Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package jettison for openSUSE:Factory checked in at 2023-04-19 17:42:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/jettison (Old) and /work/SRC/openSUSE:Factory/.jettison.new.2023 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jettison" Wed Apr 19 17:42:45 2023 rev:6 rq:1080162 version:1.5.4 Changes: --------
--- /work/SRC/openSUSE:Factory/jettison/jettison.changes 2022-12-15 19:25:11.156049729 +0100
+++ /work/SRC/openSUSE:Factory/.jettison.new.2023/jettison.changes 2023-04-19 17:42:48.924137207 +0200
@@ -1,0 +2,9 @@
+Tue Apr 18 15:26:38 UTC 2023 - Fridrich Strba <fst...@suse.com>
+
+- Upgrade to version 1.5.4
+ * Fixes:
+ + Fixing issue 60: Infinite recursion triggered when
+ constructing a JSONArray from a Collection (bsc#1209605,
+ CVE-2023-1436)
+
+-------------------------------------------------------------------
Old: ---- jettison-1.5.3.tar.gz New: ---- jettison-1.5.4.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ jettison.spec ++++++
--- /var/tmp/diff_new_pack.KxggVN/_old 2023-04-19 17:42:50.312145271 +0200
+++ /var/tmp/diff_new_pack.KxggVN/_new 2023-04-19 17:42:50.316145294 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package jettison
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 Name: jettison
-Version: 1.5.3
+Version: 1.5.4
 Release: 0
 Summary: A JSON StAX implementation
 License: Apache-2.0
++++++ jettison-1.5.3.tar.gz -> jettison-1.5.4.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jettison-jettison-1.5.3/pom.xml new/jettison-jettison-1.5.4/pom.xml
--- old/jettison-jettison-1.5.3/pom.xml 2022-12-07 00:20:44.000000000 +0100
+++ new/jettison-jettison-1.5.4/pom.xml 2023-03-14 12:51:46.000000000 +0100
@@ -2,7 +2,7 @@
 <modelVersion>4.0.0</modelVersion>
 <groupId>org.codehaus.jettison</groupId>
 <artifactId>jettison</artifactId>
-<version>1.5.3</version>
+<version>1.5.4</version>
 <packaging>bundle</packaging>
 <name>Jettison</name>
 <description>A StAX implementation for JSON.</description>
@@ -31,7 +31,7 @@
 <connection>scm:git:http://github.com/jettison-json/jettison.git</connection>
 <developerConnection>scm:git:https://github.com/jettison-json/jettison.git</developerConnection>
 <url>https://github.com/jettison-json/jettison</url>
-<tag>jettison-1.5.3</tag>
+<tag>jettison-1.5.4</tag>
 </scm>
 <distributionManagement>
 <snapshotRepository>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jettison-jettison-1.5.3/src/main/java/org/codehaus/jettison/json/JSONArray.java new/jettison-jettison-1.5.4/src/main/java/org/codehaus/jettison/json/JSONArray.java
--- old/jettison-jettison-1.5.3/src/main/java/org/codehaus/jettison/json/JSONArray.java 2022-12-07 00:20:44.000000000 +0100
+++ new/jettison-jettison-1.5.4/src/main/java/org/codehaus/jettison/json/JSONArray.java 2023-03-14 12:51:46.000000000 +0100
@@ -182,22 +182,30 @@
 * @throws JSONException If there is a syntax error.
 */
 public JSONArray(Collection collection) throws JSONException {
+ this(collection, 0);
+ }
+
+ private JSONArray(Collection collection, int recursionDepth) throws JSONException {
+ if (recursionDepth > JSONObject.getGlobalRecursionDepthLimit()) {
+ throw new JSONException("JSONArray has reached recursion depth limit of " + JSONObject.getGlobalRecursionDepthLimit());
+ }
+
+ this.myArrayList = (collection == null) ? new ArrayList() : new ArrayList(collection);
 // ensure a pure hierarchy of JSONObjects and JSONArrays
 for (ListIterator iter = myArrayList.listIterator(); iter.hasNext();) {
- Object e = iter.next();
- if (e instanceof Collection) {
- iter.set(new JSONArray((Collection) e));
- }
- if (e instanceof Map) {
- iter.set(new JSONObject((Map) e));
- }
- }
+ Object e = iter.next();
+ if (e instanceof Collection) {
+ iter.set(new JSONArray((Collection) e, recursionDepth + 1));
+ }
+ if (e instanceof Map) {
+ iter.set(new JSONObject((Map) e));
+ }
+ }
 }
-
 /**
 * Get the object value associated with an index.
 * @param index
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jettison-jettison-1.5.3/src/test/java/org/codehaus/jettison/json/JSONArrayTest.java new/jettison-jettison-1.5.4/src/test/java/org/codehaus/jettison/json/JSONArrayTest.java
--- old/jettison-jettison-1.5.3/src/test/java/org/codehaus/jettison/json/JSONArrayTest.java 2022-12-07 00:20:44.000000000 +0100
+++ new/jettison-jettison-1.5.4/src/test/java/org/codehaus/jettison/json/JSONArrayTest.java 2023-03-14 12:51:46.000000000 +0100
@@ -2,6 +2,9 @@
 import junit.framework.TestCase;
+import java.util.ArrayList;
+import java.util.List;
+
 public class JSONArrayTest extends TestCase {
 public void testInvalidArraySequence() throws Exception {
 try {
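Review bot: The depth counter is threaded only through the Collection branch; the `e instanceof Map` branch still calls `new JSONObject((Map) e)` with no depth, so any nesting that passes through a Map (a Collection held inside a Map held inside this Collection) is not counted by this guard — whether JSONObject(Map) converts nested values itself is outside this hunk and should be checked before relying on the limit for mixed Collection/Map cycles. The new private constructor has no Javadoc although the public one above it does; add `/** @param recursionDepth nesting level of Collections seen so far, compared against JSONObject.getGlobalRecursionDepthLimit() to reject cyclic or excessively deep input (issue 60). */`. The loop body is removed and re-added with only its indentation changed, which hides the one functional edit (`recursionDepth + 1`) in a whitespace-only block; keeping the old indentation would make the fix easier to audit.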
@@ -67,6 +70,18 @@
 public void testIssue52() throws JSONException {
 JSONObject.setGlobalRecursionDepthLimit(10);
 new JSONArray("[{}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {a:10}]");
+ JSONObject.setGlobalRecursionDepthLimit(500);
+ }
+
+ // https://github.com/jettison-json/jettison/issues/60
+ public void testIssue60() throws JSONException {
+ List<Object> list = new ArrayList<>();
+ list.add(list);
+ try {
+ new JSONArray(list);
+ } catch (JSONException ex) {
+ assertEquals(ex.getMessage(), "JSONArray has reached recursion depth limit of 500");
+ }
 }
 }
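Review bot: testIssue60 passes vacuously if `new JSONArray(list)` returns without throwing, because nothing follows the call inside the try; add `fail("expected JSONException");` directly after `new JSONArray(list);`. The `assertEquals` arguments are in (actual, expected) order, which inverts the failure message; use `assertEquals("JSONArray has reached recursion depth limit of 500", ex.getMessage());`. The `setGlobalRecursionDepthLimit(500)` added to testIssue52 restores a hard-coded 500 rather than the value in effect before the test, so testIssue60's expected message depends on test ordering and on that global staying 500; capturing the previous limit and restoring it in a finally block would make both tests independent.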