I reviewed ruby-json 2.5.1+dfsg-2build1 as checked into kinetic. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

> This is an implementation of the JSON specification according to RFC 7159 http://www.ietf.org/rfc/rfc7159.txt .
- CVE History:
  - CVE-2013-0269 and CVE-2020-10663
  - open memory bugs in the GitHub issue tracker
  - project does not have a security policy
  - downstream projects should use JSON.parse for untrusted input instead of JSON.load
    - see CVE-2022-32511
- Build Depends?
  - lunar main
    - debhelper-compat (debhelper)
    - ruby (ruby-defaults)
  - lunar universe
    - gem2deb
    - ruby-test-unit
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - the upstream test suite is run at build time
  - all autopkgtests pass
- cron jobs?
  - none
- Build logs:
  - looks good
- Processes spawned?
  - none
    - files in tests are not security relevant
    - tests/envutil.rb contains system(sudo x)
- Memory management?
  - looks okay
- File IO?
  - none
    - only examples
    - see Logging for STDOUT
- Logging?
  - logging in tools and tests is ignored for the security MIR
  - contains calls to dump JSON to STDOUT
- Environment variable usage?
  - use in Gemfile and Rakefile is okay
  - all other uses are in tests
- Use of privileged functions?
  - only in tests
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - no
    - tools/server.rb is used for testing and demonstrating receiving JSON with a webrick server
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none
- Any significant cppcheck results?
  - uninitialized variable in ext/json/ext/fbuffer/fbuffer.h
- Any significant Coverity results?
  - nothing significant
- Any significant shellcheck results?
  - minor issues in ./debian/repack.sh and ./tools/diff.sh, not relevant to the security MIR
- Any significant bandit results?
  - none
- Any significant rubocop results?
  - most are ./tests/ related
    - the JSON.load usage flagged by rubocop is safe in this case
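The JSON.parse versus JSON.load point raised under CVE History is worth seeing in code, because the difference is invisible on ordinary input. The following is an added example written for this review; it is not code from ruby-json and the AuditDemo class and the UNTRUSTED document are constructed for the demonstration. With create_additions enabled, JSON.load resolves the constant named by a "json_class" key and hands the whole object to that class's json_create hook, so any loaded class with such a hook becomes reachable from attacker-controlled input. JSON.parse leaves the key as plain data.

```ruby
require 'json'

# Constructed class for the demonstration (not part of ruby-json).
# Any class that responds to json_create is instantiable by the parser
# from a "json_class" key once create_additions is enabled.
class AuditDemo
  attr_reader :payload

  def initialize(payload)
    @payload = payload
  end

  # The parser calls this with the decoded object. Here it only stores a
  # field; a real class could run arbitrary code in this hook.
  def self.json_create(obj)
    new(obj['payload'])
  end
end

# Constructed input standing in for an untrusted document: the
# "json_class" key is only meaningful when additions are enabled.
UNTRUSTED = '{"json_class":"AuditDemo","payload":"id"}'.freeze

# Safe: JSON.parse ignores json_class and returns a plain Hash.
def parse_untrusted(str)
  JSON.parse(str)
end

# Unsafe pattern: JSON.load with create_additions enabled looks up the
# named constant and calls its json_create hook. The option is passed
# explicitly so the behaviour does not depend on the gem's defaults.
def load_with_additions(str)
  JSON.load(str, nil, { create_additions: true })
end

# JSON.load can be neutered by disabling additions explicitly, but
# JSON.parse is the simpler choice for untrusted input.
def load_without_additions(str)
  JSON.load(str, nil, { create_additions: false })
end

if __FILE__ == $PROGRAM_NAME
  p parse_untrusted(UNTRUSTED).class        # Hash
  p load_with_additions(UNTRUSTED).class    # AuditDemo
  p load_without_additions(UNTRUSTED).class # Hash
end
```

Running the file prints Hash, AuditDemo, Hash: the same bytes are inert under JSON.parse and instantiate a class under JSON.load with additions. That is the mechanism behind the CVE-2022-32511 advice above, and it is why a rubocop Security/JSONLoad hit only matters when the input is not under the program's control.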
./tools/fuzz.rb is a nice security addition. Developers seem security conscious.
With Debian bug 890046, jruby support was deprecated. Code from ./java/ is no longer used in this package. Ideally this directory should be removed before inclusion in main. The ./java/ code was not reviewed for security and is not covered by this MIR.
Security team ACK for promoting ruby-json to main.