Security Fix json-1.1.7 for json_pure and json gems

Synopsis

Security Fix Release json-1.1.7 for json_pure and json gems.

Description

The JSON::Pure::Parser contains a vulnerability that may lead to
catastrophic backtracking in one of its regular expressions. This
vulnerability doesn't affect the JSON::Ext::Parser or Rails'
ActiveSupport::JSON. Ruby 1.9.1 (but not Ruby 1.9 trunk) ships the
vulnerable json/pure code as well, so if you want to use the pure
parser there you should update to a newer Ruby or install the json gem
version 1.1.7 instead.
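The following Ruby snippet is an added illustration of the bug class named above, not code from json_pure or from this advisory: it pairs a deliberately ambiguous, hypothetical JSON-string matcher (the two branches `[^"\\]` and `[^"]` overlap, so an unterminated string can be split between them in exponentially many ways before the match fails) with an unambiguous one, and wraps matching in a wall-clock budget so a pathological input fails closed rather than pinning a CPU. The patterns, the `json_string?` and `match_with_budget` helpers and the sample inputs are all constructed here; the exact regular expression that was fixed in 1.1.7 is not shown on this page.

```ruby
require 'timeout'

# Hypothetical pattern, constructed for illustration (NOT the one that was in
# json_pure 1.1.x). The alternatives `[^"\\]` and `[^"]` both accept ordinary
# characters, so on input that can never match (e.g. a missing closing quote)
# a backtracking engine retries every way of assigning characters to branches:
# roughly 2^n attempts for n characters.
AMBIGUOUS_STRING = /\A"(?:[^"\\]|\\.|[^"])*"\z/

# Unambiguous pattern: every input character is consumed by exactly one
# branch (a plain character, a short escape, or a \uXXXX escape), so a
# failing match is abandoned after a single linear pass.
STRICT_STRING = /\A"(?:[^"\\]|\\["\\\/bfnrt]|\\u[0-9a-fA-F]{4})*"\z/

# True when +input+ is a complete JSON string token under +pattern+.
def json_string?(input, pattern: STRICT_STRING)
  pattern.match?(input)
end

# Run a match under a time budget. Ruby's regex engine checks for thread
# interrupts while matching, so Timeout can abort a runaway backtrack;
# the caller gets :timeout instead of a hung process. (On Ruby >= 3.2
# Regexp.timeout= provides an engine-level limit as well, and its match
# memoisation already makes many such patterns linear.)
def match_with_budget(pattern, input, seconds: 1.0)
  Timeout.timeout(seconds) { pattern.match?(input) }
rescue Timeout::Error
  :timeout
end

# Constructed sample inputs. Note the single quotes: '"a\\nb"' is the four
# bytes  " a \ n b "  with a literal backslash, i.e. a JSON escape sequence.
SAMPLES = {
  '"abc"'       => [true,  true],   # plain string: both accept
  '"a\\nb"'     => [true,  true],   # valid escape: both accept
  '"\\x"'       => [true,  false],  # invalid escape: only the strict one rejects
  'abc'         => [false, false],  # no quotes at all
  '"unterminat' => [false, false],  # unterminated: both reject (slowly, for the first)
}

# Evaluate every sample against both patterns; returns true when all results
# match the expectations in SAMPLES.
def samples_behave_as_expected?
  SAMPLES.all? do |input, (ambiguous, strict)|
    json_string?(input, pattern: AMBIGUOUS_STRING) == ambiguous &&
      json_string?(input, pattern: STRICT_STRING) == strict
  end
end

if __FILE__ == $PROGRAM_NAME
  hostile = '"' + ('a' * 40)            # 40 characters, no closing quote
  puts "strict:    #{match_with_budget(STRICT_STRING, hostile, seconds: 2).inspect}"
  puts "ambiguous: #{match_with_budget(AMBIGUOUS_STRING, hostile, seconds: 2).inspect}"
end
```

When run on a Ruby whose engine still backtracks naively, the ambiguous pattern returns `:timeout` on the 41-byte hostile input while the strict pattern returns `false` immediately; the practical lesson for a parser is the same either way: keep alternatives disjoint, or put an execution budget around any regex that touches untrusted input.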

Impact

An attacker can cause a denial of service by passing a specially
designed string to the JSON::Pure::Parser#parse method: the affected
regular expression backtracks catastrophically on such input and the
parsing thread keeps the CPU busy instead of returning.

Affected versions

  • versions 1.1.0-1.1.6 of the JSON::Pure::Parser

Credit

Thanks to Bartosz Blimke for reporting this bug.

Changes

2009-06-29 (1.1.7)

  • Security Fix for JSON::Pure::Parser. A specially designed string
    could cause catastrophic backtracking in one of the parser's
    regular expressions in earlier 1.1.x versions. JSON::Ext::Parser
    isn't affected by this issue. Thanks to Bartosz Blimke for
    reporting this problem.
  • This release also uses a less strict ruby version requirement for
    the creation of the mswin32 native gem.

Download

Version 1.1.7 of json and json_pure on
http://rubyforge.org/frs/?group_id=953