Your message dated Sat, 29 Jun 2024 10:46:18 +0000
with message-id <e1snvb0-002bdi...@coccia.debian.org>
and subject line Released with 12.6
has caused the Debian Bug report #1068633,
regarding bookworm-pu: package cjson/1.7.15-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1068633: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068633
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cj...@packages.debian.org
Control: affects -1 + src:cjson

[ Reason ]
CVE-2023-50472, CVE-2023-50471

[ Impact ]
Segmentation violation via the function cJSON_InsertItemInArray at cJSON.c

[ Tests ]
Upstream's tests continue to pass, and they have also added new tests to
cover this security issue.

[ Risks ]
Minimal, no change to API. Only minimal changes were made to fix this
security issue.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
- Set myself as Maintainer (I am adopting the package, #1067510)
- Bump Standards-Version to 4.6.2
- Add Build-Depends-Package to symbols
- Backport upstream's patch to 'add NULL checkings'.
  Upstream adds a few more if statements to avoid the segmentation
  fault, and thus resolve the security vulnerability.

[ Other info ]
If you can spare the time, could you please upload this for me? (I need
a sponsor, #1068624.) I'm also still waiting for someone to give me
access to the Salsa repo.

Thanks,
Maytham
diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog
--- cjson-1.7.15/debian/changelog       2021-08-29 23:30:06.000000000 +0300
+++ cjson-1.7.15/debian/changelog       2024-04-03 06:57:10.000000000 +0300
@@ -1,3 +1,13 @@
+cjson (1.7.15-1+deb12u1) bookworm-security; urgency=medium
+
+  * Update Maintainer field
+  * Bump Standards-Version to 4.6.2 (no changes)
+  * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471)
+    (Closes: #1059287)
+  * Add Build-Depends-Package to symbols
+
+ -- Maytham Alsudany <maytha8the...@gmail.com>  Wed, 03 Apr 2024 06:57:10 +0300
+
 cjson (1.7.15-1) unstable; urgency=medium
 
   * New upstream release 1.7.15.
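Review bot: the target distribution on the first line of the new entry is `bookworm-security`, but this request is filed as bookworm-pu (a proposed update for the point release). An upload that goes through proposed-updates should name `bookworm` as its distribution, so change the header line to `cjson (1.7.15-1+deb12u1) bookworm; urgency=medium` before uploading.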
diff -Nru cjson-1.7.15/debian/control cjson-1.7.15/debian/control
--- cjson-1.7.15/debian/control 2021-08-29 23:29:57.000000000 +0300
+++ cjson-1.7.15/debian/control 2024-04-03 06:38:29.000000000 +0300
@@ -1,10 +1,10 @@
 Source: cjson
 Section: libs
 Priority: optional
-Maintainer: Boyuan Yang <by...@debian.org>
+Maintainer: Maytham Alsudany <maytha8the...@gmail.com>
 Build-Depends: cmake, debhelper-compat (= 13)
 Rules-Requires-Root: no
-Standards-Version: 4.6.0
+Standards-Version: 4.6.2
 Homepage: https://github.com/DaveGamble/cJSON
 Vcs-Git: https://salsa.debian.org/debian/cjson.git
 Vcs-Browser: https://salsa.debian.org/debian/cjson
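Review bot: the Maintainer change and the Standards-Version bump from 4.6.0 to 4.6.2 are unrelated to CVE-2023-50472 and CVE-2023-50471, while the [ Risks ] section of the request says only minimal changes were made to fix the security issue. Either drop these two lines from the stable upload or state in [ Risks ] why they are carried along with the fix.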
diff -Nru cjson-1.7.15/debian/gbp.conf cjson-1.7.15/debian/gbp.conf
--- cjson-1.7.15/debian/gbp.conf        1970-01-01 03:00:00.000000000 +0300
+++ cjson-1.7.15/debian/gbp.conf        2024-04-03 06:56:58.000000000 +0300
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = debian/bookworm
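Review bot: this new debian/gbp.conf is not mentioned in the debian/changelog entry or in the [ Changes ] list, although the checklist marks all changes as documented in d/changelog. Add a changelog line for it, or leave the file out of the stable update since it does not affect the built package.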
diff -Nru cjson-1.7.15/debian/libcjson1.symbols 
cjson-1.7.15/debian/libcjson1.symbols
--- cjson-1.7.15/debian/libcjson1.symbols       2021-08-29 23:28:57.000000000 
+0300
+++ cjson-1.7.15/debian/libcjson1.symbols       2024-04-03 06:57:10.000000000 
+0300
@@ -1,4 +1,5 @@
 libcjson.so.1 libcjson1 #MINVER#
+* Build-Depends-Package: libcjson-dev
  cJSON_AddArrayToObject@Base 1.7.5
  cJSON_AddBoolToObject@Base 1.7.5
  cJSON_AddFalseToObject@Base 1.7.5
diff -Nru cjson-1.7.15/debian/patches/0001-add-null-checkings.patch 
cjson-1.7.15/debian/patches/0001-add-null-checkings.patch
--- cjson-1.7.15/debian/patches/0001-add-null-checkings.patch   1970-01-01 
03:00:00.000000000 +0300
+++ cjson-1.7.15/debian/patches/0001-add-null-checkings.patch   2024-04-03 
06:51:36.000000000 +0300
@@ -0,0 +1,101 @@
+Origin: backport, 
https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8
+From: Peter Alfred Lee <peter...@apache.com>
+Bug: https://github.com/DaveGamble/cJSON/issues/803
+Bug: https://github.com/DaveGamble/cJSON/issues/802
+Bug-Debian: https://bugs.debian.org/1059287
+Acked-by: Maytham Alsudany <maytha8the...@gmail.com>
+Subject: [PATCH] add NULL checkings (#809)
+ * add NULL checks in cJSON_SetValuestring
+ Fixes #803(CVE-2023-50472)
+ .
+ * add NULL check in cJSON_InsertItemInArray
+ Fixes #802(CVE-2023-50471)
+ .
+ * add tests for NULL checks
+ add tests for NULL checks in cJSON_InsertItemInArray and cJSON_SetValuestring
+
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -401,7 +401,12 @@
+ {
+     char *copy = NULL;
+     /* if object's type is not cJSON_String or is cJSON_IsReference, it 
should not set valuestring */
+-    if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference))
++    if ((object == NULL) || !(object->type & cJSON_String) || (object->type & 
cJSON_IsReference))
++    {
++        return NULL;
++    }
++    /* return NULL if the object is corrupted */
++    if (object->valuestring == NULL)
+     {
+         return NULL;
+     }
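Review bot: the guards added at the top of cJSON_SetValuestring cover `object` and `object->valuestring`, but nothing in this hunk checks the `valuestring` argument the caller passes in, and the new tests only call the function with "test". If the code below this hunk dereferences that argument, a NULL there would still crash, so consider adding `valuestring == NULL` to the first condition together with a test for it. The comment above the condition should also be updated to mention the NULL-object case.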
+@@ -2260,7 +2265,7 @@
+ {
+     cJSON *after_inserted = NULL;
+ 
+-    if (which < 0)
++    if (which < 0 || newitem == NULL)
+     {
+         return false;
+     }
+@@ -2271,6 +2276,11 @@
+         return add_item_to_array(array, newitem);
+     }
+ 
++    if (after_inserted != array->child && newitem->prev == NULL) {
++        /* return false if after_inserted is a corrupted array item */
++        return false;
++    }
++
+     newitem->next = after_inserted;
+     newitem->prev = after_inserted->prev;
+     after_inserted->prev = newitem;
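Review bot: the condition in the added block tests `newitem->prev`, while its comment and the assignments that follow (`newitem->prev = after_inserted->prev;`) are about `after_inserted`. As written, an item passed in with `prev` unset (as a newly created, unlinked item would have) makes the function return false for any position other than the head, so valid inserts into the middle of an array would be refused. Checking `after_inserted->prev == NULL` would match the comment and still guard the pointer that the following lines rely on.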
+--- a/tests/misc_tests.c
++++ b/tests/misc_tests.c
+@@ -353,6 +353,19 @@
+ {
+     char buffer[10];
+     cJSON *item = cJSON_CreateString("item");
++    cJSON *array = cJSON_CreateArray();
++    cJSON *item1 = cJSON_CreateString("item1");
++    cJSON *item2 = cJSON_CreateString("corrupted array item3");
++    cJSON *corruptedString = cJSON_CreateString("corrupted");
++    struct cJSON *originalPrev;
++
++    add_item_to_array(array, item1);
++    add_item_to_array(array, item2);
++
++    originalPrev = item2->prev;
++    item2->prev = NULL;
++    free(corruptedString->valuestring);
++    corruptedString->valuestring = NULL;
+ 
+     cJSON_InitHooks(NULL);
+     TEST_ASSERT_NULL(cJSON_Parse(NULL));
+@@ -412,6 +425,8 @@
+     cJSON_DeleteItemFromObject(item, NULL);
+     cJSON_DeleteItemFromObjectCaseSensitive(NULL, "item");
+     cJSON_DeleteItemFromObjectCaseSensitive(item, NULL);
++    TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 0, NULL));
++    TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item));
+     TEST_ASSERT_FALSE(cJSON_InsertItemInArray(NULL, 0, item));
+     TEST_ASSERT_FALSE(cJSON_InsertItemInArray(item, 0, NULL));
+     TEST_ASSERT_FALSE(cJSON_ReplaceItemViaPointer(NULL, item, item));
+@@ -428,10 +443,16 @@
+     TEST_ASSERT_NULL(cJSON_Duplicate(NULL, true));
+     TEST_ASSERT_FALSE(cJSON_Compare(item, NULL, false));
+     TEST_ASSERT_FALSE(cJSON_Compare(NULL, item, false));
++    TEST_ASSERT_NULL(cJSON_SetValuestring(NULL, "test"));
++    TEST_ASSERT_NULL(cJSON_SetValuestring(corruptedString, "test"));
+     cJSON_Minify(NULL);
+     /* skipped because it is only used via a macro that checks for NULL */
+     /* cJSON_SetNumberHelper(NULL, 0); */
+ 
++    /* restore corrupted item2 to delete it */
++    item2->prev = originalPrev;
++    cJSON_Delete(corruptedString);
++    cJSON_Delete(array);
+     cJSON_Delete(item);
+ }
+ 
diff -Nru cjson-1.7.15/debian/patches/series cjson-1.7.15/debian/patches/series
--- cjson-1.7.15/debian/patches/series  1970-01-01 03:00:00.000000000 +0300
+++ cjson-1.7.15/debian/patches/series  2024-04-03 06:40:03.000000000 +0300
@@ -0,0 +1 @@
+0001-add-null-checkings.patch

--- End Message ---
--- Begin Message ---
Version: 12.6

The upload requested in this bug has been released as part of 12.6.

--- End Message ---
