Bug#555516: s-p-u: libjson-ruby security issues

Package: release.debian.org
Severity: normal
User: release.debian.org@...
Usertags: pu

----- Forwarded message from Ryan Niebur <ryan@...> -----

> Date: Sun, 8 Nov 2009 22:50:11 -0800
> From: Ryan Niebur <ryan@...>
> Subject: permission for s-p-u upload for libjson-ruby security issues
> To: debian-release@...
>
> Two security issues. Here's the changelog entry:
>
> libjson-ruby (1.1.2-1+lenny1) stable-proposed-updates; urgency=low
>
>   * Security Fix for JSON::Pure::Parser. A specially designed string
>     could cause catastrophic backtracking in one of the parser's regular
>     expressions. (fixed upstream in version 1.1.7)
>   * Use the version of prototype.js from libjs-prototype. The included
>     version had a security issue. (Closes: #555224, #555223)
>
>  -- Ryan Niebur <ryan@...>  Sun, 08 Nov 2009 22:33:47 -0800
>
> Attached is a debdiff.
>
> Okay to upload?
>
> --
> _________________________
> Ryan Niebur
> ryanryan52@...

> diff -u libjson-ruby-1.1.2/debian/control libjson-ruby-1.1.2/debian/control
> --- libjson-ruby-1.1.2/debian/control
> +++ libjson-ruby-1.1.2/debian/control
> @@ -25,6 +25,7 @@
> Package: libjson-ruby-doc
> Architecture: all
> Section: doc
> +Depends: libjs-prototype
> Description: JSON library for Ruby (documentation)
> This library implements the JSON (JavaScript Object Notation) specification in
> Ruby, allowing the developer to easily convert data between Ruby and JSON. You
> diff -u libjson-ruby-1.1.2/debian/changelog libjson-ruby-1.1.2/debian/changelog
> --- libjson-ruby-1.1.2/debian/changelog
> +++ libjson-ruby-1.1.2/debian/changelog
> @@ -1,3 +1,13 @@
> +libjson-ruby (1.1.2-1+lenny1) stable-proposed-updates; urgency=low
> +
> + * Security Fix for JSON::Pure::Parser. A specially designed string
> + could cause catastrophic backtracking in one of the parser's regular
> + expressions. (fixed upstream in version 1.1.7)
> + * Use the version of prototype.js from libjs-prototype. The included
> + version had a security issue. (Closes: #555224, #555223)
> +
> + -- Ryan Niebur <ryan@...> Sun, 08 Nov 2009 22:33:47 -0800
> +
> libjson-ruby (1.1.2-1) unstable; urgency=low
>
> [ Paul van Tilburg ]
> diff -u libjson-ruby-1.1.2/debian/rules libjson-ruby-1.1.2/debian/rules
> --- libjson-ruby-1.1.2/debian/rules
> +++ libjson-ruby-1.1.2/debian/rules
> @@ -7,6 +7,11 @@
> BASEDIR = `pwd`/debian
> DEB_INSTALL_MANPAGES_edit-json = debian/edit_json.1 debian/prettify_json.1
>
> +binary-install/libjson-ruby-doc::
> + rm $(BASEDIR)/libjson-ruby-doc/usr/share/doc/libjson-ruby-doc/examples/prototype.js
> + ln -s /usr/share/javascript/prototype/prototype.js $(BASEDIR)/libjson-ruby-doc/usr/share/doc/libjson-ruby-doc/examples/prototype.js
> + dh_link -plibjson-ruby-doc
> +
> install/libjson-ruby1.8::
> # remove files already installed in edit-json package
> rm -r $(BASEDIR)/libjson-ruby1.8/usr/bin
> only in patch2:
> unchanged:
> --- libjson-ruby-1.1.2.orig/lib/json/pure/parser.rb
> +++ libjson-ruby-1.1.2/lib/json/pure/parser.rb
> @@ -6,9 +6,11 @@
> # into a Ruby data structure.
> class Parser < StringScanner
> STRING = /" ((?:[^\x0-\x1f"\\] |
> + # escaped special characters:
> \\["\\\/bfnrt] |
> \\u[0-9a-fA-F]{4} |
> - \\[\x20-\xff])*)
> + # match all but escaped special characters:
> + \\[\x20-\x21\x23-\x2e\x30-\x5b\x5d-\x61\x63-\x65\x67-\x6d\x6f-\x71\x73\x75-\xff])*)
> "/nx
> INTEGER = /(-?0|-?[1-9]\d*)/
> FLOAT = /(-?

----- End forwarded message -----

--
_________________________
Ryan Niebur
ryanryan52@...
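Review bot: the new `Depends: libjs-prototype` in the libjson-ruby-doc stanza of debian/control should be versioned, because the doc package now ships only a symlink into /usr/share/javascript/prototype and an unversioned dependency can be satisfied on a partially upgraded system by a libjs-prototype that predates the corresponding fix; `Depends: libjs-prototype (>= FIXED-LENNY-VERSION)`, with the placeholder filled in from the libjs-prototype stable update, would pin the doc package to a copy that actually carries it.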
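Review bot: the first bullet of the new debian/changelog entry records the JSON::Pure::Parser backtracking fix only as "(fixed upstream in version 1.1.7)", with no Closes: and no advisory identifier, while the second bullet does close its bugs; if a Debian bug or CVE id exists for the parser issue, reference it in the entry so the BTS and the security tracker can tie this stable update to the issue.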
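Review bot: two points on the new `binary-install/libjson-ruby-doc::` target in debian/rules. The `rm` of examples/prototype.js has no `-f`, so the build fails outright if upstream ever stops shipping that file; `rm -f` keeps the target idempotent. And the purpose of the trailing `dh_link -plibjson-ruby-doc` is not visible from the hunk: there is no .links file for it to process, and it is needed only because dh_link also rewrites the absolute symlink created by `ln -s /usr/share/javascript/prototype/prototype.js ...` into the relative form policy requires. Either create the link relative in the first place or add a one-line comment saying why dh_link is called, so a reviewer does not read it as a leftover.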
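Review bot: the new byte class in the last alternative of STRING in lib/json/pure/parser.rb leaves out \x22, \x2f, \x5c, \x62, \x66, \x6e, \x72 and \x74, exactly the characters of `\\["\\\/bfnrt]`, which removes the overlap between the catch-all and the special-escape alternative that let every escape match two ways; but its final range still starts at \x75 ('u'), so a `\uXXXX` escape can be consumed either by `\\u[0-9a-fA-F]{4}` or by the catch-all followed by four ordinary characters. Excluding \x75 as well, with an explicit rule for a `\u` not followed by four hex digits, would give every escape exactly one parse. The hunk also adds no test; a regression test that runs the pattern, under a time limit, over the inputs that previously triggered the backtracking would guard against this class of bug returning.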
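Worked example, added here and not part of the bug report or of the libjson-ruby package: it lifts the patched STRING pattern from the debdiff into a stand-alone Ruby snippet, computes which escape bytes the special-escape alternative and the old versus the new catch-all class both accept (the two-way matches behind the catastrophic backtracking the changelog describes), and tokenizes a few constructed JSON strings with the patched pattern. The helper names (escape_bytes, ambiguous_escape_bytes, scan_json_string) and the UNESCAPE table are assumptions of this example, not the library's API.

```ruby
require 'strscan'

# Patched STRING token pattern from the debdiff (upstream json 1.1.7).
# Its last alternative's byte class deliberately omits every byte that the
# \\["\\\/bfnrt] alternative already accepts, so a backslash escape can be
# consumed by only one alternative and the engine has nothing to backtrack over.
STRING = /" ((?:[^\x0-\x1f"\\] |
              \\["\\\/bfnrt] |
              \\u[0-9a-fA-F]{4} |
              \\[\x20-\x21\x23-\x2e\x30-\x5b\x5d-\x61\x63-\x65\x67-\x6d\x6f-\x71\x73\x75-\xff])*)
         "/nx

# The special-escape alternative and the catch-all class before (1.1.2) and
# after the patch, each anchored so a single "\X" pair can be tested alone.
SPECIAL_ESCAPE = /\A\\["\\\/bfnrt]\z/n
OLD_CATCHALL   = /\A\\[\x20-\xff]\z/n
NEW_CATCHALL   = /\A\\[\x20-\x21\x23-\x2e\x30-\x5b\x5d-\x61\x63-\x65\x67-\x6d\x6f-\x71\x73\x75-\xff]\z/n

# Bytes X for which the escape "\X" is accepted by the given alternative.
def escape_bytes(alt)
  (0..255).select { |b| alt.match?("\\".b + b.chr) }
end

# Bytes whose escape both the special-escape alternative and the catch-all
# accept: with the old class that is every special escape, i.e. two parses
# per escape and exponential backtracking when the tail fails to match.
def ambiguous_escape_bytes(catchall)
  escape_bytes(SPECIAL_ESCAPE) & escape_bytes(catchall)
end

UNESCAPE = { 'b' => "\b", 'f' => "\f", 'n' => "\n", 'r' => "\r", 't' => "\t",
             '"' => '"', '\\' => '\\', '/' => '/' }

# Tokenize one JSON string with the patched pattern and decode its escapes.
# Returns nil when the input is not a complete string token (no closing quote,
# raw control character, backslash before a byte the pattern rejects).
def scan_json_string(src)
  ss = StringScanner.new(src.b)
  return nil unless ss.scan(STRING)
  ss[1].gsub(/\\u([0-9a-fA-F]{4})|\\(.)/mn) do
    if $1
      [$1.hex].pack('U').b      # \uXXXX -> UTF-8 bytes of that code point
    else
      UNESCAPE.fetch($2, $2)    # any other "\X" keeps X, as the pattern allows
    end
  end.force_encoding('UTF-8')
end
```

ambiguous_escape_bytes(OLD_CATCHALL) returns the eight special-escape bytes, while ambiguous_escape_bytes(NEW_CATCHALL) is empty; scan_json_string returns nil for an unterminated string instead of backtracking through every split of its escapes.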
Bug#555516: s-p-u: libjson-ruby security issues

On Mon, 2009-11-09 at 21:11 -0800, Ryan Niebur wrote:
> > Two security issues. Here's the changelog entry:
> >
> > libjson-ruby (1.1.2-1+lenny1) stable-proposed-updates; urgency=low
> >
> >   * Security Fix for JSON::Pure::Parser. A specially designed string
> >     could cause catastrophic backtracking in one of the parser's regular
> >     expressions. (fixed upstream in version 1.1.7)
> >   * Use the version of prototype.js from libjs-prototype. The included
> >     version had a security issue. (Closes: #555224, #555223)

Apologies for not getting back to you sooner.

We've been discussing how to handle the prototype updates and will most likely approve this update but would like to confirm a couple of things first:

a) that the current embedded copy of prototype is an unmodified version from prototype upstream and

b) the package has been tested to ensure it operates correctly with the new version of prototype on the relevant Debian release.

I have one small query specific to this update:

> > +binary-install/libjson-ruby-doc::
> > + rm $(BASEDIR)/libjson-ruby-doc/usr/share/doc/libjson-ruby-doc/examples/prototype.js
> > + ln -s /usr/share/javascript/prototype/prototype.js $(BASEDIR)/libjson-ruby-doc/usr/share/doc/libjson-ruby-doc/examples/prototype.js
> > + dh_link -plibjson-ruby-doc

There doesn't appear to be a debian/libjson-ruby-doc.links (or indeed debian/*.links) so the dh_link call appears to be redundant.

Regards,

Adam

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@... with a subject of "unsubscribe". Trouble? Contact listmaster@...
Bug#555516: s-p-u: libjson-ruby security issues

Hi!

On Sun, Nov 15, 2009 at 08:38:04PM +0000, Adam D. Barratt wrote:
> On Mon, 2009-11-09 at 21:11 -0800, Ryan Niebur wrote:
> > > Two security issues. Here's the changelog entry:
> > >
> > > libjson-ruby (1.1.2-1+lenny1) stable-proposed-updates; urgency=low
> > >
> > >   * Security Fix for JSON::Pure::Parser. A specially designed string
> > >     could cause catastrophic backtracking in one of the parser's regular
> > >     expressions. (fixed upstream in version 1.1.7)
> > >   * Use the version of prototype.js from libjs-prototype. The included
> > >     version had a security issue. (Closes: #555224, #555223)
>
> Apologies for not getting back to you sooner.
>
> We've been discussing how to handle the prototype updates and will most
> likely approve this update but would like to confirm a couple of things
> first:
>
> a) that the current embedded copy of prototype is an unmodified version
> from prototype upstream and
>

yep.

> b) the package has been tested to ensure it operates correctly with the
> new version of prototype on the relevant Debian release.
>

okay.

> I have one small query specific to this update:
>
> > > +binary-install/libjson-ruby-doc::
> > > + rm $(BASEDIR)/libjson-ruby-doc/usr/share/doc/libjson-ruby-doc/examples/prototype.js
> > > + ln -s /usr/share/javascript/prototype/prototype.js $(BASEDIR)/libjson-ruby-doc/usr/share/doc/libjson-ruby-doc/examples/prototype.js
> > > + dh_link -plibjson-ruby-doc
>
> There doesn't appear to be a debian/libjson-ruby-doc.links (or indeed
> debian/*.links) so the dh_link call appears to be redundant.
>

symlinks to comply with policy.

should I upload this?

Cheers,
Ryan

--
_________________________
Ryan Niebur
ryanryan52@...
Bug#555516: s-p-u: libjson-ruby security issues

Ryan Niebur wrote, Wed, 25 Nov 2009 22:50:57 -0800:
> On Sun, Nov 15, 2009 at 08:38:04PM +0000, Adam D. Barratt wrote:
> > b) the package has been tested to ensure it operates correctly with the
> > new version of prototype on the relevant Debian release.
> >
> okay.
[...]
> should I upload this?

Assuming that "okay" meant "I've tested it and verified that it works on Lenny" then please go ahead.

Regards,

Adam