apteryx pushed a commit to branch core-updates-frozen-batched-changes in repository guix.
commit 090a1586530e21adf700a54d18fced91e0c3b722 Author: Vincent Legoll <[email protected]> AuthorDate: Sat Feb 6 17:24:28 2021 +0100 gnu: json-c: Update to 0.15. * gnu/packages/web.scm (json-c): Update to 0.15. [source]: Remove obsolete patch 'json-c-CVE-2020-12762.patch'. * gnu/packages/patches/json-c-CVE-2020-12762.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. Signed-off-by: Leo Famulari <[email protected]> --- gnu/local.mk | 1 - gnu/packages/patches/json-c-CVE-2020-12762.patch | 193 ----------------------- gnu/packages/web.scm | 5 +- 3 files changed, 2 insertions(+), 197 deletions(-) diff --git a/gnu/local.mk b/gnu/local.mk index 3155338..42880da 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1293,7 +1293,6 @@ dist_patch_DATA = \ %D%/packages/patches/irrlicht-use-system-libs.patch \ %D%/packages/patches/isc-dhcp-gcc-compat.patch \ %D%/packages/patches/isl-0.11.1-aarch64-support.patch \ - %D%/packages/patches/json-c-CVE-2020-12762.patch \ %D%/packages/patches/json-c-0.13-CVE-2020-12762.patch \ %D%/packages/patches/json-c-0.12-CVE-2020-12762.patch \ %D%/packages/patches/jsoncpp-pkg-config-version.patch \ diff --git a/gnu/packages/patches/json-c-CVE-2020-12762.patch b/gnu/packages/patches/json-c-CVE-2020-12762.patch deleted file mode 100644 index 80daa47..0000000 --- a/gnu/packages/patches/json-c-CVE-2020-12762.patch +++ /dev/null @@ -1,193 +0,0 @@ -https://github.com/json-c/json-c/pull/608 -https://github.com/json-c/json-c/commit/5d6fa331418d49f1bd488553fd1cfa9ab023fabb.patch - -From 5d6fa331418d49f1bd488553fd1cfa9ab023fabb Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <[email protected]> -Date: Thu, 14 May 2020 12:32:30 +0200 -Subject: [PATCH] Fix CVE-2020-12762. - -This commit is a squashed backport of the following commits -on the master branch: - - * 099016b7e8d70a6d5dd814e788bba08d33d48426 - * 77d935b7ae7871a1940cd827e850e6063044ec45 - * d07b91014986900a3a75f306d302e13e005e9d67 - * 519dfe1591d85432986f9762d41d1a883198c157 - * a59d5acfab4485d5133114df61785b1fc633e0c6 - * 26f080997d41cfdb17beab65e90c82217d0ac43b ---- - arraylist.c | 3 +++ - linkhash.c | 9 ++++++++- - printbuf.c | 18 ++++++++++++++++-- - tests/test4.c | 29 +++++++++++++++++++++++++++++ - tests/test4.expected | 1 + - 5 files changed, 57 insertions(+), 3 deletions(-) - -diff --git a/arraylist.c b/arraylist.c -index 12ad8af6d3..e5524aca75 100644 ---- a/arraylist.c -+++ b/arraylist.c -@@ -136,6 +136,9 @@ int array_list_del_idx(struct array_list *arr, size_t idx, size_t count) - { - size_t i, stop; - -+ /* Avoid overflow in calculation with large indices. */ -+ if (idx > SIZE_T_MAX - count) -+ return -1; - stop = idx + count; - if (idx >= arr->length || stop > arr->length) - return -1; -diff --git a/linkhash.c b/linkhash.c -index 7ea58c0abf..b021ef10b0 100644 ---- a/linkhash.c -+++ b/linkhash.c -@@ -12,6 +12,7 @@ - - #include "config.h" - -+#include <assert.h> - #include <limits.h> - #include <stdarg.h> - #include <stddef.h> -@@ -499,6 +500,8 @@ struct lh_table *lh_table_new(int size, lh_entry_free_fn *free_fn, lh_hash_fn *h - int i; - struct lh_table *t; - -+ /* Allocate space for elements to avoid divisions by zero. */ -+ assert(size > 0); - t = (struct lh_table *)calloc(1, sizeof(struct lh_table)); - if (!t) - return NULL; -@@ -578,8 +581,12 @@ int lh_table_insert_w_hash(struct lh_table *t, const void *k, const void *v, con - unsigned long n; - - if (t->count >= t->size * LH_LOAD_FACTOR) -- if (lh_table_resize(t, t->size * 2) != 0) -+ { -+ /* Avoid signed integer overflow with large tables. */ -+ int new_size = (t->size > INT_MAX / 2) ? INT_MAX : (t->size * 2); -+ if (t->size == INT_MAX || lh_table_resize(t, new_size) != 0) - return -1; -+ } - - n = h % t->size; - -diff --git a/printbuf.c b/printbuf.c -index 976c12dde5..f9b15b1191 100644 ---- a/printbuf.c -+++ b/printbuf.c -@@ -15,6 +15,7 @@ - - #include "config.h" - -+#include <limits.h> - #include <stdio.h> - #include <stdlib.h> - #include <string.h> -@@ -66,9 +67,16 @@ static int printbuf_extend(struct printbuf *p, int min_size) - if (p->size >= min_size) - return 0; - -- new_size = p->size * 2; -- if (new_size < min_size + 8) -+ /* Prevent signed integer overflows with large buffers. */ -+ if (min_size > INT_MAX - 8) -+ return -1; -+ if (p->size > INT_MAX / 2) - new_size = min_size + 8; -+ else { -+ new_size = p->size * 2; -+ if (new_size < min_size + 8) -+ new_size = min_size + 8; -+ } - #ifdef PRINTBUF_DEBUG - MC_DEBUG("printbuf_memappend: realloc " - "bpos=%d min_size=%d old_size=%d new_size=%d\n", -@@ -83,6 +91,9 @@ static int printbuf_extend(struct printbuf *p, int min_size) - - int printbuf_memappend(struct printbuf *p, const char *buf, int size) - { -+ /* Prevent signed integer overflows with large buffers. */ -+ if (size > INT_MAX - p->bpos - 1) -+ return -1; - if (p->size <= p->bpos + size + 1) - { - if (printbuf_extend(p, p->bpos + size + 1) < 0) -@@ -100,6 +111,9 @@ int printbuf_memset(struct printbuf *pb, int offset, int charvalue, int len) - - if (offset == -1) - offset = pb->bpos; -+ /* Prevent signed integer overflows with large buffers. */ -+ if (len > INT_MAX - offset) -+ return -1; - size_needed = offset + len; - if (pb->size < size_needed) - { -diff --git a/tests/test4.c b/tests/test4.c -index bd964ec789..288cec1792 100644 ---- a/tests/test4.c -+++ b/tests/test4.c -@@ -3,12 +3,15 @@ - */ - - #include "config.h" -+#include <assert.h> - #include <stdio.h> -+#include <stdlib.h> - #include <string.h> - - #include "json_inttypes.h" - #include "json_object.h" - #include "json_tokener.h" -+#include "snprintf_compat.h" - - void print_hex(const char *s) - { -@@ -24,6 +27,29 @@ void print_hex(const char *s) - putchar('\n'); - } - -+static void test_lot_of_adds(void); -+static void test_lot_of_adds() -+{ -+ int ii; -+ char key[50]; -+ json_object *jobj = json_object_new_object(); -+ assert(jobj != NULL); -+ for (ii = 0; ii < 500; ii++) -+ { -+ snprintf(key, sizeof(key), "k%d", ii); -+ json_object *iobj = json_object_new_int(ii); -+ assert(iobj != NULL); -+ if (json_object_object_add(jobj, key, iobj)) -+ { -+ fprintf(stderr, "FAILED to add object #%d\n", ii); -+ abort(); -+ } -+ } -+ printf("%s\n", json_object_to_json_string(jobj)); -+ assert(json_object_object_length(jobj) == 500); -+ json_object_put(jobj); -+} -+ - int main(void) - { - const char *input = "\"\\ud840\\udd26,\\ud840\\udd27,\\ud800\\udd26,\\ud800\\udd27\""; -@@ -52,5 +78,8 @@ int main(void) - retval = 1; - } - json_object_put(parse_result); -+ -+ test_lot_of_adds(); -+ - return retval; - } -diff --git a/tests/test4.expected b/tests/test4.expected -index 68d4336d90..cb2744012b 100644 ---- a/tests/test4.expected -+++ b/tests/test4.expected -@@ -1,3 +1,4 @@ - input: "\ud840\udd26,\ud840\udd27,\ud800\udd26,\ud800\udd27" - JSON parse result is correct: 𠄦,𠄧,𐄦,𐄧 - PASS -+{ "k0": 0, "k1": 1, "k2": 2, "k3": 3, "k4": 4, "k5": 5, "k6": 6, "k7": 7, "k8": 8, "k9": 9, "k10": 10, "k11": 11, "k12": 12, "k13": 13, "k14": 14, "k15": 15, "k16": 16, "k17": 17, "k18": 18, "k19": 19, "k20": 20, "k21": 21, "k22": 22, "k23": 23, "k24": 24, "k25": 25, "k26": 26, "k27": 27, "k28": 28, "k29": 29, "k30": 30, "k31": 31, "k32": 32, "k33": 33, "k34": 34, "k35": 35, "k36": 36, "k37": 37, "k38": 38, "k39": 39, "k40": 40, "k41": 41, "k42": 42, "k43": 43, "k44": 44, "k45": 45, "k4 [...] diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index bb52eea..a9d4b84 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm @@ -1056,7 +1056,7 @@ data.") (define-public json-c (package (name "json-c") - (version "0.14") + (version "0.15") (source (origin (method url-fetch) (uri (string-append @@ -1064,8 +1064,7 @@ data.") version ".tar.gz")) (sha256 (base32 - "0w381krr99q5a2rypx4g437fa7gzgl82i64sgnrs6g5jr44dwxxk")) - (patches (search-patches "json-c-CVE-2020-12762.patch")))) + "1im484iz08j3gmzpw07v16brwq46pxxj65i996kkp2vivcfhmn5q")))) (build-system cmake-build-system) (home-page "https://github.com/json-c/json-c/wiki";) (synopsis "JSON implementation in C")
