Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libfastjson for openSUSE:Factory checked in at 2023-05-05 15:57:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libfastjson (Old) and /work/SRC/openSUSE:Factory/.libfastjson.new.1533 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libfastjson" Fri May 5 15:57:18 2023 rev:12 rq:1084815 version:1.2304.0 Changes: -------- --- /work/SRC/openSUSE:Factory/libfastjson/libfastjson.changes 2021-06-25 15:01:02.652130078 +0200 +++ /work/SRC/openSUSE:Factory/.libfastjson.new.1533/libfastjson.changes 2023-05-05 15:57:24.136125404 +0200 @@ -1,0 +2,7 @@ +Wed May 3 20:13:04 UTC 2023 - Andreas Stieger <andreas.stie...@gmx.de> + +- update to 1.2304.0: + * CVE-2020-12762: integer overflow and out-of-bounds write via + large JSON file (boo#1171479) + +------------------------------------------------------------------- Old: ---- libfastjson-0.99.9.tar.gz New: ---- libfastjson-1.2304.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libfastjson.spec ++++++ --- /var/tmp/diff_new_pack.OZuzQs/_old 2023-05-05 15:57:24.740128864 +0200 +++ /var/tmp/diff_new_pack.OZuzQs/_new 2023-05-05 15:57:24.740128864 +0200 @@ -1,7 +1,7 @@ # # spec file for package libfastjson # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ %define somajor 4 Name: libfastjson -Version: 0.99.9 +Version: 1.2304.0 Release: 0 Summary: JSON parsing library, a fork of json-c License: MIT ++++++ libfastjson-0.99.9.tar.gz -> libfastjson-1.2304.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfastjson-0.99.9/ChangeLog new/libfastjson-1.2304.0/ChangeLog --- old/libfastjson-0.99.9/ChangeLog 2021-01-25 13:52:55.000000000 +0100 +++ new/libfastjson-1.2304.0/ChangeLog 2023-04-17 15:51:20.000000000 +0200 
@@ -1,3 +1,8 @@ +1.2304.0, 2023-04-18 +- change of release number scheme, now like rsyslog +- fix Fix CVE-2020-12762 + Note: the CVE did not affect rsyslog use due to size limits + Thanks to Wang Haitao for the patch. 0.99.9 2021-01-26 - add API fjson_object_get_uint() Thanks to Janmejay Singh for contributing the patch. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfastjson-0.99.9/configure new/libfastjson-1.2304.0/configure --- old/libfastjson-0.99.9/configure 2021-01-25 13:53:09.000000000 +0100 +++ new/libfastjson-1.2304.0/configure 2023-04-17 15:54:00.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for libfastjson 0.99.9. +# Generated by GNU Autoconf 2.69 for libfastjson 1.2304.0. # # Report bugs to <rsys...@lists.adiscon.com>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='libfastjson' PACKAGE_TARNAME='libfastjson' -PACKAGE_VERSION='0.99.9' -PACKAGE_STRING='libfastjson 0.99.9' +PACKAGE_VERSION='1.2304.0' +PACKAGE_STRING='libfastjson 1.2304.0' PACKAGE_BUGREPORT='rsys...@lists.adiscon.com' PACKAGE_URL='' @@ -1336,7 +1336,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libfastjson 0.99.9 to adapt to many kinds of systems. +\`configure' configures libfastjson 1.2304.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1407,7 +1407,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libfastjson 0.99.9:";; + short | recursive ) echo "Configuration of libfastjson 1.2304.0:";; esac cat <<\_ACEOF 
@@ -1525,7 +1525,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libfastjson configure 0.99.9 +libfastjson configure 1.2304.0 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1948,7 +1948,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libfastjson $as_me 0.99.9, which was +It was created by libfastjson $as_me 1.2304.0, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2838,7 +2838,7 @@ # Define the identity of the package. PACKAGE='libfastjson' - VERSION='0.99.9' + VERSION='1.2304.0' cat >>confdefs.h <<_ACEOF @@ -15280,7 +15280,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libfastjson $as_me 0.99.9, which was +This file was extended by libfastjson $as_me 1.2304.0, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -15346,7 +15346,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -libfastjson config.status 0.99.9 +libfastjson config.status 1.2304.0 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfastjson-0.99.9/configure.ac new/libfastjson-1.2304.0/configure.ac --- old/libfastjson-0.99.9/configure.ac 2021-01-25 13:52:55.000000000 +0100 +++ new/libfastjson-1.2304.0/configure.ac 2023-04-17 15:53:41.000000000 +0200 
@@ -1,7 +1,7 @@
 AC_PREREQ(2.52)
 # Process this file with autoconf to produce a configure script.
-AC_INIT([libfastjson], [0.99.9], [rsys...@lists.adiscon.com])
+AC_INIT([libfastjson], [1.2304.0], [rsys...@lists.adiscon.com])
 # AIXPORT START: Detect the underlying OS
 unamestr=$(uname)
 AM_CONDITIONAL([AIX], [test x$unamestr = xAIX])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfastjson-0.99.9/printbuf.c new/libfastjson-1.2304.0/printbuf.c
--- old/libfastjson-0.99.9/printbuf.c 2021-01-25 13:00:57.000000000 +0100
+++ new/libfastjson-1.2304.0/printbuf.c 2023-03-30 11:53:47.000000000 +0200
@@ -13,6 +13,7 @@
 #include "config.h"
+#include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -68,9 +69,16 @@
 if (p->size >= min_size)
 return 0;
- new_size = p->size * 2;
- if (new_size < min_size + 8)
- new_size = min_size + 8;
+ /* Prevent signed integer overflows with large buffers. */
+ if (min_size > INT_MAX - 8)
+ return -1;
+ if (p->size > INT_MAX / 2)
+ new_size = min_size + 8;
+ else {
+ new_size = p->size * 2;
+ if (new_size < min_size + 8)
+ new_size = min_size + 8;
+ }
 #ifdef PRINTBUF_DEBUG
 MC_DEBUG("printbuf_memappend: realloc "
 "bpos=%d min_size=%d old_size=%d new_size=%d\n",
@@ -85,6 +93,9 @@
 int printbuf_memappend(struct printbuf *p, const char *buf, int size)
 {
+ /* Prevent signed integer overflows with large buffers. */
+ if (size > INT_MAX - p->bpos - 1)
+ return -1;
 if (p->size <= p->bpos + size + 1) {
 if (printbuf_extend(p, p->bpos + size + 1) < 0)
 return -1;
@@ -136,6 +147,9 @@
 if (offset == -1)
 offset = pb->bpos;
+ /* Prevent signed integer overflows with large buffers. */
+ if (len > INT_MAX - offset)
+ return -1;
 size_needed = offset + len;
 if (pb->size < size_needed) {
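Review bot: The growth computation added in the `@@ -68,9 +69,16 @@` hunk (presumably printbuf_extend, judging by the `min_size` parameter and the call from printbuf_memappend below) spreads a simple `max(p->size * 2, min_size + 8)`-with-overflow-guard across a braced else and an unbraced nested if, which makes the guard harder to audit than it needs to be. The same result reads more directly as `new_size = min_size + 8;` / `if (p->size <= INT_MAX / 2 && p->size * 2 > new_size)` / `new_size = p->size * 2;`, which keeps the doubling out of reach whenever it could overflow and needs no second assignment of `min_size + 8`. The preceding `if (min_size > INT_MAX - 8) return -1;` check is still required and stays as is. The function's signature and the realloc that consumes `new_size` lie outside the hunk.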
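Review bot: The new guard at the top of printbuf_memappend (`@@ -85,6 +93,9 @@` hunk) bounds `size` only from above; a negative `size` passes `size > INT_MAX - p->bpos - 1`, makes `p->bpos + size + 1` small enough that no extend is triggered, and then reaches the rest of the body, which is outside this hunk but presumably copies `size` bytes into `p->buf`, where a negative int converted to size_t becomes an enormous length. Since the point of this change is to stop a caller-supplied length from turning into an out-of-bounds write, the check should reject that case too: `if (size < 0 || size > INT_MAX - p->bpos - 1) return -1;`. printbuf_memappend's body continues past the end of the hunk.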