Your message dated Sat, 31 Aug 2024 12:30:55 +0100 with message-id <27c418b1a49ffc566f1b9635359e59f6a742be26.ca...@adam-barratt.org.uk> and subject line Closing bugs for 11.11 has caused the Debian Bug report #1074090, regarding bullseye-pu: package cjson/1.7.14-1+deb11u1 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
1074090: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074090
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:cjson
X-Debbugs-Cc: cj...@packages.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: bullseye
Severity: normal

[ Reason ]
CVE-2023-50472, CVE-2023-50471, CVE-2024-31755

[ Impact ]
Segmentation violation via the function cJSON_InsertItemInArray at cJSON.c
Segmentation violation via the cJSON_SetValuestring function.
If the valuestring passed to cJSON_SetValuestring is NULL, a null pointer dereference will happen, which can potentially cause denial of service (DOS).

[ Tests ]
Upstream's tests continue to pass, and they have also added new tests to cover the first two CVEs.

[ Risks ]
Patches are minimal, no change to API.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
* Backport patch to add NULL checks to cJSON_SetValuestring and cJSON_InsertItemInArray (CVE-2023-50472, CVE-2023-50471, CVE-2024-31755) (Closes: #1059287, #1071742)

[ Other info ]
Security team have marked these security bugs as no-dsa.

-- 
Maytham Alsudany
Debian Maintainer
maytham @ OFTC
maytha8 @ Libera

diff -Nru cjson-1.7.14/debian/changelog cjson-1.7.14/debian/changelog
--- cjson-1.7.14/debian/changelog 2020-09-06 22:48:14.000000000 +0800
+++ cjson-1.7.14/debian/changelog 2024-06-23 15:27:49.000000000 +0800
@@ -1,3 +1,12 @@ +cjson (1.7.14-1+deb11u1) bullseye; urgency=medium + + * Non-maintainer upload. + * Backport patch to add NULL checks to cJSON_SetValuestring and + cJSON_InsertItemInArray (CVE-2023-50472, CVE-2023-50471, CVE-2024-31755) + (Closes: #1059287, #1071742) + + -- Maytham Alsudany <maytha8the...@gmail.com> Sun, 23 Jun 2024 15:27:49 +0800 + cjson (1.7.14-1) unstable; urgency=medium * New upstream release 1.7.14. diff -Nru cjson-1.7.14/debian/gbp.conf cjson-1.7.14/debian/gbp.conf --- cjson-1.7.14/debian/gbp.conf 1970-01-01 08:00:00.000000000 +0800 +++ cjson-1.7.14/debian/gbp.conf 2024-06-23 14:56:13.000000000 +0800 @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = debian/bullseye diff -Nru cjson-1.7.14/debian/patches/0001-add-null-checkings.patch cjson-1.7.14/debian/patches/0001-add-null-checkings.patch --- cjson-1.7.14/debian/patches/0001-add-null-checkings.patch 1970-01-01 08:00:00.000000000 +0800 +++ cjson-1.7.14/debian/patches/0001-add-null-checkings.patch 2024-06-23 14:56:05.000000000 +0800 
@@ -0,0 +1,101 @@ +Origin: backport, https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8 +From: Peter Alfred Lee <peter...@apache.com> +Bug: https://github.com/DaveGamble/cJSON/issues/803 +Bug: https://github.com/DaveGamble/cJSON/issues/802 +Bug-Debian: https://bugs.debian.org/1059287 +Acked-by: Maytham Alsudany <maytha8the...@gmail.com> +Subject: [PATCH] add NULL checkings (#809) + * add NULL checks in cJSON_SetValuestring + Fixes #803(CVE-2023-50472) + . + * add NULL check in cJSON_InsertItemInArray + Fixes #802(CVE-2023-50471) + . + * add tests for NULL checks + add tests for NULL checks in cJSON_InsertItemInArray and cJSON_SetValuestring + +--- a/cJSON.c ++++ b/cJSON.c +@@ -397,7 +397,12 @@ + { + char *copy = NULL; + /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */ +- if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference)) ++ if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference)) ++ { ++ return NULL; ++ } ++ /* return NULL if the object is corrupted */ ++ if (object->valuestring == NULL) + { + return NULL; + } +@@ -2258,7 +2263,7 @@ + { + cJSON *after_inserted = NULL; + +- if (which < 0) ++ if (which < 0 || newitem == NULL) + { + return false; + } +@@ -2269,6 +2274,11 @@ + return add_item_to_array(array, newitem); + } + ++ if (after_inserted != array->child && newitem->prev == NULL) { ++ /* return false if after_inserted is a corrupted array item */ ++ return false; ++ } ++ + newitem->next = after_inserted; + newitem->prev = after_inserted->prev; + after_inserted->prev = newitem; +--- a/tests/misc_tests.c ++++ b/tests/misc_tests.c +@@ -353,6 +353,19 @@ + { + char buffer[10]; + cJSON *item = cJSON_CreateString("item"); ++ cJSON *array = cJSON_CreateArray(); ++ cJSON *item1 = cJSON_CreateString("item1"); ++ cJSON *item2 = cJSON_CreateString("corrupted array item3"); ++ cJSON *corruptedString = cJSON_CreateString("corrupted"); 
++ struct cJSON *originalPrev; ++ ++ add_item_to_array(array, item1); ++ add_item_to_array(array, item2); ++ ++ originalPrev = item2->prev; ++ item2->prev = NULL; ++ free(corruptedString->valuestring); ++ corruptedString->valuestring = NULL; + + cJSON_InitHooks(NULL); + TEST_ASSERT_NULL(cJSON_Parse(NULL)); +@@ -412,6 +425,8 @@ + cJSON_DeleteItemFromObject(item, NULL); + cJSON_DeleteItemFromObjectCaseSensitive(NULL, "item"); + cJSON_DeleteItemFromObjectCaseSensitive(item, NULL); ++ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 0, NULL)); ++ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item)); + TEST_ASSERT_FALSE(cJSON_InsertItemInArray(NULL, 0, item)); + TEST_ASSERT_FALSE(cJSON_InsertItemInArray(item, 0, NULL)); + TEST_ASSERT_FALSE(cJSON_ReplaceItemViaPointer(NULL, item, item)); +@@ -428,10 +443,16 @@ + TEST_ASSERT_NULL(cJSON_Duplicate(NULL, true)); + TEST_ASSERT_FALSE(cJSON_Compare(item, NULL, false)); + TEST_ASSERT_FALSE(cJSON_Compare(NULL, item, false)); ++ TEST_ASSERT_NULL(cJSON_SetValuestring(NULL, "test")); ++ TEST_ASSERT_NULL(cJSON_SetValuestring(corruptedString, "test")); + cJSON_Minify(NULL); + /* skipped because it is only used via a macro that checks for NULL */ + /* cJSON_SetNumberHelper(NULL, 0); */ + ++ /* restore corrupted item2 to delete it */ ++ item2->prev = originalPrev; ++ cJSON_Delete(corruptedString); ++ cJSON_Delete(array); + cJSON_Delete(item); + } + diff -Nru cjson-1.7.14/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch cjson-1.7.14/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch --- cjson-1.7.14/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch 1970-01-01 08:00:00.000000000 +0800 +++ cjson-1.7.14/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch 2024-06-23 14:56:05.000000000 +0800 
@@ -0,0 +1,23 @@ +Origin: backport, https://github.com/DaveGamble/cJSON/commit/7e4d5dabe7a9b754c601f214e65b544e67ba9f59 +From: Up-wind <lj.upw...@gmail.com> +Bug: https://github.com/DaveGamble/cJSON/issues/839 +Bug-Debian: https://bugs.debian.org/1071742 +Acked-by: Maytham Alsudany <maytha8the...@gmail.com> +Subject: [PATCH] Add NULL check to cJSON_SetValuestring() + If the valuestring passed to cJSON_SetValuestring is NULL, a null pointer + dereference will happen. This patch adds the NULL check of valuestring before + it is dereferenced. + . + Fix for CVE-2024-31755. + +--- a/cJSON.c ++++ b/cJSON.c +@@ -402,7 +402,7 @@ + return NULL; + } + /* return NULL if the object is corrupted */ +- if (object->valuestring == NULL) ++ if (object->valuestring == NULL || valuestring == NULL) + { + return NULL; + } diff -Nru cjson-1.7.14/debian/patches/series cjson-1.7.14/debian/patches/series --- cjson-1.7.14/debian/patches/series 1970-01-01 08:00:00.000000000 +0800 +++ cjson-1.7.14/debian/patches/series 2024-06-23 14:53:00.000000000 +0800 @@ -0,0 +1,2 @@ +0001-add-null-checkings.patch +0002-add-null-check-to-cjson-setvaluestring.patchsignature.asc
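Review bot: the cJSON_SetValuestring hunk (@@ -397,7 +397,12 @@ of 0001-add-null-checkings.patch) guards `object` and `object->valuestring` but leaves the `valuestring` parameter unchecked, and the function necessarily reads that parameter to perform the copy, so a NULL argument still dereferences it after this hunk. 0002-add-null-check-to-cjson-setvaluestring.patch supplies exactly that check (`if (object->valuestring == NULL || valuestring == NULL)`) and its hunk is written against the `/* return NULL if the object is corrupted */` line this hunk introduces, so d/patches/series must keep 0001 ahead of 0002 as it does now; if the two backports are ever folded together, fold 0002 into this hunk rather than dropping either.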
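Review bot: the cJSON_InsertItemInArray hunk at @@ -2258,7 +2263,7 @@ adds `newitem == NULL` to the early return but still does not reject a NULL `array`, while the following hunk reads `array->child`. The existing assertion `cJSON_InsertItemInArray(NULL, 0, item)` only stays safe if the lookup between the two hunks (not shown in the diff) yields a NULL `after_inserted` for a NULL array, so that control takes the visible `return add_item_to_array(array, newitem);` path instead. Adding `|| array == NULL` to this condition makes that guarantee local to the hunk instead of depending on the lookup's behaviour.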
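Review bot: the corruption check added at @@ -2269,6 +2274,11 @@ tests `newitem->prev == NULL`, but its own comment (`/* return false if after_inserted is a corrupted array item */`) and the test setup in misc_tests.c (which clears `item2->prev` on the element already in the array, not on the item being inserted) both describe a check on `after_inserted`. A freshly created node that has not been linked into any list has no `prev`, so as written this condition turns away ordinary inserts at every index other than the head, and the new `TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item))` passes only by coincidence. Suggest `if (after_inserted != array->child && after_inserted->prev == NULL)`, plus a positive assertion that inserting a fresh item at index 1 into an intact array returns true.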
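Review bot: in the misc_tests.c hunk at @@ -353,6 +353,19 @@ the corrupted string is produced with a bare `free(corruptedString->valuestring)`, although the string was allocated through cJSON's allocator hooks; this is only correct while the default allocator is in effect, and `cJSON_free()` would follow whatever hooks are installed. Separately, `originalPrev` is declared as `struct cJSON *` where the rest of the file uses the `cJSON` typedef; minor, but worth aligning before the patch is carried in the Debian tree.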
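Review bot: the assertion `TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item))` added at @@ -412,6 +425,8 @@ is meant to exercise the corrupted `item2`, but `item` itself is an unlinked node with a NULL `prev`, and the code under test checks `newitem->prev`, so the assertion passes whether or not `item2->prev` was cleared. Pair it with a positive case once `item2->prev` is restored, e.g. `TEST_ASSERT_TRUE(cJSON_InsertItemInArray(array, 1, item))` followed by `cJSON_DetachItemViaPointer(array, item)` so that `cJSON_Delete(item)` at the end of the function does not double-free; that way the test distinguishes the corruption guard from a blanket refusal to insert.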
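Review bot: the 0002 hunk (@@ -402,7 +402,7 @@ in 0002-add-null-check-to-cjson-setvaluestring.patch) extends the condition under `/* return NULL if the object is corrupted */` to `object->valuestring == NULL || valuestring == NULL`, but a NULL `valuestring` argument is a caller error rather than a corrupted object, so the comment no longer describes the whole condition; either reword it or give the argument its own check with its own comment. The hunk also relies on line 402 being the comment line that 0001 introduces, which holds only while d/patches/series keeps 0001 first.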
--- End Message ---
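The three crashes listed under [ Impact ] above can be checked against the installed library directly. The harness below is an added example and is not part of the bug report, the debdiff or cJSON: it writes a small C probe, compiles it against the system libcjson, and runs each trigger in its own process so that a NULL dereference shows up as a SIGSEGV exit status instead of killing the harness. The header path `<cjson/cJSON.h>`, the pkg-config name `libcjson` and the `-lcjson` fallback are assumptions about the Debian libcjson-dev layout; the probe numbering is the harness's own. Probe 4 is not one of the CVE triggers: because the backported cJSON_InsertItemInArray check compares `newitem->prev`, and a freshly created item has no `prev`, it confirms that an ordinary insert at index 1 into an intact array still succeeds.

```shell
#!/bin/sh
# Added verification harness for the cJSON NULL-check backport.
# Not part of the Debian bug report or of cJSON itself.
# Assumptions (Debian libcjson-dev layout): header <cjson/cJSON.h>,
# pkg-config name "libcjson", link flag -lcjson as a fallback.

# C probe, run once per case in its own process. A NULL dereference in
# the library kills the probe with SIGSEGV (exit status 139 in sh); the
# hardened library returns NULL/false and the probe exits 0.
PROBE_SRC='
#include <stdlib.h>
#include <cjson/cJSON.h>

int main(int argc, char **argv)
{
    int which = (argc > 1) ? atoi(argv[1]) : 0;
    cJSON *arr = cJSON_CreateArray();
    cJSON *str = cJSON_CreateString("hello");
    /* the insert crash needs a non-empty array */
    cJSON_AddItemToArray(arr, cJSON_CreateString("first"));
    cJSON_AddItemToArray(arr, cJSON_CreateString("second"));

    switch (which) {
    case 1: /* CVE-2023-50472: NULL object */
        return cJSON_SetValuestring(NULL, "x") == NULL ? 0 : 1;
    case 2: /* CVE-2024-31755: NULL replacement string */
        return cJSON_SetValuestring(str, NULL) == NULL ? 0 : 1;
    case 3: /* CVE-2023-50471: NULL newitem into a non-empty array */
        return cJSON_InsertItemInArray(arr, 0, NULL) ? 1 : 0;
    case 4: /* regression check: an ordinary insert must still work */
        return cJSON_InsertItemInArray(arr, 1, cJSON_CreateString("new")) ? 0 : 1;
    }
    return 1; /* unknown case; the process exits, no cleanup needed */
}
'

# Builds the probe and runs the four cases.
# Return value: 0 = every probe reported the hardened behaviour,
#               1 = a probe crashed or reported the old/wrong result,
#               2 = no C compiler or no libcjson-dev, nothing verified.
check_cjson_null_fixes() {
    command -v cc >/dev/null 2>&1 || return 2
    cjson_flags=$(pkg-config --cflags --libs libcjson 2>/dev/null) || cjson_flags="-lcjson"
    probe_dir=$(mktemp -d) || return 2
    printf '%s\n' "$PROBE_SRC" > "$probe_dir/probe.c"
    # $cjson_flags is deliberately unquoted: it holds several flags
    if ! cc -o "$probe_dir/probe" "$probe_dir/probe.c" $cjson_flags 2>/dev/null; then
        rm -rf "$probe_dir"
        return 2
    fi
    probe_status=0
    for n in 1 2 3 4; do
        "$probe_dir/probe" "$n" 2>/dev/null
        rc=$?
        if [ "$rc" -ne 0 ]; then
            echo "probe $n failed: exit status $rc (139 = SIGSEGV from a NULL dereference, 1 = library returned the old/wrong result)" >&2
            probe_status=1
        fi
    done
    rm -rf "$probe_dir"
    return $probe_status
}

check_cjson_null_fixes
case $? in
    0) echo "libcjson: NULL-check fixes present and ordinary insert works" ;;
    1) echo "libcjson: at least one probe failed (see messages above)" ;;
    *) echo "libcjson: probe not built (no cc or no libcjson-dev); nothing verified" ;;
esac
```

Run it on the host whose libcjson1 you want to verify, with build-essential and libcjson-dev installed; on a host without the compiler or the development package it reports that nothing was verified rather than a false pass. A 139 from probes 1 to 3 means the corresponding NULL check is absent from the installed library; a 1 from probe 4 means the library refuses ordinary inserts past the head of the array, which is what the `newitem->prev` comparison in the backported patch does to an unlinked new item.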
--- Begin Message ---
Package: release.debian.org
Version: 11.11

Hi,

Each of these bugs relates to an update included in today's final bullseye 11.11 point release.

Regards,

Adam
--- End Message ---