+ json = generate(c)
+- assert_raises(ArgumentError, NameError) { JSON.parse(json) }
++ assert_raises(ArgumentError, NameError) { JSON.parse(json, :create_additions => true) }
+ end
+
+ def test_raw_strings
+@@ -122,7 +130,7 @@
+ assert_match(/\A\{.*\}\Z/, json)
+ assert_match(/"json_class":"String"/, json)
+ assert_match(/"raw":\[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255\]/, json)
+- raw_again = JSON.parse(json)
++ raw_again = JSON.parse(json, :create_additions => true)
+ assert_equal raw, raw_again
+ end
+
+@@ -130,17 +138,17 @@
+
+ def test_core
+ t = Time.now
+- assert_equal t, JSON(JSON(t))
++ assert_equal t, JSON(JSON(t), :create_additions => true)
+ d = Date.today
+- assert_equal d, JSON(JSON(d))
++ assert_equal d, JSON(JSON(d), :create_additions => true)
+ d = DateTime.civil(2007, 6, 14, 14, 57, 10, Rational(1, 12), 2299161)
+- assert_equal d, JSON(JSON(d))
+- assert_equal 1..10, JSON(JSON(1..10))
+- assert_equal 1...10, JSON(JSON(1...10))
+- assert_equal "a".."c", JSON(JSON("a".."c"))
+- assert_equal "a"..."c", JSON(JSON("a"..."c"))
++ assert_equal d, JSON(JSON(d), :create_additions => true)
++ assert_equal 1..10, JSON(JSON(1..10), :create_additions => true)
++ assert_equal 1...10, JSON(JSON(1...10), :create_additions => true)
++ assert_equal "a".."c", JSON(JSON("a".."c"), :create_additions => true)
++ assert_equal "a"..."c", JSON(JSON("a"..."c"), :create_additions => true)
+ s = MyJsonStruct.new 4711, 'foot'
+- assert_equal s, JSON(JSON(s))
++ assert_equal s, JSON(JSON(s), :create_additions => true)
+ struct = Struct.new :foo, :bar
+ s = struct.new 4711, 'foot'
+ assert_raises(JSONError) { JSON(s) }
+@@ -148,41 +156,41 @@
+ raise TypeError, "test me"
+ rescue TypeError => e
+ e_json = JSON.generate e
+- e_again = JSON e_json
++ e_again = JSON e_json, :create_additions => true
+ assert_kind_of TypeError, e_again
+ assert_equal e.message, e_again.message
+ assert_equal e.backtrace, e_again.backtrace
+ end
+- assert_equal(/foo/, JSON(JSON(/foo/)))
+- assert_equal(/foo/i, JSON(JSON(/foo/i)))
++ assert_equal(/foo/, JSON(JSON(/foo/), :create_additions => true))
++ assert_equal(/foo/i, JSON(JSON(/foo/i), :create_additions => true))
+ end
+
+ def test_utc_datetime
+ now = Time.now
+- d = DateTime.parse(now.to_s) # usual case
+- assert_equal d, JSON.parse(d.to_json)
++ d = DateTime.parse(now.to_s, :create_additions => true) # usual case
++ assert_equal d, JSON.parse(d.to_json, :create_additions => true)
+ d = DateTime.parse(now.utc.to_s) # of = 0
+- assert_equal d, JSON.parse(d.to_json)
++ assert_equal d, JSON.parse(d.to_json, :create_additions => true)
+ d = DateTime.civil(2008, 6, 17, 11, 48, 32, Rational(1,24))
+- assert_equal d, JSON.parse(d.to_json)
++ assert_equal d, JSON.parse(d.to_json, :create_additions => true)
+ d = DateTime.civil(2008, 6, 17, 11, 48, 32, Rational(12,24))
+- assert_equal d, JSON.parse(d.to_json)
++ assert_equal d, JSON.parse(d.to_json, :create_additions => true)
+ end
+
+ def test_rational_complex
+- assert_equal Rational(2, 9), JSON(JSON(Rational(2, 9)))
+- assert_equal Complex(2, 9), JSON(JSON(Complex(2, 9)))
++ assert_equal Rational(2, 9), JSON.parse(JSON(Rational(2, 9)), :create_additions => true)
++ assert_equal Complex(2, 9), JSON.parse(JSON(Complex(2, 9)), :create_additions => true)
+ end
+
+ def test_bigdecimal
+- assert_equal BigDecimal('3.141', 23), JSON(JSON(BigDecimal('3.141', 23)))
+- assert_equal BigDecimal('3.141', 666), JSON(JSON(BigDecimal('3.141', 666)))
++ assert_equal BigDecimal('3.141', 23), JSON(JSON(BigDecimal('3.141', 23)), :create_additions => true)
++ assert_equal BigDecimal('3.141', 666), JSON(JSON(BigDecimal('3.141', 666)), :create_additions => true)
+ end
+
+ def test_ostruct
+ o = OpenStruct.new
+ # XXX this won't work; o.foo = { :bar => true }
+ o.foo = { 'bar' => true }
+- assert_equal o, JSON(JSON(o))
++ assert_equal o, JSON.parse(JSON(o), :create_additions => true)
+ end
+ end
+--- a/tests/test_json_generic_object.rb
++++ b/tests/test_json_generic_object.rb
+@@ -20,16 +20,30 @@
+ end
+
+ def test_generate_json
+- assert_equal @go, JSON(JSON(@go))
++ switch_json_creatable do
++ assert_equal @go, JSON(JSON(@go), :create_additions => true)
++ end
+ end
+
+ def test_parse_json
+- assert_equal @go, l = JSON('{ "json_class": "JSON::GenericObject", "a": 1, "b": 2 }')
+- assert_equal 1, l.a
+- assert_equal @go, l = JSON('{ "a": 1, "b": 2 }', :object_class => GenericObject)
+- assert_equal 1, l.a
+- assert_equal GenericObject[:a => GenericObject[:b => 2]],
+- l = JSON('{ "a": { "b": 2 } }', :object_class => GenericObject)
+- assert_equal 2, l.a.b
++ assert_kind_of Hash, JSON('{ "json_class": "JSON::GenericObject", "a": 1, "b": 2 }', :create_additions => true)
++ switch_json_creatable do
++ assert_equal @go, l = JSON('{ "json_class": "JSON::GenericObject", "a": 1, "b": 2 }', :create_additions => true)
++ assert_equal 1, l.a
++ assert_equal @go, l = JSON('{ "a": 1, "b": 2 }', :object_class => GenericObject)
++ assert_equal 1, l.a
++ assert_equal GenericObject[:a => GenericObject[:b => 2]],
++ l = JSON('{ "a": { "b": 2 } }', :object_class => GenericObject)
++ assert_equal 2, l.a.b
++ end
++ end
++
++ private
++
++ def switch_json_creatable
++ JSON::GenericObject.json_creatable = true
++ yield
++ ensure
++ JSON::GenericObject.json_creatable = false
+ end
+ end
+--- a/tests/test_json_string_matching.rb
++++ b/tests/test_json_string_matching.rb
+@@ -27,14 +27,13 @@
+ t = TestTime.new
+ t_json = [ t ].to_json
+ assert_equal [ t ],
+- JSON.parse(t_json,
++ JSON.parse(t_json, :create_additions => true,
+ :match_string => { /\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4}\Z/ => TestTime })
+ assert_equal [ t.strftime('%FT%T%z') ],
+- JSON.parse(t_json,
++ JSON.parse(t_json, :create_additions => true,
+ :match_string => { /\A\d{3}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4}\Z/ => TestTime })
+ assert_equal [ t.strftime('%FT%T%z') ],
+ JSON.parse(t_json,
+- :match_string => { /\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4}\Z/ => TestTime },
+- :create_additions => false)
++ :match_string => { /\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4}\Z/ => TestTime })
+ end
+ end
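Review bot: The `test_utc_datetime` hunk in tests/test_json_addition.rb attaches the parser option to the wrong call: `d = DateTime.parse(now.to_s, :create_additions => true) # usual case` hands a Hash to `DateTime.parse`'s second positional parameter rather than to `JSON.parse`, which looks like a search-and-replace slip carried over from the upstream commit; the line should read `d = DateTime.parse(now.to_s) # usual case`, consistent with the three `DateTime.parse` calls that follow it. Separately, while the C, Java and pure-Ruby parser hunks all flip the `create_additions` default to false for `JSON.parse`, the lib/json/common.rb hunk adds `:create_additions => true` to `load_default_options`, so `JSON.load` keeps instantiating any `json_create`-capable class named in the input; the changelog's "unsafe object creation" fix therefore applies only to `JSON.parse`, and code that feeds `JSON.load` data from outside its trust boundary still needs to pass `:create_additions => false` through the new `options` argument (the BEWARE paragraph is the only hint of this). The lib/json/pure/parser.rb doc hunk also reads `additions when if a matching class` and should drop one of `when`/`if`.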
diff --git a/debian/patches/series b/debian/patches/series
index 594b1c7..f5f0899 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
02-fix-fuzz.rb-shebang.patch
04-fix-tests-path.patch
+10-fix-CVE-2013-0269.patch
--
ruby-json.git