Your message dated Sat, 13 Apr 2024 18:56:44 +0000
with message-id <e1rviyo-0058dd...@fasolo.debian.org>
and subject line Bug#1033474: fixed in json-smart 2.2-3
has caused the Debian Bug report #1033474,
regarding json-smart: CVE-2023-1370
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1033474: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033474
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: json-smart
Version: 2.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for json-smart.

CVE-2023-1370[0]:
| [Json-smart](https://netplex.github.io/json-smart/) is a performance
| focused, JSON processor lib. When reaching a ‘[‘
| or ‘{‘ character in the JSON input, the code
| parses an array or an object respectively. It was discovered that the
| code does not have any limit to the nesting of such arrays or objects.
| Since the parsing of nested arrays and objects is done recursively,
| nesting too many of them can cause a stack exhaustion (stack overflow)
| and crash the software.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1370
    https://www.cve.org/CVERecord?id=CVE-2023-1370
[1] https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a
[2] https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: json-smart
Source-Version: 2.2-3
Done: Bastien Roucariès <ro...@debian.org>

We believe that the bug you reported is fixed in the latest version of
json-smart, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1033...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <ro...@debian.org> (supplier of updated json-smart package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 13 Apr 2024 14:43:01 +0000
Source: json-smart
Architecture: source
Version: 2.2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <ro...@debian.org>
Closes: 1033474
Changes:
 json-smart (2.2-3) unstable; urgency=medium
 .
   * Team upload
   * Add watch file
   * Fix CVE-2023-1370: When reaching a ‘[‘ or ‘{‘ character
     in the JSON input, the code parses an array or
     an object respectively. It was discovered that the
     code does not have any limit to the nesting of such arrays
     or objects. Since the parsing of nested arrays and objects is
     done recursively, nesting too many of them can cause
     a stack exhaustion (stack overflow) and crash the software.
     (Closes: #1033474)
   * Use compat level 13
   * Bump policy to 4.7.7
   * Add salsa-CI


--- End Message ---
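The nesting flaw described in the CVE text of the bug report and again in the changelog entry, as an added illustration that is not json-smart's code and not the fix from the referenced upstream commit: a recursive walker with no depth bound beside an iterative pre-check that rejects over-deep input before any recursive parser sees it. It is written in Python to show the pattern (json-smart itself is Java); the sample inputs are constructed and MAX_DEPTH is an assumed policy value.

```python
# Constructed samples: a legitimate document with a few nesting levels and a
# payload nested far deeper than any real document (the CVE's trigger shape).
SHALLOW_INPUT = '{"a": [1, {"b": [2, 3]}], "c": "[{not brackets}]"}'
DEEP_INPUT = "[" * 5000 + "]" * 5000
MAX_DEPTH = 64  # assumed policy value; the page does not state json-smart's limit

def unbounded_parse_exhausts_stack(text: str) -> bool:
    """Flawed pattern: one recursive call per '[' or '{' and no depth check,
    so stack use grows with input nesting. True if the recursion limit is hit."""
    def walk(pos: int) -> int:  # returns the index just past the matching closer
        closer = "]" if text[pos] == "[" else "}"
        pos += 1
        while pos < len(text) and text[pos] != closer:
            pos = walk(pos) if text[pos] in "[{" else pos + 1
        return pos + 1
    try:
        walk(0)
        return False
    except RecursionError:  # Python raises instead of overflowing the C stack
        return True

def max_nesting_depth(text: str, max_depth: int = MAX_DEPTH) -> int:
    """Iterative pre-check: return the deepest nesting, rejecting input above
    max_depth before any recursive parser sees it. String bodies are skipped
    so brackets inside them do not count."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                raise ValueError(f"nesting depth {depth} exceeds limit {max_depth}")
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced closing bracket")
    if depth or in_string:
        raise ValueError("unterminated array, object or string")
    return deepest
```

Running the pre-check in front of a recursive parser turns an uncontrolled crash into a controlled rejection of the oversized document.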