Bug 245023 - devel/rubygem-json: Update to 2.3.0 (CVE-2020-10663)
Summary: devel/rubygem-json: Update to 2.3.0 (CVE-2020-10663)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: freebsd-ruby (Nobody)
URL: https://www.ruby-lang.org/en/news/202...
Keywords: needs-patch, needs-qa, security
Depends on:
Blocks:
 
Reported: 2020-03-24 01:54 UTC by Koichiro Iwao
Modified: 2020-04-03 02:56 UTC (History)
2 users (show)

See Also:
bugzilla: maintainer-feedback? (ruby)
koobs: merge-quarterly?


Attachments
patch (788 bytes, text/plain)
2020-03-24 01:54 UTC, Koichiro Iwao
no flags Details
vuxml-patch (2.23 KB, patch)
2020-03-25 00:29 UTC, Koichiro Iwao
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Koichiro Iwao freebsd_committer 2020-03-24 01:54:17 UTC
Created attachment 212665 [details]
patch

See also: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

Not tested ports depends on rubygem-json works properly after update.
Comment 1 Koichiro Iwao freebsd_committer 2020-03-24 01:58:19 UTC
I'll try to test it later but any helps appreciated.
Also I think vuxml needs to be updated but I've never done that before.
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2020-03-24 03:27:37 UTC
(In reply to Koichiro Iwao from comment #1)

Steps to create vuxml entry:

1) cd to security/vuxml in ports development tree
2) make install clean (installs vuxml validation tools)
3) make newentry
4) edit new entry that was created in vuxml.xml by (3)
5) Run `make validate` to validate the entry
6) svn diff in security/vuxml to create patch
Comment 3 Koichiro Iwao freebsd_committer 2020-03-25 00:29:00 UTC
Created attachment 212683 [details]
vuxml-patch
Comment 4 Koichiro Iwao freebsd_committer 2020-03-25 01:10:02 UTC
With quick lookup, following ports are effected. Performing build tests on this.

% pkg rquery %ro rubygem-json
security/metasploit
net/foreman-proxy
www/rubygem-tumblr_client
net/rubygem-twitter4r
security/rubygem-twitter_oauth
graphics/rubygem-emoji
devel/rubygem-fog
net/rubygem-fog-gridscale
devel/rubygem-gem-compare
graphics/rubygem-gemojione
graphics/rubygem-gemojione32
devel/rubygem-gems
devel/rubygem-jenkins_api_client
devel/rubygem-kafo_parsers
www/rubygem-nicovideo
devel/rubygem-oci
net/rubygem-opennebula
net/rubygem-ovirt-engine-sdk
net-mgmt/rubygem-oxidized-web
www/rubygem-pagerduty
converters/rubygem-po_to_json
www/rubygem-pusher-client
devel/rubygem-apipie-bindings
net/rubygem-rbvmomi
devel/rubygem-recaptcha
net-mgmt/rubygem-riemann-tools
sysutils/rubygem-backup
devel/rubygem-rubytree
net/rubygem-rubytter
comms/rubygem-callsign
devel/rubygem-cloudfiles
irc/rubygem-cogbot
devel/rubygem-simplecov
net/rubygem-dropbox-sdk
Comment 5 Koichiro Iwao freebsd_committer 2020-03-25 05:20:09 UTC
Except for irc/rubygem-cogbot, it looks fine. Regarding that port, I submitted patch at bug 245044.

====> Compressing man pages (compress-man)
===========================================================================
====> Running Q/A tests (stage-qa)
Error: RubyGem dependency json ~> 2.1.0 is not satisfied.
*** Error code 1

Stop.
make: stopped in /usr/ports/irc/rubygem-cogbot
=>> Error: stage-qa failures detected
build of irc/rubygem-cogbot | rubygem-cogbot-0.1.13_5 ended at Wed Mar 25 11:25:31 JST 2020
build time: 00:00:33
!!! build failure encountered !!!
[00:01:40] Error: Build failed in phase: stage-qa
[00:01:40] Cleaning up
[00:01:40] Unmounting file systems
Comment 6 commit-hook freebsd_committer 2020-03-26 04:41:04 UTC
A commit references this bug:

Author: meta
Date: Thu Mar 26 04:40:23 UTC 2020
New revision: 529161
URL: https://svnweb.freebsd.org/changeset/ports/529161

Log:
  security/vuxml: Document CVE-2020-10663 (devel/rubygem-json)

  PR:		245023

Changes:
  head/security/vuxml/vuln.xml
Comment 7 commit-hook freebsd_committer 2020-03-26 04:59:08 UTC
A commit references this bug:

Author: meta
Date: Thu Mar 26 04:58:13 UTC 2020
New revision: 529164
URL: https://svnweb.freebsd.org/changeset/ports/529164

Log:
  devel/rubygem-json: Update to 2.3.0

  This update includes fixes for CVE-2020-10663 [1].

  [1] https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

  PR:		245023
  MFH:		2020Q1
  Security:	40194e1c-6d89-11ea-8082-80ee73419af3

Changes:
  head/devel/rubygem-json/Makefile
  head/devel/rubygem-json/distinfo
Comment 8 Koichiro Iwao freebsd_committer 2020-04-03 02:56:04 UTC
New quarterly branch has been branched so the fix is applied to quarterly.