Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package perl-JSON-XS for openSUSE:Factory checked in at 2025-09-09 20:30:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/perl-JSON-XS (Old) and /work/SRC/openSUSE:Factory/.perl-JSON-XS.new.1977 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-JSON-XS" Tue Sep 9 20:30:16 2025 rev:25 rq:1303253 version:4.40.0 Changes: -------- --- /work/SRC/openSUSE:Factory/perl-JSON-XS/perl-JSON-XS.changes 2020-10-28 12:10:07.693424777 +0100 +++ /work/SRC/openSUSE:Factory/.perl-JSON-XS.new.1977/perl-JSON-XS.changes 2025-09-09 20:30:47.458606617 +0200 @@ -1,0 +2,15 @@ +Mon Sep 8 16:53:42 UTC 2025 - Tina Müller <[email protected]> + +- updated to 4.40.0 (4.04) + see /usr/share/doc/packages/perl-JSON-XS/Changes + + 4.04 Fri 05 Sep 2025 23:59:48 CEST + - fix heap overflow causing crashes, possibly information + disclosure or worse (CVE-2025-40928), and causes JSON::XS to + accept invalid JSON texts as valid in some cases. Thanks to + Michael Hudak for finding this, the CPAN Security Group for + coordinating this, and Reini Urban for double-checking the patch + (and Peter Juhasz for potentially reporting this much earlier). + (bsc#1249330) + +------------------------------------------------------------------- Old: ---- JSON-XS-4.03.tar.gz New: ---- JSON-XS-4.04.tar.gz README.md _scmsync.obsinfo build.specials.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ perl-JSON-XS.spec ++++++ --- /var/tmp/diff_new_pack.4svWVo/_old 2025-09-09 20:30:48.050631567 +0200 +++ /var/tmp/diff_new_pack.4svWVo/_new 2025-09-09 20:30:48.054631736 +0200 @@ -1,7 +1,7 @@ # # spec file for package perl-JSON-XS # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,24 +16,28 @@ # +%define cpan_name JSON-XS Name: perl-JSON-XS -Version: 4.03 +Version: 4.40.0 Release: 0 -%define cpan_name JSON-XS -Summary: JSON serialising/deserialising, done correctly and fast +# 4.04 -> normalize -> 4.40.0 +%define cpan_version 4.04 License: Artistic-1.0 OR GPL-1.0-or-later -Group: Development/Libraries/Perl +Summary: JSON serialising/deserialising, done correctly and fast URL: https://metacpan.org/release/%{cpan_name} -Source0: https://cpan.metacpan.org/authors/id/M/ML/MLEHMANN/%{cpan_name}-%{version}.tar.gz +Source0: https://cpan.metacpan.org/authors/id/M/ML/MLEHMANN/%{cpan_name}-%{cpan_version}.tar.gz Source1: cpanspec.yml -BuildRoot: %{_tmppath}/%{name}-%{version}-build +Source100: README.md BuildRequires: perl BuildRequires: perl-macros BuildRequires: perl(Canary::Stability) +BuildRequires: perl(ExtUtils::MakeMaker) >= 6.52 BuildRequires: perl(Types::Serialiser) BuildRequires: perl(common::sense) Requires: perl(Types::Serialiser) Requires: perl(common::sense) +Provides: perl(JSON::XS) = %{version} +%undefine __perllib_provides %{perl_requires} %description @@ -45,12 +49,11 @@ vice versa. %prep -%setup -q -n %{cpan_name}-%{version} -find . -type f ! -path "*/t/*" ! -name "*.pl" ! -path "*/bin/*" ! -path "*/script/*" ! -name "configure" -print0 | xargs -0 chmod 644 +%autosetup -n %{cpan_name}-%{cpan_version} -p1 %build perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}" -make %{?_smp_mflags} +%make_build %check make test @@ -61,7 +64,6 @@ %perl_gen_filelist %files -f %{name}.files -%defattr(-,root,root,755) %doc Changes README %license COPYING ++++++ JSON-XS-4.03.tar.gz -> JSON-XS-4.04.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/JSON-XS-4.03/Changes new/JSON-XS-4.04/Changes --- old/JSON-XS-4.03/Changes 2020-10-27 19:05:18.000000000 +0100 +++ new/JSON-XS-4.04/Changes 2025-09-08 14:51:12.000000000 +0200 
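Review bot: The `Provides: perl(JSON::XS) = %{version}` / `%undefine __perllib_provides` pair in the @@ -16,24 +16,28 @@ hunk has no comment, while the adjacent `# 4.04 -> normalize -> 4.40.0` line explains only the Version field. Since the module's own `$VERSION` stays '4.04' (XS.pm hunk further down), the automatic provides generator would presumably emit `perl(JSON::XS) = 4.04`, which is what the undefine suppresses in favour of the normalized 4.40.0; a reader of the spec alone cannot tell that. I would add `# upstream $VERSION is 4.04; provide the normalized rpm version instead of the auto-generated one` above the Provides line. The @@ -45,12 +49,11 @@ hunk also drops the `find ... chmod 644` mode normalisation together with `%setup`, so any unusual file modes in the 4.04 tarball are now packaged as-is; the rpmlint permissions output for this build is worth a glance.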
@@ -6,6 +6,19 @@ TODO: investigate magic (Eric Brine) TODO: [PATCH] Types::Serialiser: Inline true(), false() and error() functions TODO: replace bool_stash by BOOL_STASH seems to work with mod_perl, make a compile time option? +TODO: https://github.com/ulfjack/ryu https://lemire.me/blog/2020/03/10/fast-float-parsing-in-practice/ / https://github.com/lemire/fast_double_parser + +TODO: validate_utf8, apparewntly some people confuse themselves. +TODO: security considerations +TODO: perl 5.36 has builtin::true/false/is_bool. Not sure how to integrate those. + +4.04 Fri 05 Sep 2025 23:59:48 CEST + - fix heap overflow causing crashes, possibly information + disclosure or worse (CVE-2025-40928), and causes JSON::XS to + accept invalid JSON texts as valid in some cases. Thanks to + Michael Hudak for finding this, the CPAN Security Group for + coordinating this, and Reini Urban for double-checking the patch + (and Peter Juhasz for potentially reporting this much earlier). 4.03 Tue Oct 27 19:05:01 CET 2020 - when parsing comments in relaxed mode, JSON::XS would detect garbage diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/JSON-XS-4.03/META.json new/JSON-XS-4.04/META.json --- old/JSON-XS-4.03/META.json 2020-10-27 19:05:48.000000000 +0100 +++ new/JSON-XS-4.04/META.json 2025-09-08 14:51:31.000000000 +0200 @@ -4,7 +4,7 @@ "unknown" ], "dynamic_config" : 1, - "generated_by" : "ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150001", + "generated_by" : "ExtUtils::MakeMaker version 7.70, CPAN::Meta::Converter version 2.150010", "license" : [ "unknown" ], 
@@ -39,5 +39,6 @@ } }, "release_status" : "stable", - "version" : "4.03" + "version" : "4.04", + "x_serialization_backend" : "JSON::PP version 2.27300" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/JSON-XS-4.03/META.yml new/JSON-XS-4.04/META.yml --- old/JSON-XS-4.03/META.yml 2020-10-27 19:05:48.000000000 +0100 +++ new/JSON-XS-4.04/META.yml 2025-09-08 14:51:31.000000000 +0200 @@ -8,7 +8,7 @@ Canary::Stability: '0' ExtUtils::MakeMaker: '6.52' dynamic_config: 1 -generated_by: 'ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150001' +generated_by: 'ExtUtils::MakeMaker version 7.70, CPAN::Meta::Converter version 2.150010' license: unknown meta-spec: url: http://module-build.sourceforge.net/META-spec-v1.4.html @@ -21,4 +21,5 @@ requires: Types::Serialiser: '0' common::sense: '0' -version: '4.03' +version: '4.04' +x_serialization_backend: 'CPAN::Meta::YAML version 0.012' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/JSON-XS-4.03/README new/JSON-XS-4.04/README --- old/JSON-XS-4.03/README 2020-10-27 19:05:49.000000000 +0100 +++ new/JSON-XS-4.04/README 2025-09-08 14:51:31.000000000 +0200 @@ -374,7 +374,7 @@ $json = $json->allow_nonref ([$enable]) $enabled = $json->get_allow_nonref - Unlike other boolean options, this opotion is enabled by default + Unlike other boolean options, this option is enabled by default beginning with version 4.0. See "SECURITY CONSIDERATIONS" for the gory details. @@ -745,7 +745,7 @@ [, - In reality, hopwever, the parser might continue to read data until a + In reality, however, the parser might continue to read data until a length limit is exceeded or it finds a closing bracket. EXAMPLES 
@@ -1089,7 +1089,7 @@ encoded into JSON. This scalar replaces the object in the JSON text. For example, the following "TO_JSON" method will convert all URI - objects to JSON strings when serialised. The fatc that these values + objects to JSON strings when serialised. The fact that these values originally were URI objects is lost. sub URI::TO_JSON { @@ -1492,7 +1492,7 @@ $json_coder = JSON::XS->new->allow_nonref (0) This is a somewhat unhappy situation, and the blame can fully be put on - JSON's inmventor, Douglas Crockford, who unilaterally changed the format + JSON's inventor, Douglas Crockford, who unilaterally changed the format in 2006 without consulting the IETF, forcing the IETF to either fork the format or go with it (as I was told, the IETF wasn't amused). @@ -1548,7 +1548,7 @@ INTEROPERABILITY WITH OTHER MODULES "JSON::XS" uses the Types::Serialiser module to provide boolean constants. That means that the JSON true and false values will be - comaptible to true and false values of other modules that do the same, + compatible to true and false values of other modules that do the same, such as JSON::PP and CBOR::XS. INTEROPERABILITY WITH OTHER JSON DECODERS @@ -1570,7 +1570,7 @@ TAGGED VALUE SYNTAX AND STANDARD JSON EN/DECODERS When you use "allow_tags" to use the extended (and also nonstandard and invalid) JSON syntax for serialised objects, and you still want to - decode the generated When you want to serialise objects, you can run a + decode the generated text with a standard JSON decoder, you can run a regex to replace the tagged syntax by standard JSON arrays (it only works for "normal" package names without comma, newlines or single colons). First, the readable Perl version: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/JSON-XS-4.03/XS.pm new/JSON-XS-4.04/XS.pm --- old/JSON-XS-4.03/XS.pm 2020-10-27 19:05:46.000000000 +0100 +++ new/JSON-XS-4.04/XS.pm 2025-09-08 13:53:46.000000000 +0200 
@@ -89,7 +89,7 @@ use common::sense; -our $VERSION = '4.03'; +our $VERSION = '4.04'; our @ISA = qw(Exporter); our @EXPORT = qw(encode_json decode_json); @@ -431,7 +431,7 @@ =item $enabled = $json->get_allow_nonref -Unlike other boolean options, this opotion is enabled by default beginning +Unlike other boolean options, this option is enabled by default beginning with version C<4.0>. See L<SECURITY CONSIDERATIONS> for the gory details. If C<$enable> is true (or missing), then the C<encode> method can convert a @@ -823,7 +823,7 @@ [, -In reality, hopwever, the parser might continue to read data until a +In reality, however, the parser might continue to read data until a length limit is exceeded or it finds a closing bracket. =head2 EXAMPLES @@ -1195,7 +1195,7 @@ JSON. This scalar replaces the object in the JSON text. For example, the following C<TO_JSON> method will convert all L<URI> -objects to JSON strings when serialised. The fatc that these values +objects to JSON strings when serialised. The fact that these values originally were L<URI> objects is lost. sub URI::TO_JSON { @@ -1618,7 +1618,7 @@ $json_coder = JSON::XS->new->allow_nonref (0) This is a somewhat unhappy situation, and the blame can fully be put on -JSON's inmventor, Douglas Crockford, who unilaterally changed the format +JSON's inventor, Douglas Crockford, who unilaterally changed the format in 2006 without consulting the IETF, forcing the IETF to either fork the format or go with it (as I was told, the IETF wasn't amused). @@ -1680,7 +1680,7 @@ C<JSON::XS> uses the L<Types::Serialiser> module to provide boolean constants. That means that the JSON true and false values will be -comaptible to true and false values of other modules that do the same, +compatible to true and false values of other modules that do the same, such as L<JSON::PP> and L<CBOR::XS>. 
@@ -1705,8 +1705,8 @@ When you use C<allow_tags> to use the extended (and also nonstandard and invalid) JSON syntax for serialised objects, and you still want to decode -the generated When you want to serialise objects, you can run a regex -to replace the tagged syntax by standard JSON arrays (it only works for +the generated text with a standard JSON decoder, you can run a regex to +replace the tagged syntax by standard JSON arrays (it only works for "normal" package names without comma, newlines or single colons). First, the readable Perl version: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/JSON-XS-4.03/XS.xs new/JSON-XS-4.04/XS.xs --- old/JSON-XS-4.03/XS.xs 2020-10-27 19:03:21.000000000 +0100 +++ new/JSON-XS-4.04/XS.xs 2025-09-06 13:57:10.000000000 +0200 @@ -253,16 +253,16 @@ // if we recurse too deep, skip all remaining digits // to avoid a stack overflow attack if (expect_false (--maxdepth <= 0)) - while (((U8)*s - '0') < 10) + while (*s >= '0' && *s <= '9') ++s; for (;;) { - U8 dig = (U8)*s - '0'; + U8 dig = *s - '0'; if (expect_false (dig >= 10)) { - if (dig == (U8)((U8)'.' - (U8)'0')) + if (dig == (U8)('.' - '0')) { ++s; json_atof_scan1 (s, accum, expo, 1, maxdepth); @@ -282,8 +282,8 @@ else if (*s == '+') ++s; - while ((dig = (U8)*s - '0') < 10) - exp2 = exp2 * 10 + *s++ - '0'; + while (*s >= '0' && *s <= '9') + exp2 = exp2 * 10 + (*s++ - '0'); *expo += neg ? -exp2 : exp2; } @@ -920,7 +920,7 @@ { // optimise the "small number case" // code will likely be branchless and use only a single multiplication - // works for numbers up to 59074 + // 4.28 works for numbers up to 59074 I32 i = SvIVX (sv); U32 u; char digit, nz = 0; 
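Review bot: The rewritten digit tests in the @@ -253,16 +253,16 @@ hunk (and the matching rewrite in @@ -282,8 +282,8 @@) carry no comment saying why the explicit `*s >= '0' && *s <= '9'` form replaces the subtraction idiom, which invites a later "optimisation" back to `(U8)*s - '0' < 10`. In the removed `while (((U8)*s - '0') < 10)` the U8 operand is promoted to int before the subtraction, so any byte below '0' yields a negative result that passes `< 10` and the loop walks past the end of the digit run, which is consistent with the heap overflow the Changes entry describes for CVE-2025-40928; the other two rewritten expressions assigned into a U8 first, so they were already truncating correctly and only change in form. I would add, above the loop under the maxdepth guard, `// explicit range test: (U8)*s - '0' is int arithmetic, so bytes below '0' give a negative value that a "< 10" test accepts`. Both loops belong to json_atof_scan1, whose body begins and ends outside the hunk.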
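Review bot: The exponent accumulation `exp2 = exp2 * 10 + (*s++ - '0');` in the @@ -282,8 +282,8 @@ hunk is still unbounded: the loop now stops at the first non-digit, but nothing limits how many digits it consumes, so a long run of exponent digits overflows exp2, which is undefined behaviour if exp2 is a signed type (its declaration is not in the hunk). A saturating guard such as `if (exp2 < 100000) exp2 = exp2 * 10 + (*s++ - '0'); else ++s;` keeps the loop consuming the digits while capping the value, which should be result-neutral since any exponent that large already drives a double to infinity or zero. The enclosing function continues outside the hunk, so the type of exp2 should be confirmed before choosing the cap.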
@@ -928,7 +928,7 @@ need (enc, 6); *enc->cur = '-'; enc->cur += i < 0 ? 1 : 0; - u = i < 0 ? -i : i; + u = i < 0 ? -i : i; // not undefined due to range check above // convert to 4.28 fixed-point representation u = u * ((0xfffffff + 10000) / 10000); // 10**5, 5 fractional digits ++++++ README.md ++++++ ## Build Results Current state of perl in openSUSE:Factory is  The current state of perl in the devel project build (devel:languages:perl)  ++++++ _scmsync.obsinfo ++++++ mtime: 1757350598 commit: a69ced4fd2b708e9deba2a411e486e71d67e65173524ae177e65c567ba28dd72 url: https://src.opensuse.org/perl/perl-JSON-XS.git revision: a69ced4fd2b708e9deba2a411e486e71d67e65173524ae177e65c567ba28dd72 projectscmsync: https://src.opensuse.org/perl/_ObsPrj ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2025-09-08 19:46:46.000000000 +0200 @@ -0,0 +1 @@ +.osc
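Review bot: The new comment `// not undefined due to range check above` in the @@ -928,7 +928,7 @@ hunk points at a check that lies outside the hunk without saying what it guarantees, so a reader still has to go and find it to trust the negation. Stating the invariant makes the comment self-contained, e.g. `// i is within the small-number fast-path range checked above, so -i cannot overflow I32`; the preceding hunk's `// 4.28 works for numbers up to 59074` line suggests the magnitude, but the actual condition is not visible from here and should be quoted from it. The enclosing block's condition lies above the hunk.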
