rails: CVE-2013-0333: Vulnerability in JSON Parser

Bug #1119256 reported by Stefan Sänger
Affects                           Status        Importance  Assigned to  Milestone
ruby-activesupport-2.3 (Ubuntu)   Fix Released  Undecided   Unassigned
  Oneiric                         Fix Released  High        Unassigned
  Precise                         Fix Released  High        Unassigned
  Quantal                         Fix Released  High        Unassigned
  Raring                          Fix Released  Undecided   Unassigned

Bug Description

The CVE mentioned in the summary caused quite some media attention in Germany. According to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699249#19 this problem is solved in Debian upstream, but there has been no security update for precise so far.

This is quite strange - is there nobody maintaining ruby-activesupport for precise (LTS!) anymore?

I only saw a later package for raring so far, but I did not check if the required patch is incorporated there.

Tags: patch
information type: Private Security → Public Security
Marc Deslauriers (mdeslaur) wrote:

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in ruby-activesupport-2.3 (Ubuntu):
status: New → Incomplete
Stefan Sänger (stefan-saenger) wrote:

Hi Marc,

I just had a closer look. The only difference that has been done by Debian developer team is to add CVE-2013-0333.patch - very similar to what you have done for CVE-2013-0156. So, I just added the patch from debian package here.

Ubuntu Foundations Team Bug Bot (crichton) wrote:

The attachment "CVE-2013-0333.patch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Stefan Sänger (stefan-saenger) wrote:

Hi all,

I am not sure why there is so little progress here. The patch I attached is the one mentioned in the Debian bug tracker, and I provided the link in my initial report. Also, I tried to build a new package containing the patch for myself, which was rather easy, since I only had to adjust changelog and control and put the patch in the right location. After that, dpkg-buildpackage worked really well.

So I wonder if I can do anything else to get that patch into the official Ubuntu repositories?
It was two weeks ago that this news item caught my attention: http://www.h-online.com/security/news/item/Rails-developers-close-another-extremely-critical-flaw-1793511.html
I just checked the Ubuntu status and discovered that there is no updated package. Well, I decided to give it some time; since the patch was already available for Debian, I figured it would only need some time to be available in Ubuntu as well. After waiting some days I checked again, and there is no update. So I tried to hit Launchpad, but up to now I am getting the impression that it is not leading anywhere. So, in the end, my question is: what can I do to help here?

Seth Arnold (seth-arnold) wrote:

> what can I do to help here?

Thanks Stefan; the most useful next step would be preparing a debdiff for this issue. Some further information can be found at https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging

Thanks

Stefan Sänger (stefan-saenger) wrote:

Hi guys, here is the debdiff I created. In addition, I really just added the patch to debian/patches and updated series and changelog accordingly.

Stefan Sänger (stefan-saenger) wrote:

And finally, here is the package I created. Is it the common way to just add these updates here in Launchpad?

Jamie Strandboge (jdstrand) wrote:

Subscribing ubuntu-security-sponsors as per https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Submission

Changed in ruby-activesupport-2.3 (Ubuntu):
status: Incomplete → Triaged
Jamie Strandboge (jdstrand) wrote:

Stefan, thanks for attending to this bug. Your debdiff is incomplete however because it patches debian/changelog. As for the binary package, we don't submit those in Launchpad but instead submit patches to source packages in the form of debdiffs. These are then reviewed and applied to source packages, then uploaded to be built, tested and eventually published to Ubuntu users.

Since this is an important update and in the interest of time, I am going to incorporate the initial patch you submitted (the one from Debian) to 11.10 - 12.10 (this is already fixed in 13.04).

If you are interested in contributing to Ubuntu in this manner in the future, I suggest you read https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging. Thanks again :)

Changed in ruby-activesupport-2.3 (Ubuntu Oneiric):
status: New → In Progress
importance: Undecided → High
Changed in ruby-activesupport-2.3 (Ubuntu Precise):
status: New → In Progress
importance: Undecided → High
Changed in ruby-activesupport-2.3 (Ubuntu Quantal):
status: New → In Progress
importance: Undecided → High
Changed in ruby-activesupport-2.3 (Ubuntu Raring):
status: Triaged → Fix Released
Changed in ruby-activesupport-2.3 (Ubuntu Oneiric):
status: In Progress → Fix Committed
Changed in ruby-activesupport-2.3 (Ubuntu Precise):
status: In Progress → Fix Committed
Changed in ruby-activesupport-2.3 (Ubuntu Quantal):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package ruby-activesupport-2.3 - 2.3.14-2ubuntu0.12.04.2

---------------
ruby-activesupport-2.3 (2.3.14-2ubuntu0.12.04.2) precise-security; urgency=low

  * SECURITY UPDATE: Add an OkJson backend and remove the YAML backend to
    resolve improper conversion of JSON to YAML (LP: #1119256)
    - debian/patches/CVE-2013-0333.patch: added patch from Debian 2.3.14-6
    - CVE-2013-0333
 -- Jamie Strandboge <email address hidden> Wed, 13 Feb 2013 10:47:34 -0600

Changed in ruby-activesupport-2.3 (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package ruby-activesupport-2.3 - 2.3.14-4ubuntu0.2

---------------
ruby-activesupport-2.3 (2.3.14-4ubuntu0.2) quantal-security; urgency=low

  * SECURITY UPDATE: Add an OkJson backend and remove the YAML backend to
    resolve improper conversion of JSON to YAML (LP: #1119256)
    - debian/patches/CVE-2013-0333.patch: added patch from Debian 2.3.14-6
    - CVE-2013-0333
 -- Jamie Strandboge <email address hidden> Wed, 13 Feb 2013 10:41:04 -0600

Changed in ruby-activesupport-2.3 (Ubuntu Quantal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package ruby-activesupport-2.3 - 2.3.14-2ubuntu0.11.10.2

---------------
ruby-activesupport-2.3 (2.3.14-2ubuntu0.11.10.2) oneiric-security; urgency=low

  * SECURITY UPDATE: Add an OkJson backend and remove the YAML backend to
    resolve improper conversion of JSON to YAML (LP: #1119256)
    - debian/patches/CVE-2013-0333.patch: added patch from Debian 2.3.14-6
    - CVE-2013-0333
 -- Jamie Strandboge <email address hidden> Wed, 13 Feb 2013 10:48:42 -0600

Changed in ruby-activesupport-2.3 (Ubuntu Oneiric):
status: Fix Committed → Fix Released
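The three changelog entries above all describe the same fix: the ActiveSupport "YAML" JSON backend, which turned JSON text into YAML and fed it to YAML.load (so YAML type tags in a request body were honoured), is removed and replaced by the OkJson backend, a real JSON parser. The script below is an added illustration of the defensive property that fix restores, not code from the bug report, the Debian patch or the ruby-activesupport package: a body parsed with a genuine JSON parser can only ever contain JSON-native types, and anything that is not JSON syntax is rejected outright. The two sample bodies, the size limit and the helper names are constructed for this example.

```ruby
require 'json'

# Constructed sample request bodies (not taken from the bug report).
BENIGN_BODY = '{"user":{"name":"alice","roles":["admin"],"age":30}}'
# A YAML type tag inside a body that is sent as JSON (constructed).
# A YAML-based "JSON" backend would honour the tag; a real JSON parser
# must treat it as a syntax error.
TAGGED_BODY = '{"user": !ruby/object:SomeClass {"name": "alice"}}'

# The only types a JSON document can legitimately decode to.
JSON_NATIVE = [Hash, Array, String, Integer, Float,
               TrueClass, FalseClass, NilClass].freeze

# Walk a parsed document and confirm it contains only JSON-native types
# with string keys. This is the invariant the OkJson backend gives you
# and the YAML backend did not: no arbitrary Ruby objects.
def json_native?(value)
  case value
  when Hash
    value.all? { |k, v| k.is_a?(String) && json_native?(v) }
  when Array
    value.all? { |v| json_native?(v) }
  else
    JSON_NATIVE.any? { |klass| value.is_a?(klass) }
  end
end

# Parse an untrusted body with the stdlib JSON parser (never via YAML),
# bound its size and nesting depth, and re-check the result's types as
# defence in depth. max_bytes is an assumed limit for this example.
def parse_untrusted_json(body, max_bytes: 1024 * 1024)
  raise ArgumentError, 'body too large' if body.bytesize > max_bytes
  doc = JSON.parse(body, max_nesting: 32, create_additions: false)
  raise ArgumentError, 'non-JSON type in parsed document' unless json_native?(doc)
  doc
end

# Classify a body the way a request filter would: :ok or :rejected.
def classify_body(body)
  parse_untrusted_json(body)
  :ok
rescue JSON::ParserError, ArgumentError
  :rejected
end

if __FILE__ == $0
  puts "benign body: #{classify_body(BENIGN_BODY)}"   # :ok
  puts "tagged body: #{classify_body(TAGGED_BODY)}"   # :rejected
end
```

The point of the second check, json_native?, is that it is independent of which parser produced the document: if an application is still configured with a backend that can yield Ruby objects, the walk fails and the request is dropped rather than handed to application code.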