[MIR] Promote ruby-json to main as a pcs dependency

Bug #1990572 reported by Lucas Kanashiro
Affects: ruby-json (Ubuntu); Status: Invalid; Importance: Undecided; Assigned to: Unassigned; Milestone: none

Bug Description

[Availability]

The package ruby-json is already in Ubuntu universe.

The package ruby-json builds for the architectures it is designed to work on.

It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x.

Link to package [[https://launchpad.net/ubuntu/+source/ruby-json|ruby-json]]

[Rationale]

ruby-json promotion to main is needed because of the
[[https://bugs.launchpad.net/ubuntu/+source/pcs/+bug/1953341|pcs promotion]]. It is one of its runtime dependencies in universe.

Ideally, we expect that ruby-json (and pcs) will be promoted in the "L" development cycle. The idea is to promote only the ruby-json binary.

[Security]

Required links:

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=json+gem

I looked for "json gem", which brings up some unrelated CVEs but also two that are associated with this package: CVE-2020-10663 and CVE-2013-0269.

https://www.openwall.com/lists/oss-security/2013/02/11/8

In the OSS security mailing list I found only an email thread about
CVE-2013-0269 already mentioned above.

https://ubuntu.com/security/cves?package=ruby-json

And in the Ubuntu security tracker only 2 CVEs, both of medium priority, and they do not seem to affect the package in Ubuntu.

This is a ruby library which does not provide any executable, nor systemd files.

[Quality assurance - function/usage]

The package works well right after install.

[Quality assurance - maintenance]

The package is well maintained in Debian/Ubuntu and does not have too many long-term critical bugs open:

- Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-json/+bugs
- Debian: https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=ruby-json

The package does not deal with exotic hardware we cannot support.

[Quality assurance - testing]

The package runs a test suite on build time, if it fails
it makes the build fail, link to build log:

https://launchpad.net/ubuntu/+source/ruby-json/2.5.1+dfsg-2build1/+build/22585004/+files/buildlog_ubuntu-jammy-amd64.ruby-json_2.5.1+dfsg-2build1_BUILDING.txt.gz

The package runs an autopkgtest, and is currently passing on this list of
architectures: amd64, arm64, armhf, i386, ppc64el, s390x.

Link to test logs: https://autopkgtest.ubuntu.com/packages/ruby-json

The package does not have failing autopkgtests right now.

[Quality assurance - packaging]

debian/watch is present and works.

debian/control defines a correct Maintainer field.

Lintian overrides are not present. Here is the output of `lintian --pedantic` against Kinetic version:

P: ruby-json source: update-debian-copyright 2011 vs 2021 [debian/copyright:17]
P: ruby-json source: very-long-line-length-in-source-file tests/json_addition_test.rb line 130 is 949 characters long (>512)

This package does not rely on obsolete or about to be demoted packages.

The package will not be installed by default.

Packaging and build is easy, link to d/rules:

https://git.launchpad.net/ubuntu/+source/ruby-json/tree/debian/rules

[UI standards]

Application is not end-user facing (does not need translation).

[Dependencies]

No further depends or recommends dependencies that are not yet in main. This is for the ruby-json binary.

[Standards compliance]

This package correctly follows FHS and Debian Policy.

[Maintenance/Owner]

The Server team is not yet subscribed, but will subscribe to the package before promotion.

This does not use static builds.

This does not use vendored code.

This package is not rust based.

The package successfully built during the most recent test rebuild.

[Background information]

The Package description explains the package well.

Upstream Name is: json

Link to upstream project: https://github.com/flori/json

Tags: sec-1401
description: updated
Changed in ruby-json (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Review for Package: ruby-json

[Summary]
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main: ruby-json
Specific binary packages built, but NOT to be promoted to main: <none>

Note:
This was already in main in Trusty and before. So I expect no major
showstoppers now, since it has not been unmaintained since then.

Required TODOs:
- Update to 2.6.2 as the package wasn't updated in a while

[Duplication]
OK:
There is no other package in main providing the same functionality.
There seems to be enough developer debate which json lib to pick for
something like https://github.com/intridea/multi_json to exist.
But even they state that the one we review here is "The default JSON gem"
and that it is the one shipping with later ruby versions.
So I guess we are ok to promote this one over alternatives.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems:
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.
- While not concerning, there have been CVEs (just what you expect with parsers
  of any content). Of them CVE-2013-0269 was fixed long ago, but CVE-2020-10663
  isn't mentioned anywhere - I checked the fix for ruby 2.5 and that change is
  present, so it isn't an open case. But still things can happen, so it seems
  worth doing a security evaluation as well.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - a test suite failure will fail the build.
- no special HW needed for testing
- no new python2 dependency

Problems:
- does not have a non-trivial test suite that runs as autopkgtest
  While it would be nice, for the purpose of this SW I do not consider
  this critical

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- promoting this does not seem to cause issues for MOTUs that so far
 ...

Changed in ruby-json (Ubuntu):
assignee: Christian Ehrhardt  (paelzer) → Ubuntu Security Team (ubuntu-security)
tags: added: sec-1401
Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Thanks for the review Christian.

I uploaded version 2.6.2+dfsg-1 to Debian unstable and should be synced into lunar soon. Also added myself as one of the uploaders.

Revision history for this message
Mark Esler (eslerm) wrote :

I reviewed ruby-json 2.5.1+dfsg-2build1 as checked into kinetic. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

> This is a implementation of the JSON specification according to RFC 7159 http://www.ietf.org/rfc/rfc7159.txt .

- CVE History:
  - CVE-2013-0269 and CVE-2020-10663
  - open memory bugs in github issue tracker
  - project does not have a security policy
  - downstream projects should use JSON.parse for untrusted input instead of JSON.load
    - see CVE-2022-32511
- Build Depends?
  - lunar main
    - debhelper-compat (debhelper)
    - ruby (ruby-defaults)
  - lunar universe
    - gem2deb
    - ruby-test-unit
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - runs build tests from upstream
  - all autopkgtests pass
- cron jobs?
  - none
- Build logs:
  - looks good

- Processes spawned?
  - none
  - files in tests not security relevant
    - tests/envutil.rb contains system(sudo x)
- Memory management?
  - looks okay
- File IO?
  - none
  - only examples
  - see logging for STDOUT
- Logging?
  - tools and tests logging ignored for security MIR
  - contains calls to dump json to STDOUT
- Environment variable usage?
  - use in Gemfile and Rakefile okay
  - all other uses are in tests
- Use of privileged functions?
  - only in tests
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - no
  - tools/server.rb is used for testing and demonstrating receiving JSON with a webrick server
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - uninitialized variable in ext/json/ext/fbuffer/fbuffer.h
- Any significant Coverity results?
  - nothing significant
- Any significant shellcheck results?
  - minor issues in ./debian/repack.sh and ./tools/diff.sh not relevant to security MIR
- Any significant bandit results?
  - none
- Any significant rubocop results?
  - most are ./tests/ related
  - JSON.load in this case is safe

./tools/fuzz.rb is a nice security add. Developers seem security conscious.

With Debian bug 890046, jruby support was deprecated. Code from ./java/ is no longer used in this package. Ideally this folder should be removed before inclusion to main. The safety of this ./java/ code was not reviewed for security and is not included in this MIR.

Security team ACK for promoting ruby-json to main.

Changed in ruby-json (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
status: New → In Progress
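The JSON.parse versus JSON.load point in the review above, as an added example (not code from ruby-json, pcs or this MIR). The json gem's create_additions feature instantiates whatever class a "json_class" key names, via that class's json_create hook; JSON.load turns it on by default (in the 2.5.x series reviewed here), JSON.parse does not. The AuditHook class, the sample document and the load_trusting/load_untrusted helper names are constructed for this example:

```ruby
require 'json'

# Stand-in for any class reachable by name from the parser. Its json_create
# hook records that parsing drove object construction. The class itself is
# constructed for this example; the real exposure is whatever json_create
# hooks an application happens to have loaded.
class AuditHook
  @@created = 0
  attr_reader :msg

  def initialize(msg)
    @msg = msg
  end

  def self.created
    @@created
  end

  # Called by the json gem when create_additions is on and a document
  # carries {"json_class": "AuditHook", ...}.
  def self.json_create(hash)
    @@created += 1
    new(hash['msg'])
  end
end

# Constructed sample document, shaped the way input under an attacker's
# control could be; "json_class" is the gem's default create_id key.
UNTRUSTED_DOC = '{"json_class":"AuditHook","msg":"hi"}'

# Trusting path: JSON.load honours json_class. create_additions is its
# default in json 2.5.x; it is passed explicitly so the behaviour shown
# does not depend on the installed gem version.
def load_trusting(doc)
  JSON.load(doc, nil, create_additions: true)
end

# Hardened path for untrusted input: JSON.parse does not instantiate
# classes (create_additions defaults to false, stated explicitly here) and
# max_nesting bounds parser recursion on deeply nested input.
def load_untrusted(doc)
  JSON.parse(doc, create_additions: false, max_nesting: 100)
end

if __FILE__ == $PROGRAM_NAME
  safe = load_untrusted(UNTRUSTED_DOC)
  puts "JSON.parse -> #{safe.class}: #{safe.inspect}"
  risky = load_trusting(UNTRUSTED_DOC)
  puts "JSON.load  -> #{risky.class} (json_create called #{AuditHook.created} time(s))"
end
```

The parse path hands back a plain Hash that still contains the "json_class" string as ordinary data, so application code can inspect or reject it; the load path has already run AuditHook.json_create before the caller sees anything. That difference is why the review recommends JSON.parse for untrusted input and why the rubocop finding on the package's own JSON.load use (on trusted, in-tree input) was judged safe.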
Revision history for this message
Mark Esler (eslerm) wrote (last edit ):

Please note that the build dependencies gem2deb and ruby-test-unit are not in main.

edit: these dependencies are only required for build and do not require an MIR

Revision history for this message
Christian Ehrhardt  (paelzer) wrote : Re: [Bug 1990572] Re: [MIR] Promote ruby-json to main as a pcs dependency

On Sat, Jan 21, 2023 at 12:00 AM Mark Esler <email address hidden> wrote:
>
> Please note that the build dependencies gem2deb and ruby-test-unit are
> not in main.

That is fine as, since Trusty, only runtime dependencies have to be in main.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

While this would be ready, due to changes that were made along with the other feedback on promoting PCS this isn't needed anymore.

Marking as incomplete
Assigning to Lucas to unsubscribe is (if you agree).

Changed in ruby-json (Ubuntu):
status: In Progress → Incomplete
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Thanks for checking this Christian. I saw your comment in the pcs MIR bug mentioning that ruby-json is not showing up as a component-mismatch. That intrigued me since pcs does depend on the json gem during runtime (there is an explicit dependency statement in d/control), however, libruby3.1 is providing the json gem. So yes, no need to promote the src:ruby-json for now.

Changed in ruby-json (Ubuntu):
assignee: Lucas Kanashiro (lucaskanashiro) → nobody
status: Incomplete → Invalid