
Bug#980268: buster-pu: cjson/1.7.10-1.1+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu


Dear Release Team,

I intend to fix https://bugs.debian.org/973442 in Buster. Under some
circumstances, the user input will cause an infinite loop in the libcjson
library. This is a regression introduced by the patch for CVE-2019-11835
and was fixed in cjson/1.7.12. Currently Buster has 1.7.10-1.1. Sid and
Testing have 1.7.14, so Testing/Sid are not affected by this bug.

This upload cherry-picks a commit provided by upstream as well as the
corresponding test suite. The full debdiff is in the attachment.

Thanks and please let me know if you have any questions.

Regards,
Boyuan Yang
diff -Nru cjson-1.7.10/debian/changelog cjson-1.7.10/debian/changelog
--- cjson-1.7.10/debian/changelog	2019-05-14 04:52:20.000000000 -0400
+++ cjson-1.7.10/debian/changelog	2021-01-16 17:33:31.000000000 -0500
@@ -1,3 +1,11 @@
+cjson (1.7.10-1.1+deb10u1) buster; urgency=medium
+
+  * Cherry pick upstream commit 08d2bc766a82cd75764d036f9efef444590d1cf9,
+    which fixes an infinite loop regression introduced in the previous
+    patch. (Closes: #973442)
+
+ -- Boyuan Yang <byang@debian.org>  Sat, 16 Jan 2021 17:33:31 -0500
+
 cjson (1.7.10-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
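Review bot: The new 1.7.10-1.1+deb10u1 entry says the regression came from "the previous patch" without naming it. Naming the patch (debian/patches/series lists only 0001-PATCH-Rewrite-cJSON_Minify-fixing-buffer-overflows-f.patch before this one) or the CVE it addressed would let the entry be read on its own, and it could also mention that the upstream test case is included.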
diff -Nru cjson-1.7.10/debian/patches/08d2bc766a82cd75764d036f9efef444590d1cf9.patch cjson-1.7.10/debian/patches/08d2bc766a82cd75764d036f9efef444590d1cf9.patch
--- cjson-1.7.10/debian/patches/08d2bc766a82cd75764d036f9efef444590d1cf9.patch	1969-12-31 19:00:00.000000000 -0500
+++ cjson-1.7.10/debian/patches/08d2bc766a82cd75764d036f9efef444590d1cf9.patch	2021-01-16 17:33:24.000000000 -0500
@@ -0,0 +1,50 @@
+From 08d2bc766a82cd75764d036f9efef444590d1cf9 Mon Sep 17 00:00:00 2001
+From: Max Bruckner <max@maxbruckner.de>
+Date: Thu, 16 May 2019 20:01:02 +0200
+Subject: [PATCH] Fix infinite loop in cJSON_Minify
+
+Bug-Debian: https://bugs.debian.org/973442
+Applied-Upstream: https://github.com/DaveGamble/cJSON/commit/08d2bc766a82cd75764d036f9efef444590d1cf9
+---
+ cJSON.c              | 2 ++
+ tests/minify_tests.c | 7 +++++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/cJSON.c b/cJSON.c
+index 3a5dc547..f9c2ffa5 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -2717,6 +2717,8 @@ CJSON_PUBLIC(void) cJSON_Minify(char *json)
+                 else if (json[1] == '*')
+                 {
+                     skip_multiline_comment(&json);
++                } else {
++                    json++;
+                 }
+                 break;
+ 
+diff --git a/tests/minify_tests.c b/tests/minify_tests.c
+index e39a9446..000821db 100644
+--- a/tests/minify_tests.c
++++ b/tests/minify_tests.c
+@@ -152,6 +152,12 @@ static void cjson_minify_should_minify_json(void) {
+     free(buffer);
+ }
+ 
++static void cjson_minify_should_not_loop_infinitely(void) {
++    char string[] = { '8', ' ', '/', ' ', '5', '\n', '\0' };
++    /* this should not be an infinite loop */
++    cJSON_Minify(string);
++}
++
+ int CJSON_CDECL main(void)
+ {
+     UNITY_BEGIN();
+@@ -162,6 +168,7 @@ int CJSON_CDECL main(void)
+     RUN_TEST(cjson_minify_should_remove_multiline_comments);
+     RUN_TEST(cjson_minify_should_remove_spaces);
+     RUN_TEST(cjson_minify_should_not_modify_strings);
++    RUN_TEST(cjson_minify_should_not_loop_infinitely);
+ 
+     return UNITY_END();
+ }
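Review bot: The added test cjson_minify_should_not_loop_infinitely in tests/minify_tests.c has no assertion and no time bound, so a regression would hang the test run instead of failing it, and the contents of `string` after cJSON_Minify returns are never checked. The new else branch in cJSON.c only advances `json`, so asserting the expected output buffer in the test would pin down what happens to the stray '/'. The `} else {` placement also differs from the brace-on-its-own-line style of the surrounding context lines.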
diff -Nru cjson-1.7.10/debian/patches/series cjson-1.7.10/debian/patches/series
--- cjson-1.7.10/debian/patches/series	2019-05-14 04:52:20.000000000 -0400
+++ cjson-1.7.10/debian/patches/series	2021-01-16 17:32:41.000000000 -0500
@@ -1 +1,2 @@
 0001-PATCH-Rewrite-cJSON_Minify-fixing-buffer-overflows-f.patch
+08d2bc766a82cd75764d036f9efef444590d1cf9.patch
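
An added example, not code from cJSON or from this upload: a simplified C model of the minify loop showing why the `else { json++; }` branch in the cherry-picked commit matters, with a step budget so the unfixed variant returns an error instead of hanging. `minify_model`, its `advance_on_lone_slash` flag and the budget are hypothetical names, and string-literal handling is left out.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a minify loop (not cJSON's source; strings not handled).
 * Returns 0 when the input was consumed, -1 when the step budget ran out.
 * advance_on_lone_slash = 0 models the loop without the added else branch. */
static int minify_model(char *json, int advance_on_lone_slash, size_t budget)
{
    char *into = json;

    while (json[0] != '\0')
    {
        if (budget-- == 0) return -1; /* watchdog: input is no longer consumed */
        switch (json[0])
        {
            case ' ': case '\t': case '\r': case '\n':
                json++;
                break;
            case '/':
                if (json[1] == '/')
                {   /* one-line comment: skip to end of line */
                    while (json[0] != '\0' && json[0] != '\n') json++;
                }
                else if (json[1] == '*')
                {   /* multi-line comment: skip past the closing marker */
                    char *end = strstr(json + 2, "*/");
                    json = (end != NULL) ? end + 2 : json + strlen(json);
                }
                else if (advance_on_lone_slash)
                {
                    json++; /* the fix: a lone '/' is consumed (and dropped) */
                }
                break;
            default:
                *into++ = *json++;
        }
    }
    *into = '\0';
    return 0;
}

int main(void)
{
    char a[] = "8 / 5\n", b[] = "8 / 5\n"; /* input taken from the test in the patch */
    printf("without else branch: %d\n", minify_model(a, 0, sizeof(a)));
    printf("with else branch:    %d -> \"%s\"\n", minify_model(b, 1, sizeof(b)), b);
    return 0;
}
```

A budget of the buffer size is enough because every iteration that makes progress consumes at least one input byte.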
