Bugzilla – Bug 1066565
VUL-1: CVE-2017-16516: rubygem-yajl-ruby: Crafted JSON file allows to crash ruby process with a SIGABRT in the yajl_string_decode function in yajl_encode.c
Last modified: 2018-03-23 12:31:00 UTC
Created attachment 747168
/usr/bin/ruby poc.rb bar
In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to
Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the
yajl_string_decode function in yajl_encode.c. This results in the whole ruby
process terminating and potentially a denial of service.
42.3/Factory have this and the PoC triggers. SLE 12 GA is probably also affected.
Rick: I guess you're better than me for the gems :-) Feel free to reassign, though.
The issue is fixed in 1.3.1, I will make sure to update it everywhere.
SUSE-RU-2017:3408-1: An update that fixes one vulnerability is now available.
Category: recommended (moderate)
Bug References: 1066565
CVE References: CVE-2017-1651
SUSE OpenStack Cloud 7 (src): rubygem-yajl-ruby-1.3.1-4.3.2
SUSE OpenStack Cloud 6 (src): rubygem-yajl-ruby-1.3.1-4.3.2
SUSE Enterprise Storage 4 (src): rubygem-yajl-ruby-1.3.1-4.3.2
SUSE Enterprise Storage 3 (src): rubygem-yajl-ruby-1.3.1-4.3.2
@Johannes: Can we close this bug?
(In reply to Rick Salevsky from comment #5)
Yes, can be closed. In general you can assign security issues that are done from your POV to security-team and we take it from here.