Your message dated Sat, 31 Aug 2024 12:30:55 +0100
with message-id 
<27c418b1a49ffc566f1b9635359e59f6a742be26.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 11.11
has caused the Debian Bug report #1074090,
regarding bullseye-pu: package cjson/1.7.14-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1074090: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074090
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:cjson
X-Debbugs-Cc: cj...@packages.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: bullseye
Severity: normal

[ Reason ]
CVE-2023-50472, CVE-2023-50471, CVE-2024-31755

[ Impact ]
Segmentation violation via the function cJSON_InsertItemInArray at cJSON.c
Segmentation violation via the cJSON_SetValuestring function.
If the valuestring passed to cJSON_SetValuestring is NULL, a null
pointer dereference will happen, which can potentially cause denial of
service (DOS).

[ Tests ]
Upstream's tests continue to pass, and they have also added new tests to cover
the first two CVEs.

[ Risks ]
Patches are minimal, no change to API.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
  * Backport patch to add NULL checks to cJSON_SetValuestring and
    cJSON_InsertItemInArray (CVE-2023-50472, CVE-2023-50471, CVE-2024-31755)
    (Closes: #1059287, #1071742)

[ Other info ]
Security team have marked these security bugs as no-dsa.

-- 
Maytham Alsudany
Debian Maintainer

maytham @ OFTC
maytha8 @ Libera
diff -Nru cjson-1.7.14/debian/changelog cjson-1.7.14/debian/changelog
--- cjson-1.7.14/debian/changelog	2020-09-06 22:48:14.000000000 +0800
+++ cjson-1.7.14/debian/changelog	2024-06-23 15:27:49.000000000 +0800
@@ -1,3 +1,12 @@
+cjson (1.7.14-1+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport patch to add NULL checks to cJSON_SetValuestring and
+    cJSON_InsertItemInArray (CVE-2023-50472, CVE-2023-50471, CVE-2024-31755)
+    (Closes: #1059287, #1071742)
+
+ -- Maytham Alsudany <maytha8the...@gmail.com>  Sun, 23 Jun 2024 15:27:49 +0800
+
 cjson (1.7.14-1) unstable; urgency=medium
 
   * New upstream release 1.7.14.
diff -Nru cjson-1.7.14/debian/gbp.conf cjson-1.7.14/debian/gbp.conf
--- cjson-1.7.14/debian/gbp.conf	1970-01-01 08:00:00.000000000 +0800
+++ cjson-1.7.14/debian/gbp.conf	2024-06-23 14:56:13.000000000 +0800
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = debian/bullseye
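Review bot: the new debian/gbp.conf with `debian-branch = debian/bullseye` is packaging metadata unrelated to the three CVE fixes, and the changelog entry in this debdiff does not mention it although the checklist states that all changes are documented in d/changelog. Either leave it out of the stable update or add a changelog line for it so the [Risks] claim of minimal patches stays accurate.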
diff -Nru cjson-1.7.14/debian/patches/0001-add-null-checkings.patch cjson-1.7.14/debian/patches/0001-add-null-checkings.patch
--- cjson-1.7.14/debian/patches/0001-add-null-checkings.patch	1970-01-01 08:00:00.000000000 +0800
+++ cjson-1.7.14/debian/patches/0001-add-null-checkings.patch	2024-06-23 14:56:05.000000000 +0800
@@ -0,0 +1,101 @@
+Origin: backport, https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8
+From: Peter Alfred Lee <peter...@apache.com>
+Bug: https://github.com/DaveGamble/cJSON/issues/803
+Bug: https://github.com/DaveGamble/cJSON/issues/802
+Bug-Debian: https://bugs.debian.org/1059287
+Acked-by: Maytham Alsudany <maytha8the...@gmail.com>
+Subject: [PATCH] add NULL checkings (#809)
+ * add NULL checks in cJSON_SetValuestring
+ Fixes #803(CVE-2023-50472)
+ .
+ * add NULL check in cJSON_InsertItemInArray
+ Fixes #802(CVE-2023-50471)
+ .
+ * add tests for NULL checks
+ add tests for NULL checks in cJSON_InsertItemInArray and cJSON_SetValuestring
+
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -397,7 +397,12 @@
+ {
+     char *copy = NULL;
+     /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */
+-    if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference))
++    if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference))
++    {
++        return NULL;
++    }
++    /* return NULL if the object is corrupted */
++    if (object->valuestring == NULL)
+     {
+         return NULL;
+     }
+@@ -2258,7 +2263,7 @@
+ {
+     cJSON *after_inserted = NULL;
+ 
+-    if (which < 0)
++    if (which < 0 || newitem == NULL)
+     {
+         return false;
+     }
+@@ -2269,6 +2274,11 @@
+         return add_item_to_array(array, newitem);
+     }
+ 
++    if (after_inserted != array->child && newitem->prev == NULL) {
++        /* return false if after_inserted is a corrupted array item */
++        return false;
++    }
++
+     newitem->next = after_inserted;
+     newitem->prev = after_inserted->prev;
+     after_inserted->prev = newitem;
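Review bot: the corruption guard added to cJSON_InsertItemInArray tests `newitem->prev == NULL`, but its comment says it rejects a corrupted `after_inserted`, and the accompanying test corrupts `item2->prev` (the node already at the target index), not the item being inserted. A node that was just created and never linked into a list has no predecessor, so with this condition every insertion of such a node at an index other than 0 is refused, while a corrupted `after_inserted` is only caught when `newitem` happens to have a NULL `prev`; in the other case `newitem->prev = after_inserted->prev` still copies the NULL link. Suggest `if (after_inserted != array->child && after_inserted->prev == NULL)`, and checking which form the upstream commit named in the Origin line actually carries before uploading.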
+--- a/tests/misc_tests.c
++++ b/tests/misc_tests.c
+@@ -353,6 +353,19 @@
+ {
+     char buffer[10];
+     cJSON *item = cJSON_CreateString("item");
++    cJSON *array = cJSON_CreateArray();
++    cJSON *item1 = cJSON_CreateString("item1");
++    cJSON *item2 = cJSON_CreateString("corrupted array item3");
++    cJSON *corruptedString = cJSON_CreateString("corrupted");
++    struct cJSON *originalPrev;
++
++    add_item_to_array(array, item1);
++    add_item_to_array(array, item2);
++
++    originalPrev = item2->prev;
++    item2->prev = NULL;
++    free(corruptedString->valuestring);
++    corruptedString->valuestring = NULL;
+ 
+     cJSON_InitHooks(NULL);
+     TEST_ASSERT_NULL(cJSON_Parse(NULL));
+@@ -412,6 +425,8 @@
+     cJSON_DeleteItemFromObject(item, NULL);
+     cJSON_DeleteItemFromObjectCaseSensitive(NULL, "item");
+     cJSON_DeleteItemFromObjectCaseSensitive(item, NULL);
++    TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 0, NULL));
++    TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item));
+     TEST_ASSERT_FALSE(cJSON_InsertItemInArray(NULL, 0, item));
+     TEST_ASSERT_FALSE(cJSON_InsertItemInArray(item, 0, NULL));
+     TEST_ASSERT_FALSE(cJSON_ReplaceItemViaPointer(NULL, item, item));
+@@ -428,10 +443,16 @@
+     TEST_ASSERT_NULL(cJSON_Duplicate(NULL, true));
+     TEST_ASSERT_FALSE(cJSON_Compare(item, NULL, false));
+     TEST_ASSERT_FALSE(cJSON_Compare(NULL, item, false));
++    TEST_ASSERT_NULL(cJSON_SetValuestring(NULL, "test"));
++    TEST_ASSERT_NULL(cJSON_SetValuestring(corruptedString, "test"));
+     cJSON_Minify(NULL);
+     /* skipped because it is only used via a macro that checks for NULL */
+     /* cJSON_SetNumberHelper(NULL, 0); */
+ 
++    /* restore corrupted item2 to delete it */
++    item2->prev = originalPrev;
++    cJSON_Delete(corruptedString);
++    cJSON_Delete(array);
+     cJSON_Delete(item);
+ }
+ 
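Review bot: the added assertions only exercise failure paths. `TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item))` passes whether the guard inspects `after_inserted->prev` or `newitem->prev`, because `item` is freshly created and `item2->prev` has been cleared, so it cannot tell the two apart. A positive case that inserts a fresh item at index 1 of an intact array and asserts true plus the resulting order would protect the stable update from a functional regression. Separately, `free(corruptedString->valuestring)` calls libc free directly rather than the library's configured deallocator, which is only safe if no earlier test installed custom hooks; a one-line comment saying so would help.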
diff -Nru cjson-1.7.14/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch cjson-1.7.14/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch
--- cjson-1.7.14/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch	1970-01-01 08:00:00.000000000 +0800
+++ cjson-1.7.14/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch	2024-06-23 14:56:05.000000000 +0800
@@ -0,0 +1,23 @@
+Origin: backport, https://github.com/DaveGamble/cJSON/commit/7e4d5dabe7a9b754c601f214e65b544e67ba9f59
+From: Up-wind <lj.upw...@gmail.com>
+Bug: https://github.com/DaveGamble/cJSON/issues/839
+Bug-Debian: https://bugs.debian.org/1071742
+Acked-by: Maytham Alsudany <maytha8the...@gmail.com>
+Subject: [PATCH] Add NULL check to cJSON_SetValuestring()
+ If the valuestring passed to cJSON_SetValuestring is NULL, a null pointer
+ dereference will happen. This patch adds the NULL check of valuestring before
+ it is dereferenced.
+ .
+ Fix for CVE-2024-31755.
+
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -402,7 +402,7 @@
+         return NULL;
+     }
+     /* return NULL if the object is corrupted */
+-    if (object->valuestring == NULL)
++    if (object->valuestring == NULL || valuestring == NULL)
+     {
+         return NULL;
+     }
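Review bot: this hunk's context lines (the `/* return NULL if the object is corrupted */` comment and the `object->valuestring == NULL` test) exist only once 0001-add-null-checkings.patch has been applied, so the two entries in debian/patches/series must keep this order; a note in the 0002 header recording the dependency would save the next uploader from reordering them. The combined condition itself is right: a NULL `valuestring` argument is now rejected before it can be dereferenced, which is the CVE-2024-31755 case described in the header.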
diff -Nru cjson-1.7.14/debian/patches/series cjson-1.7.14/debian/patches/series
--- cjson-1.7.14/debian/patches/series	1970-01-01 08:00:00.000000000 +0800
+++ cjson-1.7.14/debian/patches/series	2024-06-23 14:53:00.000000000 +0800
@@ -0,0 +1,2 @@
+0001-add-null-checkings.patch
+0002-add-null-check-to-cjson-setvaluestring.patch

Attachment: signature.asc
Description: This is a digitally signed message part


--- End Message ---
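The three fixes in the debdiff above all come down to the same defensive pattern: validate every pointer a public API receives, and refuse to operate on a node whose links look corrupted, before touching memory through it. The following C program is an added example, not cJSON's code and not part of the bug report; it builds a small stand-alone node type (constructed here, with constant names and a plain doubly-linked list that are simplifications of cJSON's layout) and implements a setter and an array insert that carry the same checks the patches add, so the behaviour can be exercised without the library. The guard on the insert path checks the predecessor of the node at the target index, which is what the patch's comment and test describe.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a cJSON-style node; flag values are illustrative. */
#define NODE_STRING       (1 << 4)
#define NODE_IS_REFERENCE (1 << 8)

typedef struct node {
    struct node *next, *prev, *child;   /* plain doubly-linked list, head->prev is NULL */
    int type;
    char *valuestring;
} node;

static node *node_new(void) { return calloc(1, sizeof(node)); }
static node *node_create_array(void) { return node_new(); }

static node *node_create_string(const char *s) {
    node *n = node_new();
    if (n == NULL) return NULL;
    n->type = NODE_STRING;
    n->valuestring = malloc(strlen(s) + 1);
    if (n->valuestring == NULL) { free(n); return NULL; }
    memcpy(n->valuestring, s, strlen(s) + 1);
    return n;
}

/* Setter with the checks from patches 0001 and 0002: NULL object, wrong type,
 * reference item, corrupted (NULL) stored string, and NULL argument are all
 * rejected before anything is dereferenced. */
static char *set_valuestring(node *object, const char *valuestring) {
    char *copy;
    size_t len;
    if (object == NULL || !(object->type & NODE_STRING) || (object->type & NODE_IS_REFERENCE))
        return NULL;
    if (object->valuestring == NULL || valuestring == NULL)
        return NULL;
    len = strlen(valuestring);
    if (len <= strlen(object->valuestring)) {      /* fits in the existing buffer */
        memcpy(object->valuestring, valuestring, len + 1);
        return object->valuestring;
    }
    copy = malloc(len + 1);
    if (copy == NULL) return NULL;
    memcpy(copy, valuestring, len + 1);
    free(object->valuestring);
    object->valuestring = copy;
    return copy;
}

static node *get_array_item(node *array, size_t index) {
    node *cur = (array == NULL) ? NULL : array->child;
    while (cur != NULL && index > 0) { cur = cur->next; index--; }
    return cur;
}

static bool add_item_to_array(node *array, node *item) {
    node *last;
    if (array == NULL || item == NULL || array == item) return false;
    item->next = NULL;
    if (array->child == NULL) { item->prev = NULL; array->child = item; return true; }
    for (last = array->child; last->next != NULL; last = last->next) {}
    last->next = item;
    item->prev = last;
    return true;
}

/* Insert with the checks from patch 0001: a NULL newitem is refused, and a
 * non-head node at the target index whose prev link is NULL is treated as
 * corrupted and refused instead of being spliced around. */
static bool insert_item_in_array(node *array, int which, node *newitem) {
    node *after_inserted;
    if (which < 0 || newitem == NULL) return false;
    after_inserted = get_array_item(array, (size_t)which);
    if (after_inserted == NULL) return add_item_to_array(array, newitem);  /* past the end */
    if (after_inserted != array->child && after_inserted->prev == NULL) return false;
    newitem->next = after_inserted;
    newitem->prev = after_inserted->prev;
    after_inserted->prev = newitem;
    if (after_inserted == array->child) array->child = newitem;
    else newitem->prev->next = newitem;
    return true;
}

/* Walks the list and verifies every prev pointer matches the forward order. */
static bool array_is_consistent(const node *array) {
    const node *cur, *prev = NULL;
    if (array == NULL) return false;
    for (cur = array->child; cur != NULL; prev = cur, cur = cur->next)
        if (cur->prev != prev) return false;
    return true;
}

static size_t array_length(const node *array) {
    size_t n = 0;
    const node *cur = (array == NULL) ? NULL : array->child;
    for (; cur != NULL; cur = cur->next) n++;
    return n;
}

static void node_delete(node *n) {            /* frees a string node or a whole array */
    node *cur, *next;
    if (n == NULL) return;
    for (cur = n->child; cur != NULL; cur = next) { next = cur->next; node_delete(cur); }
    free(n->valuestring);
    free(n);
}
```

In use, `set_valuestring(s, NULL)` and `set_valuestring(NULL, "x")` return NULL instead of faulting, `insert_item_in_array(a, 0, NULL)` returns false, and corrupting the `prev` link of a middle element makes a subsequent insert at that index return false while inserts into a healthy list succeed; `array_is_consistent` is the check a fuzz harness or unit test would run after each mutation.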
--- Begin Message ---
Package: release.debian.org
Version: 11.11

Hi,

Each of these bugs relates to an update included in today's final
bullseye 11.11 point release.

Regards,

Adam

--- End Message ---
