
Bug#1068695: bookworm-pu: package json-smart/2.2-2+deb12u1



Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Bastien Roucariès <rouca@debian.org>
Control: affects -1 + src:json-smart
Control: block 1039985 with -1
Control: block 1033474 with -1

[ Reason ]
Two CVEs were fixed in buster-lts, but not yet in bullseye or later,
causing version skew on upgrades:

 json-smart | 2.2-1         | stretch         | source
 json-smart | 2.2-2         | buster          | source
 json-smart | 2.2-2         | bullseye        | source
 json-smart | 2.2-2         | bookworm        | source
 json-smart | 2.2-2         | trixie          | source
 json-smart | 2.2-2         | sid             | source
 json-smart | 2.2-2+deb10u1 | buster-security | source

[ Impact ]
Unfixed CVEs.
Versions going backward and confusing QA tools.

[ Tests ]
Build-time testsuite contains a new test.

[ Risks ]
Fixed version in buster-lts for one year already.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable
      NMU in DELAYED

[ Changes ]
 debian/changelog                                   |  33 +++++
 debian/control                                     |   4 +-
 .../patches/0004-CVE-2021-31684-Fix-indexOf.patch  |  27 ++++
 ...70-stack-overflow-due-to-excessive-recurs.patch | 156 +++++++++++++++++++++
 debian/patches/01-bundle-dependencies.patch        |  15 +-
 debian/patches/02-ignore-failing-tests.patch       |  16 ++-
 debian/patches/series                              |   2 +
 7 files changed, 244 insertions(+), 9 deletions(-)

json-smart (2.2-2+deb12u1) bookworm; urgency=medium

  * Non-maintainer upload.
  * Rebuild for bookworm.  (Closes: #1039985)

 -- Andreas Beckmann <anbe@debian.org>  Tue, 09 Apr 2024 10:01:36 +0200

json-smart (2.2-2+deb11u1) bullseye; urgency=medium

  * Non-maintainer upload.
  * Update Vcs-* URLs to point to salsa.debian.org.
  * Rebuild for bullseye.  (Closes: #1039985)

 -- Andreas Beckmann <anbe@debian.org>  Tue, 09 Apr 2024 09:36:58 +0200

json-smart (2.2-2+deb10u1) buster-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * CVE-2023-1370: stack overflow due to excessive recursion
    When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code
    parses an array or an object respectively. It was discovered that the
    code does not have any limit to the nesting of such arrays or
    objects. Since the parsing of nested arrays and objects is done
    recursively, nesting too many of them can cause a stack exhaustion
    (stack overflow) and crash the software. (Closes: #1033474)
  * CVE-2021-31684: Fix indexOf
    A vulnerability was discovered in the indexOf function of
    JSONParserByteArray in JSON Smart versions 1.3 and 2.4
    which causes a denial of service (DOS)
    via a crafted web request.

 -- Bastien Roucariès <rouca@debian.org>  Wed, 29 Mar 2023 22:21:33 +0000

[ Other info ]
n/a


Andreas
diff --git a/debian/changelog b/debian/changelog
index 70116d2..877457c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,36 @@
+json-smart (2.2-2+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for bookworm.  (Closes: #1039985)
+
+ -- Andreas Beckmann <anbe@debian.org>  Tue, 09 Apr 2024 10:01:36 +0200
+
+json-smart (2.2-2+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Update Vcs-* URLs to point to salsa.debian.org.
+  * Rebuild for bullseye.  (Closes: #1039985)
+
+ -- Andreas Beckmann <anbe@debian.org>  Tue, 09 Apr 2024 09:36:58 +0200
+
+json-smart (2.2-2+deb10u1) buster-security; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * CVE-2023-1370: stack overflow due to excessive recursion
+    When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code
+    parses an array or an object respectively. It was discovered that the
+    code does not have any limit to the nesting of such arrays or
+    objects. Since the parsing of nested arrays and objects is done
+    recursively, nesting too many of them can cause a stack exhaustion
+    (stack overflow) and crash the software. (Closes: #1033474)
+  * CVE-2021-31684: Fix indexOf
+    A vulnerability was discovered in the indexOf function of
+    JSONParserByteArray in JSON Smart versions 1.3 and 2.4
+    which causes a denial of service (DOS)
+    via a crafted web request.
+
+ -- Bastien Roucariès <rouca@debian.org>  Wed, 29 Mar 2023 22:21:33 +0000
+
 json-smart (2.2-2) unstable; urgency=medium
 
   * Team upload.
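Review bot: the deb12u1 stanza says only "Rebuild for bookworm", so a reader of the bookworm changelog has to find the nested deb10u1 stanza to learn that this upload brings CVE-2021-31684 and CVE-2023-1370 into bookworm; naming both CVEs (and #1033474) in the deb12u1 entry itself would let the security tracker and apt-listchanges show them directly. The CVE-2021-31684 text also quotes upstream's "JSON Smart versions 1.3 and 2.4", which reads oddly next to the 2.2 version being patched; a short clause noting that the same defective loop is present in 2.2 (as the 0004 patch below shows) would avoid the confusion.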
diff --git a/debian/control b/debian/control
index 6488a01..deb7c40 100644
--- a/debian/control
+++ b/debian/control
@@ -6,8 +6,8 @@ Uploaders: Emmanuel Bourg <ebourg@apache.org>
 Build-Depends: debhelper (>= 10), default-jdk, maven-debian-helper (>= 1.5)
 Build-Depends-Indep: libmaven-bundle-plugin-java, junit
 Standards-Version: 4.1.1
-Vcs-Git: https://anonscm.debian.org/git/pkg-java/json-smart.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/json-smart.git
+Vcs-Browser: https://salsa.debian.org/java-team/json-smart
+Vcs-Git: https://salsa.debian.org/java-team/json-smart.git
 Homepage: http://netplex.github.io/json-smart/
 
 Package: libjson-smart-java
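Review bot: the Vcs-Browser/Vcs-Git rewrite is unrelated to the two CVE fixes this update exists for; it is documented in the deb11u1 stanza, which is acceptable for a pu, but the hunk also swaps the field order relative to the original (Vcs-Git before Vcs-Browser), which makes the diff two-lines-removed-two-lines-added instead of the one-URL-per-line change it really is. Keeping the original order would make the review trivially verifiable.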
diff --git a/debian/patches/0004-CVE-2021-31684-Fix-indexOf.patch b/debian/patches/0004-CVE-2021-31684-Fix-indexOf.patch
new file mode 100644
index 0000000..d085f43
--- /dev/null
+++ b/debian/patches/0004-CVE-2021-31684-Fix-indexOf.patch
@@ -0,0 +1,27 @@
+From: HAPPY <pcy190@126.com>
+Date: Fri, 16 Apr 2021 11:22:47 +0800
+Subject: CVE-2021-31684: Fix indexOf
+
+A vulnerability was discovered in the indexOf function of JSONParserByteArray
+in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS)
+via a crafted web request.
+
+origin: https://github.com/netplex/json-smart-v2/commit/6ecff1c2974eaaab2e74e441bdf5ba8495227bf5.patch
+bug: https://github.com/netplex/json-smart-v2/issues/67
+---
+ .../src/main/java/net/minidev/json/parser/JSONParserByteArray.java      | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/json-smart/src/main/java/net/minidev/json/parser/JSONParserByteArray.java b/json-smart/src/main/java/net/minidev/json/parser/JSONParserByteArray.java
+index 1849116..605d007 100644
+--- a/json-smart/src/main/java/net/minidev/json/parser/JSONParserByteArray.java
++++ b/json-smart/src/main/java/net/minidev/json/parser/JSONParserByteArray.java
+@@ -75,7 +75,7 @@ class JSONParserByteArray extends JSONParserMemory {
+ 	}
+ 
+ 	protected int indexOf(char c, int pos) {
+-		for (int i = pos; pos < len; i++)
++		for (int i = pos; i < len; i++)
+ 			if (in[i] == (byte) c)
+ 				return i;
+ 		return -1;
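Review bot: the patch carries no regression test for the indexOf fix, unlike 0005 which adds TestOverflow. The defect is visible in the removed line: the guard `pos < len` never changes while `i` advances, so the loop only stops on a match or when `i` runs off the end of the array, and a search for a character absent from the remaining input either reads bytes beyond `len` or ends in an ArrayIndexOutOfBoundsException instead of returning -1. A small test that parses input lacking the searched character and expects a clean ParseException would pin the corrected bound. The "origin:" and "bug:" header lines are a good DEP-3 touch.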
diff --git a/debian/patches/0005-CVE-2023-1370-stack-overflow-due-to-excessive-recurs.patch b/debian/patches/0005-CVE-2023-1370-stack-overflow-due-to-excessive-recurs.patch
new file mode 100644
index 0000000..c789215
--- /dev/null
+++ b/debian/patches/0005-CVE-2023-1370-stack-overflow-due-to-excessive-recurs.patch
@@ -0,0 +1,156 @@
+From: UrielCh <uriel.chemouni@gmail.com>
+Date: Sun, 5 Mar 2023 13:01:10 +0200
+Subject: CVE-2023-1370: stack overflow due to excessive recursion
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code
+parses an array or an object respectively. It was discovered that the
+code does not have any limit to the nesting of such arrays or
+objects. Since the parsing of nested arrays and objects is done
+recursively, nesting too many of them can cause a stack exhaustion
+(stack overflow) and crash the software.
+
+origin: https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a.patch
+bug: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033474
+---
+ .../net/minidev/json/parser/JSONParserBase.java    | 17 +++++++++++++-
+ .../net/minidev/json/parser/ParseException.java    |  9 +++++++-
+ .../java/net/minidev/json/test/TestOverflow.java   | 27 ++++++++++++++++++++++
+ 3 files changed, 51 insertions(+), 2 deletions(-)
+ create mode 100644 json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
+
+diff --git a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
+index 96d6bb6..f65b8c5 100644
+--- a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
++++ b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
+@@ -20,6 +20,7 @@ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_EOF;
+ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_LEADING_0;
+ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_TOKEN;
+ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_UNICODE;
++import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_JSON_DEPTH;
+ 
+ import java.io.IOException;
+ import java.math.BigDecimal;
+@@ -39,6 +40,12 @@ import net.minidev.json.writer.JsonReaderI;
+  */
+ abstract class JSONParserBase {
+ 	protected char c;
++   	/**
++	 * hard coded maximal depth for JSON parsing
++	 */
++	public final static int MAX_DEPTH = 400;
++	protected int depth = 0;
++
+ 	JsonReader base;
+ 	public final static byte EOI = 0x1A;
+ 	protected static final char MAX_STOP = 126; // '}' -> 125
+@@ -232,9 +239,12 @@ abstract class JSONParserBase {
+ 	abstract protected void read() throws IOException;
+ 
+ 	protected <T> T readArray(JsonReaderI<T> mapper) throws ParseException, IOException {
+-		Object current = mapper.createArray();
+ 		if (c != '[')
+ 			throw new RuntimeException("Internal Error");
++		if (++this.depth > MAX_DEPTH) {
++			throw new ParseException(pos, ERROR_UNEXPECTED_JSON_DEPTH, c);
++		}
++		Object current = mapper.createArray();
+ 		read();
+ 		boolean needData = false;
+ 		//
+@@ -249,6 +259,7 @@ abstract class JSONParserBase {
+ 			case ']':
+ 				if (needData && !acceptUselessComma)
+ 					throw new ParseException(pos, ERROR_UNEXPECTED_CHAR, (char) c);
++				this.depth--;
+ 				read(); /* unstack */
+ 				//
+ 				return mapper.convert(current);
+@@ -485,6 +496,9 @@ abstract class JSONParserBase {
+ 		//
+ 		if (c != '{')
+ 			throw new RuntimeException("Internal Error");
++		if (++this.depth > MAX_DEPTH) {
++			throw new ParseException(pos, ERROR_UNEXPECTED_JSON_DEPTH, c);
++		}
+ 		Object current = mapper.createObject();
+ 		boolean needData = false;
+ 		boolean acceptData = true;
+@@ -504,6 +518,7 @@ abstract class JSONParserBase {
+ 			case '}':
+ 				if (needData && !acceptUselessComma)
+ 					throw new ParseException(pos, ERROR_UNEXPECTED_CHAR, (char) c);
++				this.depth--;
+ 				read(); /* unstack */
+ 				//
+ 				return mapper.convert(current);
+diff --git a/json-smart/src/main/java/net/minidev/json/parser/ParseException.java b/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
+index e652cf2..42f11f2 100644
+--- a/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
++++ b/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
+@@ -1,7 +1,7 @@
+ package net.minidev.json.parser;
+ 
+ /*
+- *    Copyright 2011 JSON-SMART authors
++ *    Copyright 2011-2023 JSON-SMART authors
+  *
+  * Licensed under the Apache License, Version 2.0 (the "License");
+  * you may not use this file except in compliance with the License.
+@@ -30,6 +30,7 @@ public class ParseException extends Exception {
+ 	public static final int ERROR_UNEXPECTED_UNICODE = 4;
+ 	public static final int ERROR_UNEXPECTED_DUPLICATE_KEY = 5;
+ 	public static final int ERROR_UNEXPECTED_LEADING_0 = 6;
++	public static final int ERROR_UNEXPECTED_JSON_DEPTH = 7;
+ 
+ 	private int errorType;
+ 	private Object unexpectedObject;
+@@ -114,6 +115,12 @@ public class ParseException extends Exception {
+ 			sb.append(" at position ");
+ 			sb.append(position);
+ 			sb.append(".");
++		} else if (errorType == ERROR_UNEXPECTED_JSON_DEPTH) {
++			sb.append("Malicious payload, having non natural depths, parsing stoped on ");
++			sb.append(unexpectedObject);
++			sb.append(" at position ");
++			sb.append(position);
++			sb.append(".");
+ 		} else {
+ 			sb.append("Unkown error at position ");
+ 			sb.append(position);
+diff --git a/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java b/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
+new file mode 100644
+index 0000000..18b52e7
+--- /dev/null
++++ b/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
+@@ -0,0 +1,27 @@
++package net.minidev.json.test;
++
++import junit.framework.TestCase;
++import net.minidev.json.JSONValue;
++import net.minidev.json.parser.ParseException;
++
++public class TestOverflow extends TestCase {
++	public void testStress() throws Exception {
++		int size = 10000;
++		StringBuilder sb = new StringBuilder(10 + size*4);
++		for (int i=0; i < size; i++) {
++			sb.append("{a:");
++		}
++		sb.append("true");
++		for (int i=0; i < size; i++) {
++			sb.append("}");
++		}
++		String s = sb.toString();
++		try {
++			JSONValue.parseWithException(s);
++		} catch (ParseException e) {
++			assertEquals(e.getErrorType(), ParseException.ERROR_UNEXPECTED_JSON_DEPTH);
++			return;
++		}
++		assertEquals(0,1);
++	}
++}
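Review bot: `depth` is decremented only on the `]` and `}` return paths (the two `this.depth--` lines), and nothing in this hunk resets it at the start of a parse, so any ParseException thrown inside a nested structure (for example the ERROR_UNEXPECTED_CHAR throws in the `]`/`}` cases directly above each decrement) leaves `depth` permanently raised; if a JSONParserBase instance is reused, each failed parse silently lowers the remaining budget until valid input is rejected with ERROR_UNEXPECTED_JSON_DEPTH. Resetting `depth = 0` at the top of each top-level parse, or decrementing in a finally block, closes that. Smaller points in the same hunk: the new message text "parsing stoped on" should read "parsing stopped on" (and the pre-existing "Unkown error" in the adjacent branch could be fixed while here); the javadoc opener above `MAX_DEPTH` is indented with spaces followed by a tab where the surrounding code uses tabs only; in TestOverflow, `assertEquals(e.getErrorType(), ParseException.ERROR_UNEXPECTED_JSON_DEPTH)` passes the expected value second, so a failure message would read backwards, and `assertEquals(0,1)` is clearer as `fail("no ParseException thrown")`.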
diff --git a/debian/patches/01-bundle-dependencies.patch b/debian/patches/01-bundle-dependencies.patch
index 46b3040..778d0cc 100644
--- a/debian/patches/01-bundle-dependencies.patch
+++ b/debian/patches/01-bundle-dependencies.patch
@@ -1,7 +1,16 @@
-Description: Set the version and the type of the accessors-smart dependency
- to work around a build failure with maven-debian-helper
-Author: Emmanuel Bourg <ebourg@apache.org>
+From: Emmanuel Bourg <ebourg@apache.org>
+Date: Wed, 29 Mar 2023 21:54:56 +0000
+Subject: Set the version and the type of the accessors-smart dependency
+
 Forwarded: not-needed
+
+to work around a build failure with maven-debian-helper
+---
+ json-smart/pom.xml | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/json-smart/pom.xml b/json-smart/pom.xml
+index 33a7dc7..494f327 100644
 --- a/json-smart/pom.xml
 +++ b/json-smart/pom.xml
 @@ -32,6 +32,8 @@
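Review bot: converting the DEP-3 header to git-format-patch style has split the original one-sentence Description: the Subject now ends at "accessors-smart dependency" and the remainder "to work around a build failure with maven-debian-helper" sits as an orphan fragment after "Forwarded: not-needed". Consider making the body a complete sentence ("Set the version and the type of the accessors-smart dependency to work around a build failure with maven-debian-helper.") and keeping "Forwarded:" with the other header fields. The rest of the hunk is header churn with no change to the pom.xml content, which is fine, but a "Refresh patches" line in the changelog would tell the next reader that nothing functional moved here.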
diff --git a/debian/patches/02-ignore-failing-tests.patch b/debian/patches/02-ignore-failing-tests.patch
index 0668dbf..7f5e0e7 100644
--- a/debian/patches/02-ignore-failing-tests.patch
+++ b/debian/patches/02-ignore-failing-tests.patch
@@ -1,9 +1,17 @@
-Description: Ignore TestDateConvert due to timezone dependent tests
-Author: Emmanuel Bourg <ebourg@apache.org>
+From: Emmanuel Bourg <ebourg@apache.org>
+Date: Wed, 29 Mar 2023 21:54:56 +0000
+Subject: Ignore TestDateConvert due to timezone dependent tests
+
 Bug: https://github.com/netplex/json-smart-v2/issues/29
+---
+ .../src/test/java/net/minidev/asm/TestDateConvert.java       | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/accessors-smart/src/test/java/net/minidev/asm/TestDateConvert.java b/accessors-smart/src/test/java/net/minidev/asm/TestDateConvert.java
+index af34745..01a1552 100644
 --- a/accessors-smart/src/test/java/net/minidev/asm/TestDateConvert.java
 +++ b/accessors-smart/src/test/java/net/minidev/asm/TestDateConvert.java
-@@ -11,7 +11,7 @@
+@@ -11,7 +11,7 @@ import junit.framework.TestCase;
  public class TestDateConvert extends TestCase {
  	SimpleDateFormat sdf = new SimpleDateFormat("dd/MM/yyyy HH:mm:ss");
  
@@ -12,7 +20,7 @@ Bug: https://github.com/netplex/json-smart-v2/issues/29
  		String expectedDateText = "23/01/2012 13:42:12";
  		ArrayList<String> tests = new ArrayList<String>();
  		tests.add("23 janvier 2012 13:42:12");
-@@ -35,23 +35,23 @@
+@@ -35,23 +35,23 @@ public class TestDateConvert extends TestCase {
  		ConvertDate.convertToDate(testDate);
  	}
  
diff --git a/debian/patches/series b/debian/patches/series
index 5b3ab1d..e13d434 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,5 @@
 01-bundle-dependencies.patch
 02-ignore-failing-tests.patch
 maven-bundle-plugin-failok.patch
+0004-CVE-2021-31684-Fix-indexOf.patch
+0005-CVE-2023-1370-stack-overflow-due-to-excessive-recurs.patch
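The depth bound that the CVE-2023-1370 changelog entry and the 0005 patch above describe, shown as an added example in Python rather than in the project's Java; this is not code from json-smart or from this upload. It mirrors the patch's structure (a per-parser depth counter checked on every `[` or `{`, with the same MAX_DEPTH of 400) and, in addition, resets the counter on every parse and decrements it in a finally block, so a parse that fails part-way cannot lower the budget of a reused parser instance. Passing `max_depth=None` disables the check and reproduces the unbounded-recursion failure the CVE describes, which Python reports as RecursionError. The grammar subset (arrays, objects with bare keys, true/false/null and integers), the class and function names, and the constructed stress payload are my own choices.

```python
MAX_DEPTH = 400  # the bound the 0005 patch sets as JSONParserBase.MAX_DEPTH

class ParseError(ValueError): pass  # syntax error, like json-smart's other ParseException kinds
class DepthError(ParseError): pass  # nesting limit hit, like ERROR_UNEXPECTED_JSON_DEPTH

class BoundedParser:
    """Parses arrays, objects with bare keys, true/false/null and integers only."""

    def __init__(self, max_depth=MAX_DEPTH):
        self.max_depth = max_depth  # None disables the check: the pre-patch behaviour
        self.s, self.pos, self.depth = "", 0, 0

    def parse(self, text):
        # Reset per call, so a failed parse cannot shrink the budget of the next one.
        self.s, self.pos, self.depth = text, 0, 0
        value = self._value()
        if self.s[self.pos:].strip():
            raise ParseError(f"trailing data at position {self.pos}")
        return value

    def _peek(self):
        while self.pos < len(self.s) and self.s[self.pos] in " \t\r\n":
            self.pos += 1
        if self.pos == len(self.s):
            raise ParseError("unexpected end of input")
        return self.s[self.pos]

    def _expect(self, ch):
        if self._peek() != ch:
            raise ParseError(f"expected {ch!r} at position {self.pos}")
        self.pos += 1

    def _enter(self):
        # The check the patch adds at the top of readArray() and readObject().
        self.depth += 1
        if self.max_depth is not None and self.depth > self.max_depth:
            raise DepthError(f"nesting deeper than {self.max_depth} at position {self.pos}")

    def _value(self):
        c = self._peek()
        if c in "[{":
            return self._container("]" if c == "[" else "}", keyed=(c == "{"))
        return self._literal()

    def _container(self, close, keyed):
        self._enter()
        try:
            self.pos += 1  # consume the '[' or '{' that _value() just saw
            out = {} if keyed else []
            if self._peek() != close:
                while True:
                    if keyed:
                        key = self._word()
                        self._expect(":")
                        out[key] = self._value()
                    else:
                        out.append(self._value())
                    if self._peek() == close:
                        break
                    self._expect(",")
            self.pos += 1  # consume the closer
            return out
        finally:
            self.depth -= 1  # runs on the error path too, unlike the Java patch

    def _word(self):
        self._peek()  # skip whitespace; end of input is an error here anyway
        start = self.pos
        while self.pos < len(self.s) and (self.s[self.pos].isalnum() or self.s[self.pos] in "-_"):
            self.pos += 1
        return self.s[start:self.pos]

    def _literal(self):
        tok = self._word()
        if tok.isdigit() or (tok.startswith("-") and tok[1:].isdigit()):
            return int(tok)
        if tok in ("true", "false", "null"):
            return {"true": True, "false": False, "null": None}[tok]
        raise ParseError(f"bad token {tok!r} at position {self.pos}")

def classify(text, max_depth=MAX_DEPTH, parser=None):
    """How a parse ended: 'ok', 'depth' (limit hit), 'syntax' or 'stack'."""
    parser = parser if parser is not None else BoundedParser(max_depth)
    try:
        parser.parse(text)
        return "ok"
    except DepthError:
        return "depth"
    except ParseError:
        return "syntax"
    except RecursionError:
        return "stack"  # CVE-2023-1370's failure mode: the interpreter's stack ran out

def stress_payload(size=10000):
    # Constructed in the shape of upstream's TestOverflow: `size` nested objects.
    return "{a:" * size + "true" + "}" * size

def reuse_after_failure(max_depth=3):
    # One instance: a syntax error three levels down, then a valid three-level input.
    p = BoundedParser(max_depth)
    return classify("[[[1", parser=p), classify("[[[1]]]", parser=p)
```

`classify(stress_payload())` returns `"depth"` with the limit in place and `"stack"` with `max_depth=None`, which is the before/after of the patch in one call; `reuse_after_failure()` returns `("syntax", "ok")`, the property the Java version does not guarantee because its decrement sits only on the closing-bracket path.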
