Bug#1074088: bookworm-pu: package cjson/1.7.15-1+deb12u2

Sat, 22 Jun 2024 23:51:30 -0700 

Package: release.debian.org
Control: affects -1 + src:cjson
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: pu
Tags: bookworm
Severity: normal

[ Reason ]
CVE-2024-31755

[ Impact ]
Segmentation violation via the cJSON_SetValuestring function.
If the valuestring passed to cJSON_SetValuestring is NULL, a null
pointer dereference will happen, which can potentially cause denial of
service (DOS).

[ Tests ]
Upstream's tests continue to pass, no new tests were added since this is
a trivial change.

[ Risks ]
Minimal risk as the patch is trivial and only changes 1 line to fix this
security issue.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
  * Backport patch to add NULL check to cJSON_SetValuestring (CVE-2024-31755)
    (Closes: #1071742)

[ Other info ]
Security team have marked it no-dsa.

-- 
Maytham Alsudany
Debian Maintainer

maytham @ OFTC
maytha8 @ Libera


diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog
--- cjson-1.7.15/debian/changelog	2024-04-09 09:30:29.000000000 +0800
+++ cjson-1.7.15/debian/changelog	2024-06-23 14:27:41.000000000 +0800
@@ -1,3 +1,11 @@
+cjson (1.7.15-1+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport patch to add NULL check to cJSON_SetValuestring (CVE-2024-31755)
+    (Closes: #1071742)
+
+ -- Maytham Alsudany <[email protected]>  Sun, 23 Jun 2024 14:27:41 +0800
+
 cjson (1.7.15-1+deb12u1) bookworm; urgency=medium
 
   * Non-maintainer upload.
diff -Nru cjson-1.7.15/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch cjson-1.7.15/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch
--- cjson-1.7.15/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch	1970-01-01 08:00:00.000000000 +0800
+++ cjson-1.7.15/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch	2024-06-23 14:27:41.000000000 +0800
@@ -0,0 +1,23 @@
+Origin: backport, https://github.com/DaveGamble/cJSON/commit/7e4d5dabe7a9b754c601f214e65b544e67ba9f59
+From: Up-wind <[email protected]>
+Bug: https://github.com/DaveGamble/cJSON/issues/839
+Bug-Debian: https://bugs.debian.org/1071742
+Acked-by: Maytham Alsudany <[email protected]>
+Subject: [PATCH] Add NULL check to cJSON_SetValuestring()
+ If the valuestring passed to cJSON_SetValuestring is NULL, a null pointer
+ dereference will happen. This patch adds the NULL check of valuestring before
+ it is dereferenced.
+ .
+ Fix for CVE-2024-31755.
+
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -406,7 +406,7 @@ CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
+         return NULL;
+     }
+     /* return NULL if the object is corrupted */
+-    if (object->valuestring == NULL)
++    if (object->valuestring == NULL || valuestring == NULL)
+     {
+         return NULL;
+     }
diff -Nru cjson-1.7.15/debian/patches/series cjson-1.7.15/debian/patches/series
--- cjson-1.7.15/debian/patches/series	2024-04-09 09:29:47.000000000 +0800
+++ cjson-1.7.15/debian/patches/series	2024-06-23 14:27:41.000000000 +0800
@@ -1 +1,2 @@
 0001-add-null-checkings.patch
+0002-add-null-check-to-cjson-setvaluestring.patch

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to