Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libfastj...@packages.debian.org, bi...@debian.org
Control: affects -1 + libfastjson
Please unblock package libfastjson

A new upstream version of libfastjson fixes a security bug (CVE-2020-12762, #1035302). They also changed the release numbering, hence the seemingly huge jump, but the actual diff is quite small.

[ Reason ]
"Prevent signed integer overflows with large buffers", as upstream states inline, cf. <https://security-tracker.debian.org/tracker/CVE-2020-12762>.
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035302>.

[ Impact ]
Without this change the above vulnerability remains. However, according to upstream, rsyslog - the main and almost sole user of this library - was not affected anyway due to size limits.

[ Tests ]
There is some coverage via upstream's tests/test_printbuf.c that is run during build time. The code in question is also tested in json-c, cf. <https://security-tracker.debian.org/tracker/CVE-2020-12762>.

[ Risks ]
Via rsyslog this library is a key package. However, the new code merely adds some straightforward checks against signed integer overflows, which are already part of json-c in buster, bullseye, bookworm, and sid, cf. <https://security-tracker.debian.org/tracker/CVE-2020-12762>. The new libfastjson release entered unstable 18 days ago, and so far no bugs seem to have surfaced due to this change.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them (disclaimer below)
[x] attach debdiff against the package in testing

I am not the package maintainer but merely the bug submitter. However, Michael expressed he wouldn't object if I want to pursue this, cf. <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035302#19>.

unblock libfastjson/1.2304.0-1
diff -Nru libfastjson-0.99.9/ChangeLog libfastjson-1.2304.0/ChangeLog --- libfastjson-0.99.9/ChangeLog 2021-01-25 13:52:55.000000000 +0100 +++ libfastjson-1.2304.0/ChangeLog 2023-04-17 15:51:20.000000000 +0200 @@ -1,3 +1,8 @@ +1.2304.0, 2023-04-18 +- change of release number scheme, now like rsyslog +- fix Fix CVE-2020-12762 + Note: the CVE did not affect rsyslog use due to size limits + Thanks to Wang Haitao for the patch. 0.99.9 2021-01-26 - add API fjson_object_get_uint() Thanks to Janmejay Singh for contributing the patch. diff -Nru libfastjson-0.99.9/configure libfastjson-1.2304.0/configure --- libfastjson-0.99.9/configure 2021-01-25 13:53:09.000000000 +0100 +++ libfastjson-1.2304.0/configure 2023-04-17 15:54:00.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for libfastjson 0.99.9. +# Generated by GNU Autoconf 2.69 for libfastjson 1.2304.0. # # Report bugs to <rsys...@lists.adiscon.com>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='libfastjson' PACKAGE_TARNAME='libfastjson' -PACKAGE_VERSION='0.99.9' -PACKAGE_STRING='libfastjson 0.99.9' +PACKAGE_VERSION='1.2304.0' +PACKAGE_STRING='libfastjson 1.2304.0' PACKAGE_BUGREPORT='rsys...@lists.adiscon.com' PACKAGE_URL='' @@ -1336,7 +1336,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libfastjson 0.99.9 to adapt to many kinds of systems. +\`configure' configures libfastjson 1.2304.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1407,7 +1407,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libfastjson 0.99.9:";; + short | recursive ) echo "Configuration of libfastjson 1.2304.0:";; esac cat <<\_ACEOF 
@@ -1525,7 +1525,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libfastjson configure 0.99.9 +libfastjson configure 1.2304.0 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1948,7 +1948,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libfastjson $as_me 0.99.9, which was +It was created by libfastjson $as_me 1.2304.0, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2838,7 +2838,7 @@ # Define the identity of the package. PACKAGE='libfastjson' - VERSION='0.99.9' + VERSION='1.2304.0' cat >>confdefs.h <<_ACEOF @@ -15280,7 +15280,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libfastjson $as_me 0.99.9, which was +This file was extended by libfastjson $as_me 1.2304.0, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -15346,7 +15346,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -libfastjson config.status 0.99.9 +libfastjson config.status 1.2304.0 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -Nru libfastjson-0.99.9/configure.ac libfastjson-1.2304.0/configure.ac --- libfastjson-0.99.9/configure.ac 2021-01-25 13:52:55.000000000 +0100 +++ libfastjson-1.2304.0/configure.ac 2023-04-17 15:53:41.000000000 +0200 
@@ -1,7 +1,7 @@ AC_PREREQ(2.52) # Process this file with autoconf to produce a configure script. -AC_INIT([libfastjson], [0.99.9], [rsys...@lists.adiscon.com]) +AC_INIT([libfastjson], [1.2304.0], [rsys...@lists.adiscon.com]) # AIXPORT START: Detect the underlying OS unamestr=$(uname) AM_CONDITIONAL([AIX], [test x$unamestr = xAIX]) diff -Nru libfastjson-0.99.9/debian/changelog libfastjson-1.2304.0/debian/changelog --- libfastjson-0.99.9/debian/changelog 2022-09-02 13:02:31.000000000 +0200 +++ libfastjson-1.2304.0/debian/changelog 2023-05-03 12:48:03.000000000 +0200 @@ -1,3 +1,13 @@ +libfastjson (1.2304.0-1) unstable; urgency=medium + + * New upstream version 1.2304.0 + - Fixes integer overflow and out-of-bounds write via a large JSON file. + This issue was originally found in the json-c library. + (CVE-2020-12762, Closes: #1035302) + * Bump Standards-Version to 4.6.2 + + -- Michael Biebl <bi...@debian.org> Wed, 03 May 2023 12:48:03 +0200 + libfastjson (0.99.9-2) unstable; urgency=medium * Enable all hardening build flags diff -Nru libfastjson-0.99.9/debian/control libfastjson-1.2304.0/debian/control --- libfastjson-0.99.9/debian/control 2022-09-02 13:02:31.000000000 +0200 +++ libfastjson-1.2304.0/debian/control 2023-05-03 12:48:03.000000000 +0200 @@ -4,7 +4,7 @@ Maintainer: Michael Biebl <bi...@debian.org> Build-Depends: debhelper-compat (= 13), pkg-config -Standards-Version: 4.6.1 +Standards-Version: 4.6.2 Rules-Requires-Root: no Vcs-Git: https://salsa.debian.org/debian/libfastjson.git Vcs-Browser: https://salsa.debian.org/debian/libfastjson diff -Nru libfastjson-0.99.9/printbuf.c libfastjson-1.2304.0/printbuf.c --- libfastjson-0.99.9/printbuf.c 2021-01-25 13:00:57.000000000 +0100 +++ libfastjson-1.2304.0/printbuf.c 2023-03-30 11:53:47.000000000 +0200 @@ -13,6 +13,7 @@ #include "config.h" +#include <limits.h> #include <stdio.h> #include <stdlib.h> #include <string.h> 
@@ -68,9 +69,16 @@ if (p->size >= min_size) return 0; - new_size = p->size * 2; - if (new_size < min_size + 8) - new_size = min_size + 8; + /* Prevent signed integer overflows with large buffers. */ + if (min_size > INT_MAX - 8) + return -1; + if (p->size > INT_MAX / 2) + new_size = min_size + 8; + else { + new_size = p->size * 2; + if (new_size < min_size + 8) + new_size = min_size + 8; + } #ifdef PRINTBUF_DEBUG MC_DEBUG("printbuf_memappend: realloc " "bpos=%d min_size=%d old_size=%d new_size=%d\n", @@ -85,6 +93,9 @@ int printbuf_memappend(struct printbuf *p, const char *buf, int size) { + /* Prevent signed integer overflows with large buffers. */ + if (size > INT_MAX - p->bpos - 1) + return -1; if (p->size <= p->bpos + size + 1) { if (printbuf_extend(p, p->bpos + size + 1) < 0) return -1; @@ -136,6 +147,9 @@ if (offset == -1) offset = pb->bpos; + /* Prevent signed integer overflows with large buffers. */ + if (len > INT_MAX - offset) + return -1; size_needed = offset + len; if (pb->size < size_needed) {
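Review bot: the upstream ChangeLog line `- fix Fix CVE-2020-12762` doubles the word "fix"; suggest `- fix CVE-2020-12762` so the entry reads cleanly (cosmetic only, no code impact).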
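Review bot: the two guards in the printbuf_extend hunk are exact for the arithmetic they protect (`min_size > INT_MAX - 8` for `min_size + 8`, `p->size > INT_MAX / 2` for `p->size * 2`), but the debdiff does not touch tests/test_printbuf.c even though the request cites that file as the build-time coverage, so neither new branch is exercised. Suggest adding a case that asks for more than INT_MAX - 8 bytes and checks for the -1 return; note that -1 is a new outcome for this function, so callers that treated a negative return purely as allocation failure now also see it for oversized requests (printbuf_memappend in the next hunk already propagates it correctly).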
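Review bot: in the printbuf_memappend hunk, `size > INT_MAX - p->bpos - 1` only guards the upward overflow of `p->bpos + size + 1`; `size` is a plain `int` and a negative value still passes the check and reaches the size computation below. Suggest `if (size < 0 || size > INT_MAX - p->bpos - 1) return -1;` so that a negative length is rejected at the same point.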
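Review bot: the last hunk's `len > INT_MAX - offset` assumes `offset` is non-negative once the -1 sentinel has been replaced by `pb->bpos`; for any other negative `offset` the expression `INT_MAX - offset` itself overflows, and a negative `len` is not rejected either. Suggest rejecting `offset < 0 || len < 0` before this check so `size_needed = offset + len` is only computed from validated operands.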