Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cj...@packages.debian.org
Control: affects -1 + src:cjson
[ Reason ]
CVE-2023-50472, CVE-2023-50471

[ Impact ]
Segmentation violation via the function cJSON_InsertItemInArray at cJSON.c

[ Tests ]
Upstream's tests continue to pass, and they have also added new tests to
cover this security issue.

[ Risks ]
Minimal, no change to API. Only minimal changes were made to fix this
security issue.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
- Set myself as Maintainer (I am adopting the package, #1067510)
- Bump Standards-Version to 4.6.2
- Add Build-Depends-Package to symbols
- Backport upstream's patch to 'add NULL checkings'. Upstream adds a few
  more if statements to avoid the segmentation fault, and thus resolves the
  security vulnerability.

[ Other info ]
If you can spare the time, could you please upload this for me? (I need a
sponsor, #1068624.) I'm also still waiting for someone to give me access to
the Salsa repo.

Thanks,
Maytham
diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog --- cjson-1.7.15/debian/changelog 2021-08-29 23:30:06.000000000 +0300 +++ cjson-1.7.15/debian/changelog 2024-04-03 06:57:10.000000000 +0300 @@ -1,3 +1,13 @@ +cjson (1.7.15-1+deb12u1) bookworm-security; urgency=medium + + * Update Maintainer field + * Bump Standards-Version to 4.6.2 (no changes) + * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471) + (Closes: #1059287) + * Add Build-Depends-Package to symbols + + -- Maytham Alsudany <maytha8the...@gmail.com> Wed, 03 Apr 2024 06:57:10 +0300 + cjson (1.7.15-1) unstable; urgency=medium * New upstream release 1.7.15. diff -Nru cjson-1.7.15/debian/control cjson-1.7.15/debian/control --- cjson-1.7.15/debian/control 2021-08-29 23:29:57.000000000 +0300 +++ cjson-1.7.15/debian/control 2024-04-03 06:38:29.000000000 +0300 @@ -1,10 +1,10 @@ Source: cjson Section: libs Priority: optional -Maintainer: Boyuan Yang <by...@debian.org> +Maintainer: Maytham Alsudany <maytha8the...@gmail.com> Build-Depends: cmake, debhelper-compat (= 13) Rules-Requires-Root: no -Standards-Version: 4.6.0 +Standards-Version: 4.6.2 Homepage: https://github.com/DaveGamble/cJSON Vcs-Git: https://salsa.debian.org/debian/cjson.git Vcs-Browser: https://salsa.debian.org/debian/cjson diff -Nru cjson-1.7.15/debian/gbp.conf cjson-1.7.15/debian/gbp.conf --- cjson-1.7.15/debian/gbp.conf 1970-01-01 03:00:00.000000000 +0300 +++ cjson-1.7.15/debian/gbp.conf 2024-04-03 06:56:58.000000000 +0300 @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = debian/bookworm diff -Nru cjson-1.7.15/debian/libcjson1.symbols cjson-1.7.15/debian/libcjson1.symbols --- cjson-1.7.15/debian/libcjson1.symbols 2021-08-29 23:28:57.000000000 +0300 +++ cjson-1.7.15/debian/libcjson1.symbols 2024-04-03 06:57:10.000000000 +0300 
@@ -1,4 +1,5 @@ libcjson.so.1 libcjson1 #MINVER# +* Build-Depends-Package: libcjson-dev cJSON_AddArrayToObject@Base 1.7.5 cJSON_AddBoolToObject@Base 1.7.5 cJSON_AddFalseToObject@Base 1.7.5 diff -Nru cjson-1.7.15/debian/patches/0001-add-null-checkings.patch cjson-1.7.15/debian/patches/0001-add-null-checkings.patch --- cjson-1.7.15/debian/patches/0001-add-null-checkings.patch 1970-01-01 03:00:00.000000000 +0300 +++ cjson-1.7.15/debian/patches/0001-add-null-checkings.patch 2024-04-03 06:51:36.000000000 +0300 
@@ -0,0 +1,101 @@ +Origin: backport, https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8 +From: Peter Alfred Lee <peter...@apache.com> +Bug: https://github.com/DaveGamble/cJSON/issues/803 +Bug: https://github.com/DaveGamble/cJSON/issues/802 +Bug-Debian: https://bugs.debian.org/1059287 +Acked-by: Maytham Alsudany <maytha8the...@gmail.com> +Subject: [PATCH] add NULL checkings (#809) + * add NULL checks in cJSON_SetValuestring + Fixes #803(CVE-2023-50472) + . + * add NULL check in cJSON_InsertItemInArray + Fixes #802(CVE-2023-50471) + . + * add tests for NULL checks + add tests for NULL checks in cJSON_InsertItemInArray and cJSON_SetValuestring + +--- a/cJSON.c ++++ b/cJSON.c +@@ -401,7 +401,12 @@ + { + char *copy = NULL; + /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */ +- if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference)) ++ if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference)) ++ { ++ return NULL; ++ } ++ /* return NULL if the object is corrupted */ ++ if (object->valuestring == NULL) + { + return NULL; + } +@@ -2260,7 +2265,7 @@ + { + cJSON *after_inserted = NULL; + +- if (which < 0) ++ if (which < 0 || newitem == NULL) + { + return false; + } +@@ -2271,6 +2276,11 @@ + return add_item_to_array(array, newitem); + } + ++ if (after_inserted != array->child && newitem->prev == NULL) { ++ /* return false if after_inserted is a corrupted array item */ ++ return false; ++ } ++ + newitem->next = after_inserted; + newitem->prev = after_inserted->prev; + after_inserted->prev = newitem; +--- a/tests/misc_tests.c ++++ b/tests/misc_tests.c +@@ -353,6 +353,19 @@ + { + char buffer[10]; + cJSON *item = cJSON_CreateString("item"); ++ cJSON *array = cJSON_CreateArray(); ++ cJSON *item1 = cJSON_CreateString("item1"); ++ cJSON *item2 = cJSON_CreateString("corrupted array item3"); ++ cJSON *corruptedString = cJSON_CreateString("corrupted"); 
++ struct cJSON *originalPrev; ++ ++ add_item_to_array(array, item1); ++ add_item_to_array(array, item2); ++ ++ originalPrev = item2->prev; ++ item2->prev = NULL; ++ free(corruptedString->valuestring); ++ corruptedString->valuestring = NULL; + + cJSON_InitHooks(NULL); + TEST_ASSERT_NULL(cJSON_Parse(NULL)); +@@ -412,6 +425,8 @@ + cJSON_DeleteItemFromObject(item, NULL); + cJSON_DeleteItemFromObjectCaseSensitive(NULL, "item"); + cJSON_DeleteItemFromObjectCaseSensitive(item, NULL); ++ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 0, NULL)); ++ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item)); + TEST_ASSERT_FALSE(cJSON_InsertItemInArray(NULL, 0, item)); + TEST_ASSERT_FALSE(cJSON_InsertItemInArray(item, 0, NULL)); + TEST_ASSERT_FALSE(cJSON_ReplaceItemViaPointer(NULL, item, item)); +@@ -428,10 +443,16 @@ + TEST_ASSERT_NULL(cJSON_Duplicate(NULL, true)); + TEST_ASSERT_FALSE(cJSON_Compare(item, NULL, false)); + TEST_ASSERT_FALSE(cJSON_Compare(NULL, item, false)); ++ TEST_ASSERT_NULL(cJSON_SetValuestring(NULL, "test")); ++ TEST_ASSERT_NULL(cJSON_SetValuestring(corruptedString, "test")); + cJSON_Minify(NULL); + /* skipped because it is only used via a macro that checks for NULL */ + /* cJSON_SetNumberHelper(NULL, 0); */ + ++ /* restore corrupted item2 to delete it */ ++ item2->prev = originalPrev; ++ cJSON_Delete(corruptedString); ++ cJSON_Delete(array); + cJSON_Delete(item); + } + diff -Nru cjson-1.7.15/debian/patches/series cjson-1.7.15/debian/patches/series --- cjson-1.7.15/debian/patches/series 1970-01-01 03:00:00.000000000 +0300 +++ cjson-1.7.15/debian/patches/series 2024-04-03 06:40:03.000000000 +0300 @@ -0,0 +1 @@ +0001-add-null-checkings.patch
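Review bot: in the debian/changelog hunk the distribution is `bookworm-security`, but this bug is filed against release.debian.org with `Usertags: pu`, i.e. a stable proposed-update, and an upload to bookworm-proposed-updates is targeted at `bookworm`. The version `1.7.15-1+deb12u1` fits either route, so only the distribution field needs to change; if the security team is instead taking this through bookworm-security, the bug belongs with them rather than with the release team.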
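Review bot: in the debian/control hunk the Standards-Version bump to 4.6.2 is unrelated to the CVE fix, which sits awkwardly next to the `[ Risks ]` statement that only minimal changes were made; stable updates are normally limited to the targeted fix, so consider leaving the Standards-Version line alone on the bookworm branch. The Maintainer change is explained by the adoption in #1067510 and is fine to keep.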
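Review bot: in the cJSON_SetValuestring hunk (`@@ -401,7 +401,12 @@`) the two added checks are separate `if` blocks that both `return NULL`; folding `object->valuestring == NULL` into the first condition would keep the early-return in one place and make the `/* return NULL if the object is corrupted */` comment describe the whole guard rather than only its second half.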
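Review bot: the second cJSON_InsertItemInArray hunk (`@@ -2271,6 +2276,11 @@`) tests the wrong link. The comment says it returns false "if after_inserted is a corrupted array item", and it is `after_inserted->prev` that the next line copies into `newitem->prev`, so that is the pointer whose NULL-ness has to be caught; the condition instead reads `newitem->prev == NULL`. A freshly created item has `prev == NULL` until it is added to a list, so as written every insert of a new item at a position other than 0 is refused, and the new test only passes because `item` is itself fresh. Suggest `if (after_inserted != array->child && after_inserted->prev == NULL)`; the test's `cJSON_InsertItemInArray(array, 1, item)` still returns false with that form because the test sets `item2->prev = NULL`.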
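Review bot: in the first tests/misc_tests.c hunk (`@@ -353,6 +353,19 @@`) `free(corruptedString->valuestring)` releases memory that cJSON allocated through its hooks with the libc `free` directly; `cJSON_free` is the matching release call and keeps the test correct if hooks are ever non-default at that point. Minor style: `struct cJSON *originalPrev` next to the `cJSON *` declarations above it should use the typedef.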
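Review bot: the second tests/misc_tests.c hunk (`@@ -412,6 +425,8 @@`) only asserts failures, and `TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item))` cannot tell a rejection caused by the corrupted `item2->prev` from one caused by `item` being a never-added item with a NULL `prev`. Add a positive control, such as inserting a fresh item at index 1 of a healthy array and asserting true, so the test pins down which pointer the new check is supposed to look at.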
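To make the "add NULL checkings" change in the [ Changes ] section concrete, here is an added example that is not cJSON's own code and not part of this debdiff: a small C model of the doubly linked array that cJSON_InsertItemInArray walks, with the unpatched path and two candidate checks side by side. The list conventions are assumptions taken from the visible patch and test rather than verified against cJSON: `array->child` is the first item, the first item's `prev` points at the last item (so a healthy non-first item never has a NULL `prev`), and a freshly created item has `prev == NULL` until it is added. The function and enum names are invented for this example.

```c
/* Added example, not cJSON's own code: a small model of the doubly linked
 * array that cJSON_InsertItemInArray walks, showing which prev link the
 * backported check has to inspect.  List conventions are ASSUMED from the
 * visible patch and test, not verified against cJSON: array->child is the
 * first item, the first item's prev points at the last item (so a healthy
 * non-first item never has a NULL prev), and a fresh item has prev == NULL. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct node { struct node *next, *prev, *child; const char *value; } node;
enum check { CHECK_NONE, CHECK_AFTER, CHECK_NEWITEM };

static node *node_new(const char *value)
{
    node *n = calloc(1, sizeof *n);   /* all links start out NULL */
    if (n != NULL) n->value = value;
    return n;
}

/* Append, keeping the "first->prev points at last" convention. */
static bool add_item(node *array, node *item)
{
    if (array == NULL || item == NULL) return false;
    if (array->child == NULL) {
        array->child = item;
        item->prev = item;
    } else {
        node *last = array->child->prev;
        last->next = item;
        item->prev = last;
        array->child->prev = item;
    }
    item->next = NULL;
    return true;
}

static node *get_item(node *array, size_t which)
{
    node *c = array ? array->child : NULL;
    while (c != NULL && which > 0) { c = c->next; which--; }
    return c;
}

/* Insert before index 'which'.  CHECK_NONE is the unpatched path; CHECK_AFTER
 * looks at the existing item's prev; CHECK_NEWITEM looks at the new item's
 * prev, which is what the backported hunk does. */
static bool insert_item(node *array, int which, node *item, enum check chk)
{
    node *after;
    if (which < 0 || item == NULL) return false;
    after = get_item(array, (size_t)which);
    if (after == NULL) return add_item(array, item);
    if (chk == CHECK_AFTER && after != array->child && after->prev == NULL) return false;
    if (chk == CHECK_NEWITEM && after != array->child && item->prev == NULL) return false;
    item->next = after;
    item->prev = after->prev;        /* NULL when 'after' is corrupted ... */
    after->prev = item;
    if (after == array->child) array->child = item;
    else item->prev->next = item;    /* ... and CHECK_NONE dereferences it here */
    return true;
}

static void free_array(node *array)
{
    node *c = array->child;
    while (c != NULL) { node *n = c->next; free(c); c = n; }
    free(array);
}

/* ["a","b"], then insert a fresh "x" at index 1: 1 = accepted with order
 * a,x,b; 0 = rejected; -1 = accepted but the order is wrong. */
static int insert_into_healthy(enum check chk)
{
    static const char *const want[] = { "a", "x", "b" };
    node *array = node_new(NULL), *x = node_new("x"), *c;
    int rc = 1;
    size_t i;
    add_item(array, node_new("a"));
    add_item(array, node_new("b"));
    if (!insert_item(array, 1, x, chk)) { free(x); free_array(array); return 0; }
    for (i = 0, c = array->child; i < 3; i++, c = c ? c->next : NULL)
        if (c == NULL || strcmp(c->value, want[i]) != 0) rc = -1;
    free_array(array);
    return rc;
}

/* ["a","b"] with b->prev cleared, as the upstream test clears item2->prev.
 * Must not be called with CHECK_NONE: that is the crash the CVE describes. */
static bool corrupted_insert_rejected(enum check chk)
{
    node *array = node_new(NULL), *x = node_new("x");
    bool rejected;
    add_item(array, node_new("a"));
    add_item(array, node_new("b"));
    array->child->next->prev = NULL;
    rejected = !insert_item(array, 1, x, chk);
    if (rejected) free(x);
    free_array(array);
    return rejected;
}

int main(void)
{
    printf("healthy/after=%d healthy/newitem=%d corrupt/after=%d corrupt/newitem=%d\n",
           insert_into_healthy(CHECK_AFTER), insert_into_healthy(CHECK_NEWITEM),
           (int)corrupted_insert_rejected(CHECK_AFTER), (int)corrupted_insert_rejected(CHECK_NEWITEM));
    return 0;
}
```

Both candidate checks refuse the corrupted insert, which is all the upstream test asserts; the difference shows up on the healthy array, where inspecting the new item's `prev` refuses a perfectly good insert at index 1 while inspecting the existing item's `prev` accepts it and keeps the order a, x, b.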