Tony Mancill pushed to branch master at Debian Java Maintainers / libjettison-java
Commits: 798881a2 by tony mancill at 2023-06-11T15:35:52-07:00 New upstream version 1.5.4 - - - - - ce88e4f9 by tony mancill at 2023-06-11T15:35:52-07:00 Update upstream source from tag 'upstream/1.5.4' Update to upstream version '1.5.4' with Debian dir bb558fd56d5a435bfc5cca60c06aab9588271e0f - - - - - 339efba6 by tony mancill at 2023-06-11T15:41:53-07:00 Prepare changelog for upload to unstable - - - - - 4 changed files: - debian/changelog - pom.xml - src/main/java/org/codehaus/jettison/json/JSONArray.java - src/test/java/org/codehaus/jettison/json/JSONArrayTest.java Changes:
===================================== debian/changelog =====================================
@@ -1,3 +1,12 @@
+libjettison-java (1.5.4-1) unstable; urgency=medium
+
+ * Team upload.
+ * New upstream version 1.5.4 (Closes: #1033846)
+ - Fix CVE-2023-1436 - Infinite recursion in Jettison leads
+ to denial of service when creating a crafted JSONArray
+
+ -- tony mancill <[email protected]> Sun, 11 Jun 2023 15:38:24 -0700
+
 libjettison-java (1.5.3-1) unstable; urgency=high
 * Team upload.
===================================== pom.xml =====================================
@@ -2,7 +2,7 @@
 <modelVersion>4.0.0</modelVersion>
 <groupId>org.codehaus.jettison</groupId>
 <artifactId>jettison</artifactId>
- <version>1.5.3</version>
+ <version>1.5.4</version>
 <packaging>bundle</packaging>
 <name>Jettison</name>
 <description>A StAX implementation for JSON.</description>
@@ -31,7 +31,7 @@
 <connection>scm:git:http://github.com/jettison-json/jettison.git</connection>
 <developerConnection>scm:git:https://github.com/jettison-json/jettison.git</developerConnection>
 <url>https://github.com/jettison-json/jettison</url>
- <tag>jettison-1.5.3</tag>
+ <tag>jettison-1.5.4</tag>
 </scm>
 <distributionManagement>
 <snapshotRepository>
===================================== src/main/java/org/codehaus/jettison/json/JSONArray.java =====================================
@@ -182,22 +182,30 @@ public class JSONArray implements Serializable {
 * @throws JSONException If there is a syntax error.
 */
 public JSONArray(Collection collection) throws JSONException {
+ this(collection, 0);
+ }
+
+ private JSONArray(Collection collection, int recursionDepth) throws JSONException {
+ if (recursionDepth > JSONObject.getGlobalRecursionDepthLimit()) {
+ throw new JSONException("JSONArray has reached recursion depth limit of "
+ + JSONObject.getGlobalRecursionDepthLimit());
+ }
+
 this.myArrayList = (collection == null) ? new ArrayList() : new ArrayList(collection);
 // ensure a pure hierarchy of JSONObjects and JSONArrays
 for (ListIterator iter = myArrayList.listIterator(); iter.hasNext();) {
- Object e = iter.next();
- if (e instanceof Collection) {
- iter.set(new JSONArray((Collection) e));
- }
- if (e instanceof Map) {
- iter.set(new JSONObject((Map) e));
- }
- }
+ Object e = iter.next();
+ if (e instanceof Collection) {
+ iter.set(new JSONArray((Collection) e, recursionDepth + 1));
+ }
+ if (e instanceof Map) {
+ iter.set(new JSONObject((Map) e));
+ }
+ }
 }
-
 /**
 * Get the object value associated with an index.
 * @param index
===================================== src/test/java/org/codehaus/jettison/json/JSONArrayTest.java =====================================
@@ -2,6 +2,9 @@
 package org.codehaus.jettison.json;
 import junit.framework.TestCase;
+import java.util.ArrayList;
+import java.util.List;
+
 public class JSONArrayTest extends TestCase {
 public void testInvalidArraySequence() throws Exception {
 try {
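Review bot: The depth counter is not carried through the `Map` branch: `iter.set(new JSONObject((Map) e));` still goes through the public `JSONObject(Map)` constructor, so if that constructor wraps nested collections via the public one-argument `JSONArray(Collection)` (it is outside this hunk, so confirm), a collection nested inside a Map re-enters the loop at depth 0 and the new guard never sees the accumulated depth. A package-private `JSONObject(Map, int)` overload mirroring the private constructor added here, called as `iter.set(new JSONObject((Map) e, recursionDepth + 1));`, would keep one counter across both container types. Minor: `JSONObject.getGlobalRecursionDepthLimit()` is read twice in the guard, so `int limit = JSONObject.getGlobalRecursionDepthLimit();` read once keeps the comparison and the message consistent if the global is changed concurrently. The private constructor also lacks a Javadoc; a one-liner such as `/** Builds the array from collection, failing with JSONException once recursionDepth exceeds the global recursion depth limit. */` would state the contract. The enclosing class continues outside the hunk.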
@@ -67,6 +70,18 @@ public class JSONArrayTest extends TestCase {
 public void testIssue52() throws JSONException {
 JSONObject.setGlobalRecursionDepthLimit(10);
 new JSONArray("[{}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {a:10}]");
+ JSONObject.setGlobalRecursionDepthLimit(500);
+ }
+
+ // https://github.com/jettison-json/jettison/issues/60
+ public void testIssue60() throws JSONException {
+ List<Object> list = new ArrayList<>();
+ list.add(list);
+ try {
+ new JSONArray(list);
+ } catch (JSONException ex) {
+ assertEquals(ex.getMessage(), "JSONArray has reached recursion depth limit of 500");
+ }
 }
 }
View it on GitLab: https://salsa.debian.org/java-team/libjettison-java/-/compare/c9fa5e7fc6284235c6108a43efb5e4d2b133c697...339efba6e4679cd5e94270fcb0add8b533217cb4 -- View it on GitLab: https://salsa.debian.org/java-team/libjettison-java/-/compare/c9fa5e7fc6284235c6108a43efb5e4d2b133c697...339efba6e4679cd5e94270fcb0add8b533217cb4 You're receiving this email because of your account on salsa.debian.org.
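Review bot: `testIssue60` passes vacuously if `new JSONArray(list)` returns normally, because nothing follows the call inside the `try`; a regression of the new depth guard would go unnoticed by this test. Adding `fail("expected JSONException");` directly after `new JSONArray(list);` pins the behaviour the test is meant to cover. The `assertEquals` arguments are also reversed for JUnit's `(expected, actual)` convention, so a failure would report the expected string as the actual value; `assertEquals("JSONArray has reached recursion depth limit of 500", ex.getMessage());` fixes the report. Both tests also hardcode 500 and rely on `testIssue52` restoring the global limit by hand, which makes them order-dependent; saving the previous limit in setUp and restoring it in tearDown would remove that coupling. The enclosing class is closed within the hunk.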

