From: Tobias Frost
Newsgroups: linux.debian.security
Subject: Re: CVE-2023-33460, ruby-yajl affected?
Date: Wed, 05 Jul 2023 18:20:01 +0200
Organization: linux.* mail to news gateway
List-Archive: https://lists.debian.org/msgid-search/ZKWSxtlwhX5kpx+B@isildor.loewenhoehle.ip
X-Original-Cc: debian-security@lists.debian.org, Debian LTS, Anton Gladky
X-Original-Date: Wed, 5 Jul 2023 17:56:54 +0200
X-Original-References: <3389473.b9s1R4cD0y@portable-bastien>

On Wed, Jul 05, 2023 at 09:06:15AM +0000, Bastien Roucariès wrote:
> On Wednesday, 5 July 2023, 04:52:48 UTC, Anton Gladky wrote:
> > Hello,
> >
> > I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
> > is affected. There is no direct dependency on yajl, where the vulnerability
> > was detected.
> ruby-yajl includes an old version of yajl, 1.01.12
>
> The vuln code was introduced by https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb in version 2.1.0 in 2010

This matches my investigation, however, a small correction: this commit is already part of version 2.0.0.

I've added a note in data/CVE/list accordingly.

--
Cheers,
tobi
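The correction in the reply above rests on a routine triage question: which release of the upstream project first contains the commit that introduced the vulnerable code, and is the copy vendored into another package older than that release? The following script is an added example, not code from the thread or from the yajl or Debian projects. It builds a small constructed git history shaped like the question (a 1.0.12 tag, then the suspect commit, then 2.0.0 and 2.1.0 tags), asks git which tags contain the commit, and compares the lowest such tag with a vendored version. Against a real clone of the lloyd/yajl repository you would pass the clone path and the commit hash quoted in the thread instead of the constructed repository; the tag names, function names and demo repository here are assumptions for illustration.

```shell
#!/bin/sh
# Added example: decide whether a vendored copy of a library predates the
# commit that introduced a vulnerability, using git's ancestry queries.
# The repository built here is a constructed stand-in, not the real yajl tree.
set -eu

# Build a throwaway history shaped like the question in the thread:
#   1.0.12  <-  suspect commit  <-  2.0.0  <-  2.1.0
# Prints the hash of the suspect commit.
build_demo_history() {
    repo=$1
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    git init -q "$repo"
    git -C "$repo" commit -q --allow-empty -m "1.x tree"
    git -C "$repo" tag 1.0.12
    git -C "$repo" commit -q --allow-empty -m "constructed stand-in for the vulnerable commit"
    suspect=$(git -C "$repo" rev-parse HEAD)
    git -C "$repo" commit -q --allow-empty -m "2.0.0 release prep"
    git -C "$repo" tag 2.0.0
    git -C "$repo" commit -q --allow-empty -m "later work"
    git -C "$repo" tag 2.1.0
    echo "$suspect"
}

# first_release_containing REPO COMMIT
# Lists every tag whose history includes COMMIT and prints the lowest one by
# version sort. This is what separates "already in 2.0.0" from "only from 2.1.0".
first_release_containing() {
    git -C "$1" tag --contains "$2" | sort -V | head -n 1
}

# vendored_copy_affected REPO COMMIT VENDORED_VERSION
# Succeeds (exit 0) when a vendored copy at VENDORED_VERSION already carries
# COMMIT, i.e. VENDORED_VERSION is not older than the first release containing it.
vendored_copy_affected() {
    first=$(first_release_containing "$1" "$2")
    [ -n "$first" ] || return 1          # commit is in no tagged release at all
    lowest=$(printf '%s\n%s\n' "$first" "$3" | sort -V | head -n 1)
    [ "$lowest" = "$first" ]
}

# Demonstration on the constructed repository.
demo_repo=$(mktemp -d)
demo_commit=$(build_demo_history "$demo_repo")
echo "first release containing the commit: $(first_release_containing "$demo_repo" "$demo_commit")"
for v in 1.0.12 2.0.0 2.1.0; do
    if vendored_copy_affected "$demo_repo" "$demo_commit" "$v"; then
        echo "vendored copy $v: carries the commit, needs review"
    else
        echo "vendored copy $v: predates the commit, not affected"
    fi
done
rm -rf "$demo_repo"
```

The comparison relies on `sort -V` (version sort) so that 1.0.12 orders before 2.0.0, which plain lexical sorting would get wrong; when a vendored copy is a snapshot rather than a tagged release, `git merge-base --is-ancestor COMMIT SNAPSHOT` on the upstream clone answers the same question directly.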