Hello community,

here is the log from the commit of package cJSON for openSUSE:Factory checked 
in at 2024-06-06 12:33:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cJSON (Old)
 and      /work/SRC/openSUSE:Factory/.cJSON.new.24587 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cJSON"

Thu Jun  6 12:33:02 2024 rev:7 rq:1178793 version:1.7.18

Changes:
--------
--- /work/SRC/openSUSE:Factory/cJSON/cJSON.changes      2024-03-01 
23:38:18.519324237 +0100
+++ /work/SRC/openSUSE:Factory/.cJSON.new.24587/cJSON.changes   2024-06-06 
12:33:12.609767614 +0200
@@ -1,0 +2,19 @@
+Wed Jun  5 16:34:08 UTC 2024 - Dirk Müller <dmuel...@suse.com>
+
+- unconditionally apply the revert NULL pointer test
+
+-------------------------------------------------------------------
+Thu May 23 18:03:45 UTC 2024 - Andreas Stieger <andreas.stie...@gmx.de>
+
+- update to 1.7.18:
+  * CVE-2024-31755: NULL pointer dereference via
+    cJSON_SetValuestring() (boo#1223420)
+  * Remove non-functional list handling of compiler flags
+  * Fix heap buffer overflow
+  * remove misused optimization flag -01
+  * Set free'd pointers to NULL whenever they are not reassigned
+    immediately after
+- revert tests for NULL pointers that fail on Leap 15.5
+  cJSON-1.7.18-misc_tests.patch
+
+-------------------------------------------------------------------

Old:
----
  cJSON-1.7.17.tar.gz

New:
----
  cJSON-1.7.18-misc_tests.patch
  cJSON-1.7.18.tar.gz


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cJSON.spec ++++++
--- /var/tmp/diff_new_pack.SPdRzD/_old  2024-06-06 12:33:14.269828111 +0200
+++ /var/tmp/diff_new_pack.SPdRzD/_new  2024-06-06 12:33:14.277828402 +0200
@@ -1,8 +1,9 @@
 #
 # spec file for package cJSON
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 # Copyright (c) 2020-2023, Martin Hauke <mar...@gmx.de>
+# Copyright (c) 2024 Andreas Stieger <andreas.stie...@gmx.de>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +21,7 @@
 %global sover   1
 %global libname libcjson%{sover}
 Name:           cJSON
-Version:        1.7.17
+Version:        1.7.18
 Release:        0
 Summary:        JSON parser library written in ANSI C
 License:        MIT
@@ -28,6 +29,7 @@
 URL:            https://github.com/DaveGamble/cJSON
 Source:         
https://github.com/DaveGamble/cJSON/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Patch0:         cJSON-fix-cmake-include-path.patch
+Patch1:         cJSON-1.7.18-misc_tests.patch
 BuildRequires:  cmake
 BuildRequires:  pkgconfig
 
@@ -53,17 +55,19 @@
 applications that want to make use of libcjson.
 
 %prep
-%autosetup -p1
+%setup -q
+# test is doing an access of freed memory which is undefined and glibc
+# is poisioning our memory so it's failing
+%patch -P1 -p1 -R
 
 %build
 %cmake
-%make_build
+%cmake_build
 
 %install
 %cmake_install
 
-%post -n %{libname} -p /sbin/ldconfig
-%postun -n %{libname} -p /sbin/ldconfig
+%ldconfig_scriptlets -n %{libname}
 
 %check
 export LD_LIBRARY_PATH=%{buildroot}%{_libdir}
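Review bot: Replacing `%autosetup -p1` with `%setup -q` means Patch0 (`cJSON-fix-cmake-include-path.patch`, still declared above) is no longer applied at all, because `%setup` applies no patches and the only `%patch` call left is the `-P1 -p1 -R` revert. Unless 1.7.18 made that patch obsolete, add `%patch -P0 -p1` right after `%setup -q`. The comment explaining the revert has a typo (`poisioning`) and could name the actual problem: `# revert upstream test that reads cJSON fields after cJSON_Delete() freed the item (UB; glibc poisons freed memory, so it fails)`.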
@@ -75,6 +79,7 @@
 %{_libdir}/libcjson.so.%{sover}*
 
 %files devel
+%license LICENSE
 %dir %{_includedir}/cjson
 %{_includedir}/cjson/cJSON.h
 %dir %{_libdir}/cmake/cJSON

++++++ cJSON-1.7.18-misc_tests.patch ++++++
>From 5b502cdbfb21fbe5f6cf9ffbd2b96e4281a741e6 Mon Sep 17 00:00:00 2001
From: Alanscut <wp_s...@163.com>
Date: Thu, 9 May 2024 10:45:16 +0800
Subject: [PATCH] feat: add tests for #842

Add some tests for setting NULL to deallocated pointers
releated to #842 and #833
---
 tests/CMakeLists.txt |  1 +
 tests/misc_tests.c   | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index c7592213..9e8962f6 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -62,6 +62,7 @@ if(ENABLE_CJSON_TEST)
 
     option(ENABLE_VALGRIND OFF "Enable the valgrind memory checker for the 
tests.")
     if (ENABLE_VALGRIND)
+        add_compile_definitions(ENABLE_VALGRIND)
         find_program(MEMORYCHECK_COMMAND valgrind)
         if ("${MEMORYCHECK_COMMAND}" MATCHES "MEMORYCHECK_COMMAND-NOTFOUND")
             message(WARNING "Valgrind couldn't be found.")
diff --git a/tests/misc_tests.c b/tests/misc_tests.c
index ba3e003e..94dd91aa 100644
--- a/tests/misc_tests.c
+++ b/tests/misc_tests.c
@@ -732,6 +732,23 @@ static void 
cjson_set_bool_value_must_not_break_objects(void)
     cJSON_Delete(sobj);
 }
 
+static void deallocated_pointers_should_be_set_to_null(void)
+{
+    /* deallocated pointers should be set to null */
+    /* however, valgrind on linux reports when attempting to access a freed 
memory, we have to skip it */
+#ifndef ENABLE_VALGRIND
+    cJSON *string = cJSON_CreateString("item");
+    cJSON *root = cJSON_CreateObject();
+
+    cJSON_Delete(string);
+    free(string->valuestring);
+
+    cJSON_AddObjectToObject(root, "object");
+    cJSON_Delete(root->child);
+    free(root->child->string);
+#endif
+}
+
 int CJSON_CDECL main(void)
 {
     UNITY_BEGIN();
@@ -762,6 +779,7 @@ int CJSON_CDECL main(void)
     RUN_TEST(cjson_delete_item_from_array_should_not_broken_list_structure);
     RUN_TEST(cjson_set_valuestring_to_object_should_not_leak_memory);
     RUN_TEST(cjson_set_bool_value_must_not_break_objects);
+    RUN_TEST(deallocated_pointers_should_be_set_to_null);
 
     return UNITY_END();
 }

++++++ cJSON-1.7.17.tar.gz -> cJSON-1.7.18.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cJSON-1.7.17/CHANGELOG.md 
new/cJSON-1.7.18/CHANGELOG.md
--- old/cJSON-1.7.17/CHANGELOG.md       2023-12-26 03:24:36.000000000 +0100
+++ new/cJSON-1.7.18/CHANGELOG.md       2024-05-13 12:26:15.000000000 +0200
@@ -1,3 +1,13 @@
+1.7.18 (May 13, 2024)
+======
+Fixes:
+------
+* Add NULL check to cJSON_SetValuestring()(CVE-2024-31755), see #839 and #840
+* Remove non-functional list handling of compiler flags, see #851
+* Fix heap buffer overflow, see #852
+* remove misused optimization flag -01, see #854
+* Set free'd pointers to NULL whenever they are not reassigned immediately 
after, see #855 and #833
+
 1.7.17 (Dec 26, 2023)
 ======
 Fixes:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cJSON-1.7.17/CMakeLists.txt 
new/cJSON-1.7.18/CMakeLists.txt
--- old/cJSON-1.7.17/CMakeLists.txt     2023-12-26 03:24:36.000000000 +0100
+++ new/cJSON-1.7.18/CMakeLists.txt     2024-05-13 12:26:15.000000000 +0200
@@ -2,7 +2,7 @@
 cmake_minimum_required(VERSION 3.0)
 
 project(cJSON
-    VERSION 1.7.17
+    VERSION 1.7.18
     LANGUAGES C)
 
 cmake_policy(SET CMP0054 NEW)  # set CMP0054 policy
@@ -70,7 +70,6 @@
         -fsanitize=float-cast-overflow
         -fsanitize-address-use-after-scope
         -fsanitize=integer
-        -01
         -fno-sanitize-recover
         )
 endif()
@@ -102,13 +101,10 @@
 
     CHECK_C_COMPILER_FLAG(${compiler_flag} 
"FLAG_SUPPORTED_${current_variable}")
     if (FLAG_SUPPORTED_${current_variable})
-        list(APPEND supported_compiler_flags)
         set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${compiler_flag}")
     endif()
 endforeach()
 
-set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${supported_compiler_flags}")
-
 option(BUILD_SHARED_LIBS "Build shared libraries" ON)
 option(ENABLE_TARGET_EXPORT "Enable exporting of CMake targets. Disable when 
it causes problems!" ON)
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cJSON-1.7.17/CONTRIBUTORS.md 
new/cJSON-1.7.18/CONTRIBUTORS.md
--- old/cJSON-1.7.17/CONTRIBUTORS.md    2023-12-26 03:24:36.000000000 +0100
+++ new/cJSON-1.7.18/CONTRIBUTORS.md    2024-05-13 12:26:15.000000000 +0200
@@ -45,6 +45,8 @@
 * [Kevin Sapper](https://github.com/sappo)
 * [Kyle Chisholm](https://github.com/ChisholmKyle)
 * [Linus Wallgren](https://github.com/ecksun)
+* [Luo Jin](https://github.com/Up-wind)
+* [Max](https://github.com/maebex)
 * [MaxBrandtner](https://github.com/MaxBrandtner)
 * [Mateusz Szafoni](https://github.com/raiden00pl)
 * Mike Pontillo
@@ -55,6 +57,7 @@
 * [Moorthy](https://github.com/moorthy-bs)
 * [myd7349](https://github.com/myd7349)
 * [NancyLi1013](https://github.com/NancyLi1013)
+* [Orri](https://github.com/sbvoxel)
 * Paulo Antonio Alvarez
 * [Paweł Malowany](https://github.com/PawelMalowany)
 * [Pawel Winogrodzki](https://github.com/PawelWMS)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cJSON-1.7.17/Makefile new/cJSON-1.7.18/Makefile
--- old/cJSON-1.7.17/Makefile   2023-12-26 03:24:36.000000000 +0100
+++ new/cJSON-1.7.18/Makefile   2024-05-13 12:26:15.000000000 +0200
@@ -8,7 +8,7 @@
 
 LDLIBS = -lm
 
-LIBVERSION = 1.7.17
+LIBVERSION = 1.7.18
 CJSON_SOVERSION = 1
 UTILS_SOVERSION = 1
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cJSON-1.7.17/SECURITY.md new/cJSON-1.7.18/SECURITY.md
--- old/cJSON-1.7.17/SECURITY.md        1970-01-01 01:00:00.000000000 +0100
+++ new/cJSON-1.7.18/SECURITY.md        2024-05-13 12:26:15.000000000 +0200
@@ -0,0 +1,11 @@
+# Security Policy
+
+## Supported Versions
+
+Security is of the highest importance and all security vulnerabilities or 
suspected security vulnerabilities should be reported to cjson team privately, 
to minimize attacks against current users of cjson before they are fixed. 
Vulnerabilities will be investigated and patched on the next patch (or minor) 
release as soon as possible. This information could be kept entirely internal 
to the project.
+
+## Reporting a Vulnerability
+
+If you know of a publicly disclosed security vulnerability for cjson, please 
IMMEDIATELY contact wp_s...@163.com and peter...@apache.org to inform the cjson 
Team.
+
+IMPORTANT: Do not file public issues on GitHub for security vulnerabilities.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cJSON-1.7.17/cJSON.c new/cJSON-1.7.18/cJSON.c
--- old/cJSON-1.7.17/cJSON.c    2023-12-26 03:24:36.000000000 +0100
+++ new/cJSON-1.7.18/cJSON.c    2024-05-13 12:26:15.000000000 +0200
@@ -117,7 +117,7 @@
 }
 
 /* This is a safeguard to prevent copy-pasters from using incompatible C and 
header files */
-#if (CJSON_VERSION_MAJOR != 1) || (CJSON_VERSION_MINOR != 7) || 
(CJSON_VERSION_PATCH != 17)
+#if (CJSON_VERSION_MAJOR != 1) || (CJSON_VERSION_MINOR != 7) || 
(CJSON_VERSION_PATCH != 18)
     #error cJSON.h and cJSON.c have different versions. Make sure that both 
have the same.
 #endif
 
@@ -263,10 +263,12 @@
         if (!(item->type & cJSON_IsReference) && (item->valuestring != NULL))
         {
             global_hooks.deallocate(item->valuestring);
+            item->valuestring = NULL;
         }
         if (!(item->type & cJSON_StringIsConst) && (item->string != NULL))
         {
             global_hooks.deallocate(item->string);
+            item->string = NULL;
         }
         global_hooks.deallocate(item);
         item = next;
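Review bot: The two new NULL stores are written into an `item` that `global_hooks.deallocate(item)` frees on the very next statement, so no well-defined caller can ever observe them; any code that reads `item->valuestring` afterwards is already a use-after-free, which is exactly what the upstream test added in this release does. They are harmless but should not be mistaken for protection against double-free. Suggest a comment on the first store, `/* defensive only: item itself is freed below, callers must not read these fields afterwards */`, or dropping both. The loop enclosing this code starts and ends outside the hunk.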
@@ -397,6 +399,7 @@
     return object->valuedouble = number;
 }
 
+/* Note: when passing a NULL valuestring, cJSON_SetValuestring treats this as 
an error and return NULL */
 CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char 
*valuestring)
 {
     char *copy = NULL;
@@ -405,8 +408,8 @@
     {
         return NULL;
     }
-    /* return NULL if the object is corrupted */
-    if (object->valuestring == NULL)
+    /* return NULL if the object is corrupted or valuestring is NULL */
+    if (object->valuestring == NULL || valuestring == NULL)
     {
         return NULL;
     }
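Review bot: The new contract comment says `treats this as an error and return NULL`; it should read `returns NULL`, and since this is the CVE-2024-31755 fix the contract belongs on the public declaration in cJSON.h (not touched in this diff) where API users will see it, e.g. `/* Returns NULL if object or valuestring is NULL, or if object has no valuestring; object is left unchanged. */`. The guard itself is fine: both checks run before anything else in the function touches `valuestring`. The rest of cJSON_SetValuestring is outside the hunk.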
@@ -893,6 +896,7 @@
     if (output != NULL)
     {
         input_buffer->hooks.deallocate(output);
+        output = NULL;
     }
 
     if (input_pointer != NULL)
@@ -1235,6 +1239,7 @@
 
         /* free the buffer */
         hooks->deallocate(buffer->buffer);
+        buffer->buffer = NULL;
     }
 
     return printed;
@@ -1243,11 +1248,13 @@
     if (buffer->buffer != NULL)
     {
         hooks->deallocate(buffer->buffer);
+        buffer->buffer = NULL;
     }
 
     if (printed != NULL)
     {
         hooks->deallocate(printed);
+        printed = NULL;
     }
 
     return NULL;
@@ -1288,6 +1295,7 @@
     if (!print_value(item, &p))
     {
         global_hooks.deallocate(p.buffer);
+        p.buffer = NULL;
         return NULL;
     }
 
@@ -1659,6 +1667,11 @@
             current_item = new_item;
         }
 
+        if (cannot_access_at_index(input_buffer, 1))
+        {
+            goto fail; /* nothing comes after the comma */
+        }
+
         /* parse the name of the child */
         input_buffer->offset++;
         buffer_skip_whitespace(input_buffer);
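Review bot: The added check is what stops the one-byte over-read for input that ends right after a comma (the `{"1":1,` case in the new parse_examples test), because `input_buffer->offset++` below would otherwise move the offset to `length` and the string parser that follows presumably reads that byte. Worth confirming that the analogous post-comma path in parse_array, outside this hunk, is covered too — it is only safe if whatever it calls next checks `can_access_at_index` before its first byte read. A comment on the goto would help future readers: `/* input ends at ',' -- offset++ below would step past the buffer */`. parse_object starts and ends outside the hunk.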
@@ -3126,4 +3139,5 @@
 CJSON_PUBLIC(void) cJSON_free(void *object)
 {
     global_hooks.deallocate(object);
+    object = NULL;
 }
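Review bot: `object = NULL;` assigns to cJSON_free's by-value parameter, so it is a dead store: the caller's pointer is unchanged and nothing in the function reads `object` afterwards. It gives a false impression that the "set freed pointers to NULL" policy from the changelog applies here, and may trigger -Wunused-but-set-parameter. Either remove the line or replace it with a comment such as `/* callers must NULL their own pointer; this function cannot do it for them */`.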
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cJSON-1.7.17/cJSON.h new/cJSON-1.7.18/cJSON.h
--- old/cJSON-1.7.17/cJSON.h    2023-12-26 03:24:36.000000000 +0100
+++ new/cJSON-1.7.18/cJSON.h    2024-05-13 12:26:15.000000000 +0200
@@ -81,7 +81,7 @@
 /* project version */
 #define CJSON_VERSION_MAJOR 1
 #define CJSON_VERSION_MINOR 7
-#define CJSON_VERSION_PATCH 17
+#define CJSON_VERSION_PATCH 18
 
 #include <stddef.h>
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cJSON-1.7.17/tests/CMakeLists.txt 
new/cJSON-1.7.18/tests/CMakeLists.txt
--- old/cJSON-1.7.17/tests/CMakeLists.txt       2023-12-26 03:24:36.000000000 
+0100
+++ new/cJSON-1.7.18/tests/CMakeLists.txt       2024-05-13 12:26:15.000000000 
+0200
@@ -62,6 +62,7 @@
 
     option(ENABLE_VALGRIND OFF "Enable the valgrind memory checker for the 
tests.")
     if (ENABLE_VALGRIND)
+        add_compile_definitions(ENABLE_VALGRIND)
         find_program(MEMORYCHECK_COMMAND valgrind)
         if ("${MEMORYCHECK_COMMAND}" MATCHES "MEMORYCHECK_COMMAND-NOTFOUND")
             message(WARNING "Valgrind couldn't be found.")
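Review bot: `add_compile_definitions()` is, as far as I recall, only available from CMake 3.12, while the top-level CMakeLists.txt in this same diff still declares `cmake_minimum_required(VERSION 3.0)`, so configuring the tests with ENABLE_VALGRIND on an older cmake would fail. Use `add_definitions(-DENABLE_VALGRIND)` here, or raise the minimum version to match. This only affects the valgrind-enabled test configuration.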
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cJSON-1.7.17/tests/misc_tests.c 
new/cJSON-1.7.18/tests/misc_tests.c
--- old/cJSON-1.7.17/tests/misc_tests.c 2023-12-26 03:24:36.000000000 +0100
+++ new/cJSON-1.7.18/tests/misc_tests.c 2024-05-13 12:26:15.000000000 +0200
@@ -444,6 +444,7 @@
     TEST_ASSERT_FALSE(cJSON_Compare(NULL, item, false));
     TEST_ASSERT_NULL(cJSON_SetValuestring(NULL, "test"));
     TEST_ASSERT_NULL(cJSON_SetValuestring(corruptedString, "test"));
+    TEST_ASSERT_NULL(cJSON_SetValuestring(item, NULL));
     cJSON_Minify(NULL);
     /* skipped because it is only used via a macro that checks for NULL */
     /* cJSON_SetNumberHelper(NULL, 0); */
@@ -731,6 +732,23 @@
     cJSON_Delete(sobj);
 }
 
+static void deallocated_pointers_should_be_set_to_null(void)
+{
+    /* deallocated pointers should be set to null */
+    /* however, valgrind on linux reports when attempting to access a freed 
memory, we have to skip it */
+#ifndef ENABLE_VALGRIND
+    cJSON *string = cJSON_CreateString("item");
+    cJSON *root = cJSON_CreateObject();
+
+    cJSON_Delete(string);
+    free(string->valuestring);
+
+    cJSON_AddObjectToObject(root, "object");
+    cJSON_Delete(root->child);
+    free(root->child->string);
+#endif
+}
+
 int CJSON_CDECL main(void)
 {
     UNITY_BEGIN();
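Review bot: `free(string->valuestring)` dereferences `string` after `cJSON_Delete(string)` has freed the struct itself, and `free(root->child->string)` does the same through a `root->child` that cJSON_Delete just freed; that is undefined behaviour with or without valgrind, which is why the packaging reverts this test, and `root` is never deleted either. The `#ifndef ENABLE_VALGRIND` guard only hides the report. The property the test wants ("freed pointers are set to NULL") cannot be observed legitimately once the owning struct is gone; a valid test would have to go through a custom deallocate hook that records what was freed, or the test should be dropped. The test function is fully contained in the hunk.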
@@ -761,6 +779,7 @@
     RUN_TEST(cjson_delete_item_from_array_should_not_broken_list_structure);
     RUN_TEST(cjson_set_valuestring_to_object_should_not_leak_memory);
     RUN_TEST(cjson_set_bool_value_must_not_break_objects);
+    RUN_TEST(deallocated_pointers_should_be_set_to_null);
 
     return UNITY_END();
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cJSON-1.7.17/tests/parse_examples.c 
new/cJSON-1.7.18/tests/parse_examples.c
--- old/cJSON-1.7.17/tests/parse_examples.c     2023-12-26 03:24:36.000000000 
+0100
+++ new/cJSON-1.7.18/tests/parse_examples.c     2024-05-13 12:26:15.000000000 
+0200
@@ -250,6 +250,33 @@
     }
 }
 
+/* Address Sanitizer */
+static void test15_should_not_heap_buffer_overflow(void)
+{
+    const char *strings[] = {
+        "{\"1\":1,",
+        "{\"1\":1, ",
+    };
+
+    size_t i;
+
+    for (i = 0; i < sizeof(strings) / sizeof(strings[0]); i+=1)
+    {
+        const char *json_string = strings[i];
+        size_t len = strlen(json_string);
+        cJSON *json = NULL;
+
+        char *exact_size_heap = (char*)malloc(len);
+        TEST_ASSERT_NOT_NULL(exact_size_heap);
+
+        memcpy(exact_size_heap, json_string, len);
+        json = cJSON_ParseWithLength(exact_size_heap, len);
+
+        cJSON_Delete(json);
+        free(exact_size_heap);
+    }
+}
+
 int CJSON_CDECL main(void)
 {
     UNITY_BEGIN();
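Review bot: The test only checks that parsing the two truncated inputs does not crash under ASan; it should also pin the result, since both `{"1":1,` and `{"1":1, ` are malformed and must be rejected — add `TEST_ASSERT_NULL(json);` before `cJSON_Delete(json);`. The exact-size allocation without a terminator is the right way to make the over-read observable. Minor style: the cast on `malloc` is unnecessary in C, and `i+=1` would normally be written `i++`.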
@@ -267,5 +294,6 @@
     RUN_TEST(test12_should_not_be_parsed);
     RUN_TEST(test13_should_be_parsed_without_null_termination);
     RUN_TEST(test14_should_not_be_parsed);
+    RUN_TEST(test15_should_not_heap_buffer_overflow);
     return UNITY_END();
 }
