Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package jawn for openSUSE:Factory checked in at 2022-01-08 23:23:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/jawn (Old) and /work/SRC/openSUSE:Factory/.jawn.new.1892 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jawn" Sat Jan 8 23:23:43 2022 rev:2 rq:944814 version:0.14.1 Changes: --------
--- /work/SRC/openSUSE:Factory/jawn/jawn.changes 2019-12-10 22:41:40.117825912 +0100
+++ /work/SRC/openSUSE:Factory/.jawn.new.1892/jawn.changes 2022-01-08 23:24:26.846272208 +0100
@@ -1,0 +2,7 @@
+Fri Jan 7 10:46:23 UTC 2022 - Pedro Monreal <pmonr...@suse.com>
+
+- Security fix: [bsc#1194358, CVE-2022-21653]
+ * DoS caused by a hash collision in SimpleFacade and MutableFacade
+ * Add jawn-CVE-2022-21653.patch
+
+-------------------------------------------------------------------
New: ---- jawn-CVE-2022-21653.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ jawn.spec ++++++
--- /var/tmp/diff_new_pack.rwyoM5/_old 2022-01-08 23:24:27.394272655 +0100
+++ /var/tmp/diff_new_pack.rwyoM5/_new 2022-01-08 23:24:27.398272659 +0100
@@ -1,7 +1,7 @@
#
# spec file for package jawn
#
-# Copyright (c) 2019 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -30,6 +30,8 @@
Source101: https://repo1.maven.org/maven2/org/typelevel/%{name}-parser_%{scala_version}/%{version}/%{name}-parser_%{scala_version}-%{version}.pom
Source102: https://repo1.maven.org/maven2/org/typelevel/%{name}-util_%{scala_version}/%{version}/%{name}-util_%{scala_version}-%{version}.pom
Source103: https://repo1.maven.org/maven2/org/typelevel/%{name}-json4s_%{scala_version}/%{version}/%{name}-json4s_%{scala_version}-%{version}.pom
+#PATCH-FIX-UPSTREAM bsc#1194358 CVE-2022-21653: DoS caused by a hash collision
+Patch0: jawn-CVE-2022-21653.patch
BuildRequires: ant-scala
BuildRequires: javapackages-local
BuildRequires: json4s-jackson 
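Review bot: The new `#PATCH-FIX-UPSTREAM` comment above `Patch0` names the bug and the CVE but neither the patch file nor where the fix was taken from, so a reviewer cannot tell whether the backport matches the upstream change. The openSUSE patch-comment convention carries the file name and a `--` separated description, e.g. `# PATCH-FIX-UPSTREAM jawn-CVE-2022-21653.patch bsc#1194358 CVE-2022-21653 -- DoS caused by a hash collision in SimpleFacade and MutableFacade`, ideally followed by the upstream commit or advisory reference. If the patch is a local adaptation rather than the upstream commit applied as-is, `PATCH-FIX-OPENSUSE` would be the accurate tag.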
@@ -83,7 +85,7 @@ This package contains support to parse to json4s AST.
%prep
-%setup -q -a1
+%autosetup -a1 -p1
%{mvn_package} :%{name}-{*}_%{scala_version} @1
++++++ jawn-CVE-2022-21653.patch ++++++
Index: jawn-0.14.1/parser/src/main/scala/jawn/MutableFacade.scala
===================================================================
--- jawn-0.14.1.orig/parser/src/main/scala/jawn/MutableFacade.scala
+++ jawn-0.14.1/parser/src/main/scala/jawn/MutableFacade.scala
@@ -1,6 +1,8 @@
package org.typelevel.jawn
import scala.collection.mutable
+import scala.collection.JavaConverters._
+import java.util.HashMap
trait MutableFacade[J] extends Facade[J] {
def jarray(vs: mutable.ArrayBuffer[J]): J
@@ -24,7 +26,7 @@ trait MutableFacade[J] extends Facade[J]
def objectContext() = new FContext[J] {
var key: String = null
- val vs = mutable.Map.empty[String, J]
+ val vs = (new HashMap[String, J]).asScala
def add(s: CharSequence): Unit =
if (key == null) { key = s.toString } else { vs(key) = jstring(s); key = null }
def add(v: J): Unit =
Index: jawn-0.14.1/parser/src/main/scala/jawn/SimpleFacade.scala
===================================================================
--- jawn-0.14.1.orig/parser/src/main/scala/jawn/SimpleFacade.scala
+++ jawn-0.14.1/parser/src/main/scala/jawn/SimpleFacade.scala
@@ -1,6 +1,8 @@
package org.typelevel.jawn
import scala.collection.mutable
+import scala.collection.immutable.TreeMap
+import scala.collection.JavaConverters._
/**
* Facade is a type class that describes how Jawn should construct
@@ -31,7 +33,7 @@ trait SimpleFacade[J] extends Facade[J]
def objectContext() = new FContext[J] {
var key: String = null
- var vs = Map.empty[String, J]
+ var vs = TreeMap.empty[String, J]
def add(s: CharSequence): Unit =
if (key == null) { key = s.toString } else { vs = vs.updated(key, jstring(s)); key = null }
def add(v: J): Unit =
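Review bot: The new `val vs = (new HashMap[String, J]).asScala` in MutableFacade's `objectContext` carries no comment saying why a `java.util.HashMap` replaces `mutable.Map.empty`, so a later "use Scala collections" cleanup could quietly undo the CVE fix. As I read it, the mitigation rests on the JDK map converting a bucket with many colliding keys into a balanced tree (JDK 8 and later), which bounds the per-insert cost for colliding keys, while the Scala mutable map chains colliding entries linearly. I would put `// java.util.HashMap treeifies colliding buckets (JDK 8+), bounding insert cost under key collisions; do not revert to mutable.Map` directly above the `val`. `objectContext` continues past the hunk, so the `finish` that hands `vs` to `jobject` is not visible here; `asScala` yields a `mutable.Map` view so the visible `vs(key) = ...` still compiles, but anything downstream that relied on the concrete Scala `HashMap` type would not. The `TreeMap` switch in the SimpleFacade `objectContext` hunk deserves the same one-line rationale, plus a note that iteration order of the resulting map becomes lexicographic by key rather than hash order, which consumers of `jobject` may observe.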
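Review bot: `import scala.collection.JavaConverters._` is added to SimpleFacade.scala, but nothing in this file's visible hunks uses it; the `objectContext` change below needs only `TreeMap`, so the import looks carried over from the MutableFacade edit. Unless a hunk beyond the end of this page depends on it, I would drop that line: with unused-import warnings and `-Xfatal-warnings` it becomes a build failure, and on Scala 2.13 `JavaConverters` is deprecated as well. `import scala.collection.immutable.TreeMap` is the only import the fix in this file actually requires.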