Comment 3 for bug 1990572

Mark Esler (eslerm) wrote :

I reviewed ruby-json 2.5.1+dfsg-2build1 as checked into kinetic. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

> This is an implementation of the JSON specification according to RFC 7159 http://www.ietf.org/rfc/rfc7159.txt .

- CVE History:
  - CVE-2013-0269 and CVE-2020-10663
  - open memory bugs in github issue tracker
  - project does not have a security policy
  - downstream projects should use JSON.parse for untrusted input instead of JSON.load
    - see CVE-2022-32511
- Build Depends?
  - lunar main
    - debhelper-compat (debhelper)
    - ruby (ruby-defaults)
  - lunar universe
    - gem2deb
    - ruby-test-unit
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - runs build tests from upstream
  - all autopkgtests pass
- cron jobs?
  - none
- Build logs:
  - looks good

- Processes spawned?
  - none
  - files in tests not security relevant
    - tests/envutil.rb contains system(sudo x)
- Memory management?
  - looks okay
- File IO?
  - none
  - only examples
  - see logging for STDOUT
- Logging?
  - tools and tests logging ignored for security MIR
  - contains calls to dump json to STDOUT
- Environment variable usage?
  - use in Gemfile and Rakefile okay
  - all other uses are in tests
- Use of privileged functions?
  - only in tests
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - no
  - tools/server.rb is used for testing and demonstrating receiving JSON with a webrick server
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - uninitialized variable in ext/json/ext/fbuffer/fbuffer.h
- Any significant Coverity results?
  - nothing significant
- Any significant shellcheck results?
  - minor issues in ./debian/repack.sh and ./tools/diff.sh not relevant to security MIR
- Any significant bandit results?
  - none
- Any significant rubocop results?
  - most are ./tests/ related
  - JSON.load in this case is safe

./tools/fuzz.rb is a nice security add. Developers seem security conscious.

With Debian bug 890046, jruby support was deprecated. Code from ./java/ is no longer used in this package. Ideally this folder should be removed before inclusion in main. The safety of this ./java/ code was not reviewed for security and is not included in this MIR.

Security team ACK for promoting ruby-json to main.
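The JSON.parse versus JSON.load point in the review above, shown as an added Ruby example. This is not code from the review or from the ruby-json project; the ShellCommand class and the input document are constructed here for illustration, and the option is passed explicitly so the result does not depend on which json gem release is installed.

```ruby
require 'json'

# Constructed for this example: a class with a json_create hook. The json gem
# treats any class that responds to json_create as "json creatable" and, when
# create_additions is enabled, instantiates it for every JSON object carrying a
# "json_class" key that names it. The call site never mentions the class; the
# input picks it.
class ShellCommand
  attr_reader :argv

  def initialize(argv)
    @argv = argv
  end

  # Invoked by the parser, not by application code, when create_additions is on.
  def self.json_create(hash)
    new(hash['argv'])
  end
end

# Constructed attacker-controlled document: plain JSON, but it names a class.
UNTRUSTED_INPUT = '{"json_class":"ShellCommand","argv":["rm","-rf","/tmp/x"]}'

# Safe for untrusted input: JSON.parse defaults to create_additions: false,
# so "json_class" is just another string key in the returned Hash.
def parse_untrusted(src)
  JSON.parse(src)
end

# Not safe for untrusted input: JSON.load defaults create_additions to true
# (set explicitly here so the behaviour is the same across gem versions).
# The same document now comes back as a live ShellCommand instance.
def load_untrusted(src)
  JSON.load(src, nil, create_additions: true)
end

# The hazard is the option, not the method name: JSON.parse with
# create_additions: true instantiates classes exactly like JSON.load does.
def parse_with_additions(src)
  JSON.parse(src, create_additions: true)
end

# Returns the class each entry point hands back for the same input, so the
# difference is visible at a glance.
def compare(src)
  {
    parse: parse_untrusted(src).class.name,
    load: load_untrusted(src).class.name,
    parse_with_additions: parse_with_additions(src).class.name,
  }
end

if __FILE__ == $0
  # Prints Hash for JSON.parse and ShellCommand for the other two entry points.
  p compare(UNTRUSTED_INPUT)
end
```

In the 2.5.1 release reviewed here, JSON.load_default_options sets create_additions: true and max_nesting: false, so a handler that feeds request bodies straight into JSON.load lets the client choose which json-creatable class gets constructed (anything that defines json_create, including the core extensions pulled in by require 'json/add/core'). JSON.parse, or any parse call with create_additions left at false, is the entry point to use for data you did not produce yourself.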