Bug#1068633: bookworm-pu: package cjson/1.7.15-1+deb12u1

2024-06-15 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Tue, Apr 09, 2024 at 04:36:05AM +0300, Maytham Alsudany wrote:
> Thank you for your feedback, attached is a revised debdiff.

Please go ahead.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1068633: bookworm-pu: package cjson/1.7.15-1+deb12u1

2024-05-02 Thread Maytham Alsudany
Ping! Could someone please have a look at and approve the bookworm-pu for cjson?
The debdiff was changed a while back, and it is attached in this mail.

Kind regards,
Maytham

On Mon, 2024-04-08 at 12:27 +0300, Maytham Alsudany wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: cj...@packages.debian.org
> Control: affects -1 + src:cjson
> 
> [ Reason ]
> CVE-2023-50472, CVE-2023-50471
> 
> [ Impact ]
> Segmentation violation via the function cJSON_InsertItemInArray at cJSON.c
> 
> [ Tests ]
> Upstream's tests continue to pass, and they have also added new tests to
> cover this security issue.
> 
> [ Risks ]
> Minimal, no change to API. Only minimal changes were made to fix this
> security issue.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> - Set myself as Maintainer (I am adopting the package, #1067510)
> - Bump Standards-Version to 4.6.2
> - Add Build-Depends-Package to symbols
> - Backport upstream's patch to 'add NULL checkings'.
>   Upstream adds a few more if statements to avoid the segmentation
>   fault, and thus resolve the security vulnerability.
> 
> [ Other info ]
> If you can spare the time, could you please upload this for me? (I need
> a sponsor, #1068624.) I'm also still waiting for someone to give me
> access to the Salsa repo.
> 
> Thanks,
> Maytham

diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog
--- cjson-1.7.15/debian/changelog	2021-08-29 23:30:06.0 +0300
+++ cjson-1.7.15/debian/changelog	2024-04-09 04:30:29.0 +0300
@@ -1,3 +1,11 @@
+cjson (1.7.15-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471)
+(Closes: #1059287)
+
+ -- Maytham Alsudany   Tue, 09 Apr 2024 04:30:29 +0300
+
 cjson (1.7.15-1) unstable; urgency=medium
 
   * New upstream release 1.7.15.
diff -Nru cjson-1.7.15/debian/gbp.conf cjson-1.7.15/debian/gbp.conf
--- cjson-1.7.15/debian/gbp.conf	1970-01-01 03:00:00.0 +0300
+++ cjson-1.7.15/debian/gbp.conf	2024-04-09 04:29:47.0 +0300
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = debian/bookworm
diff -Nru cjson-1.7.15/debian/patches/0001-add-null-checkings.patch cjson-1.7.15/debian/patches/0001-add-null-checkings.patch
--- cjson-1.7.15/debian/patches/0001-add-null-checkings.patch	1970-01-01 03:00:00.0 +0300
+++ cjson-1.7.15/debian/patches/0001-add-null-checkings.patch	2024-04-09 04:29:47.0 +0300
@@ -0,0 +1,101 @@
+Origin: backport, https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8
+From: Peter Alfred Lee 
+Bug: https://github.com/DaveGamble/cJSON/issues/803
+Bug: https://github.com/DaveGamble/cJSON/issues/802
+Bug-Debian: https://bugs.debian.org/1059287
+Acked-by: Maytham Alsudany 
+Subject: [PATCH] add NULL checkings (#809)
+ * add NULL checks in cJSON_SetValuestring
+ Fixes #803(CVE-2023-50472)
+ .
+ * add NULL check in cJSON_InsertItemInArray
+ Fixes #802(CVE-2023-50471)
+ .
+ * add tests for NULL checks
+ add tests for NULL checks in cJSON_InsertItemInArray and cJSON_SetValuestring
+
+--- a/cJSON.c
 b/cJSON.c
+@@ -401,7 +401,12 @@
+ {
+ char *copy = NULL;
+ /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */
+-if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference))
++if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference))
++{
++return NULL;
++}
++/* return NULL if the object is corrupted */
++if (object->valuestring == NULL)
+ {
+ return NULL;
+ }
+@@ -2260,7 +2265,7 @@
+ {
+ cJSON *after_inserted = NULL;
+ 
+-if (which < 0)
++if (which < 0 || newitem == NULL)
+ {
+ return false;
+ }
+@@ -2271,6 +2276,11 @@
+ return add_item_to_array(array, newitem);
+ }
+ 
++if (after_inserted != array->child && newitem->prev == NULL) {
++/* return false if after_inserted is a corrupted array item */
++return false;
++}
++
+ newitem->next = after_inserted;
+ newitem->prev = after_inserted->prev;
+ after_inserted->prev = newitem;
+--- a/tests/misc_tests.c
 b/tests/misc_tests.c
+@@ -353,6 +353,19 @@
+ {
+ char buffer[10];
+ cJSON *item = cJSON_CreateString("item");
++cJSON *array = cJSON_CreateArray();
++cJSON *item1 = cJSON_CreateString("item1");
++cJSON *item2 = cJSON_CreateString("corrupted array item3");
++cJSON *corruptedString = cJSON_CreateString("corrupted");
++struct cJSON *originalPrev;
++
++add_item_to_array(array, item1);
++add_item_to_array(array, item2);
++
++originalPrev = item2->prev;
++item2->prev = 

Bug#1068633: bookworm-pu: package cjson/1.7.15-1+deb12u1

2024-04-08 Thread Maytham Alsudany
Hi Salvatore,

On Mon, 2024-04-08 at 21:13 +0200, Salvatore Bonaccorso wrote:
> > diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog
> > --- cjson-1.7.15/debian/changelog   2021-08-29 23:30:06.0 +0300
> > +++ cjson-1.7.15/debian/changelog   2024-04-03 06:57:10.0 +0300
> > @@ -1,3 +1,13 @@
> > +cjson (1.7.15-1+deb12u1) bookworm-security; urgency=medium
> 
> The target distribution should be simply bookworm.

I had already changed that but forgot to update the debdiff :)

> > +
> > +  * Update Maintainer field
> > +  * Bump Standards-Version to 4.6.2 (no changes)
> 
> This is usually not allowed to do in a stable update.
> 
> > +  * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471)
> > +(Closes: #1059287)
> > +  * Add Build-Depends-Package to symbols
> 
> While this might be sensible, I'm not sure if SRM will accept it.
> 
> So you might want to adjust already the things above and seek for an
> ack from SRM.

Thank you for your feedback, attached is a revised debdiff.

Kind regards,
Maytham

diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog
--- cjson-1.7.15/debian/changelog	2021-08-29 23:30:06.0 +0300
+++ cjson-1.7.15/debian/changelog	2024-04-09 04:30:29.0 +0300
@@ -1,3 +1,11 @@
+cjson (1.7.15-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471)
+(Closes: #1059287)
+
+ -- Maytham Alsudany   Tue, 09 Apr 2024 04:30:29 +0300
+
 cjson (1.7.15-1) unstable; urgency=medium
 
   * New upstream release 1.7.15.
diff -Nru cjson-1.7.15/debian/gbp.conf cjson-1.7.15/debian/gbp.conf
--- cjson-1.7.15/debian/gbp.conf	1970-01-01 03:00:00.0 +0300
+++ cjson-1.7.15/debian/gbp.conf	2024-04-09 04:29:47.0 +0300
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = debian/bookworm
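Review bot: the new debian/gbp.conf added in this hunk is not listed in the 1.7.15-1+deb12u1 changelog entry, which mentions only the non-maintainer upload and the NULL-check backport, while the request checklist ticks "*all* changes are documented in the d/changelog". Either add a changelog line for the file or leave it out of the stable upload.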
diff -Nru cjson-1.7.15/debian/patches/0001-add-null-checkings.patch cjson-1.7.15/debian/patches/0001-add-null-checkings.patch
--- cjson-1.7.15/debian/patches/0001-add-null-checkings.patch	1970-01-01 03:00:00.0 +0300
+++ cjson-1.7.15/debian/patches/0001-add-null-checkings.patch	2024-04-09 04:29:47.0 +0300
@@ -0,0 +1,101 @@
+Origin: backport, https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8
+From: Peter Alfred Lee 
+Bug: https://github.com/DaveGamble/cJSON/issues/803
+Bug: https://github.com/DaveGamble/cJSON/issues/802
+Bug-Debian: https://bugs.debian.org/1059287
+Acked-by: Maytham Alsudany 
+Subject: [PATCH] add NULL checkings (#809)
+ * add NULL checks in cJSON_SetValuestring
+ Fixes #803(CVE-2023-50472)
+ .
+ * add NULL check in cJSON_InsertItemInArray
+ Fixes #802(CVE-2023-50471)
+ .
+ * add tests for NULL checks
+ add tests for NULL checks in cJSON_InsertItemInArray and cJSON_SetValuestring
+
+--- a/cJSON.c
 b/cJSON.c
+@@ -401,7 +401,12 @@
+ {
+ char *copy = NULL;
+ /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */
+-if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference))
++if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference))
++{
++return NULL;
++}
++/* return NULL if the object is corrupted */
++if (object->valuestring == NULL)
+ {
+ return NULL;
+ }
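Review bot: the two guards added in this hunk cover `object` and `object->valuestring`, but nothing in the visible lines checks the string being assigned, so it is worth confirming that the rest of cJSON_SetValuestring rejects a NULL source before it is used. The retained comment above the first condition also still describes only the type checks and should mention the NULL object case.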
+@@ -2260,7 +2265,7 @@
+ {
+ cJSON *after_inserted = NULL;
+ 
+-if (which < 0)
++if (which < 0 || newitem == NULL)
+ {
+ return false;
+ }
+@@ -2271,6 +2276,11 @@
+ return add_item_to_array(array, newitem);
+ }
+ 
++if (after_inserted != array->child && newitem->prev == NULL) {
++/* return false if after_inserted is a corrupted array item */
++return false;
++}
++
+ newitem->next = after_inserted;
+ newitem->prev = after_inserted->prev;
+ after_inserted->prev = newitem;
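Review bot: the added condition `newitem->prev == NULL` tests the item being inserted, while its own comment and the splice right below it (`newitem->prev = after_inserted->prev;`) concern `after_inserted`. A newly created item has no `prev` set, so as written this rejects an ordinary insert at any position other than the head, and a corrupted `after_inserted` is caught only when `newitem->prev` also happens to be NULL. The condition should read `after_inserted != array->child && after_inserted->prev == NULL`.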
+--- a/tests/misc_tests.c
 b/tests/misc_tests.c
+@@ -353,6 +353,19 @@
+ {
+ char buffer[10];
+ cJSON *item = cJSON_CreateString("item");
++cJSON *array = cJSON_CreateArray();
++cJSON *item1 = cJSON_CreateString("item1");
++cJSON *item2 = cJSON_CreateString("corrupted array item3");
++cJSON *corruptedString = cJSON_CreateString("corrupted");
++struct cJSON *originalPrev;
++
++add_item_to_array(array, item1);
++add_item_to_array(array, item2);
++
++originalPrev = item2->prev;
++item2->prev = NULL;
++free(corruptedString->valuestring);
++corruptedString->valuestring = NULL;
+ 
+ cJSON_InitHooks(NULL);
+ TEST_ASSERT_NULL(cJSON_Parse(NULL));
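Review bot: the setup lines `item2->prev = NULL;` and `free(corruptedString->valuestring);` deliberately corrupt the fixtures but carry no comment saying so, and `item2` is created with the text "corrupted array item3", which does not match its name. A one-line comment on the intent and a consistent label would make the test easier to follow. Restoring `originalPrev` before the array is deleted is not visible in this hunk and should be confirmed.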
+@@ -412,6 +425,8 @@
+ cJSON_DeleteItemFromObject(item, NULL);
+ cJSON_DeleteItemFromObjectCaseSensitive(NULL, "item");
+ cJSON_DeleteItemFromObjectCaseSensitive(item, NULL);
++TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 0, NULL));
++TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item));
+ 
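Review bot: `TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item));` passes whether the library checks `newitem->prev` or `after_inserted->prev`, because both `item` (freshly created) and `item2` (set to NULL in the setup) have a NULL `prev`. Add a positive case that inserts a fresh item at index 1 of an uncorrupted array and expects true, so the test distinguishes the two and catches a guard that rejects valid inserts.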

Bug#1068633: bookworm-pu: package cjson/1.7.15-1+deb12u1

2024-04-08 Thread Salvatore Bonaccorso
Hi,

Disclaimer, this is not an authoritative answer as I'm not part of the
stable release managers.

On Mon, Apr 08, 2024 at 12:27:50PM +0300, Maytham Alsudany wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: cj...@packages.debian.org
> Control: affects -1 + src:cjson
> 
> [ Reason ]
> CVE-2023-50472, CVE-2023-50471
> 
> [ Impact ]
> Segmentation violation via the function cJSON_InsertItemInArray at cJSON.c
> 
> [ Tests ]
> Upstream's tests continue to pass, and they have also added new tests to
> cover this security issue.
> 
> [ Risks ]
> Minimal, no change to API. Only minimal changes were made to fix this
> security issue.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> - Set myself as Maintainer (I am adopting the package, #1067510)
> - Bump Standards-Version to 4.6.2
> - Add Build-Depends-Package to symbols
> - Backport upstream's patch to 'add NULL checkings'.
>   Upstream adds a few more if statements to avoid the segmentation
>   fault, and thus resolve the security vulnerability.
> 
> [ Other info ]
> If you can spare the time, could you please upload this for me? (I need
> a sponsor, #1068624.) I'm also still waiting for someone to give me
> access to the Salsa repo.
> 
> Thanks,
> Maytham

> diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog
> --- cjson-1.7.15/debian/changelog 2021-08-29 23:30:06.0 +0300
> +++ cjson-1.7.15/debian/changelog 2024-04-03 06:57:10.0 +0300
> @@ -1,3 +1,13 @@
> +cjson (1.7.15-1+deb12u1) bookworm-security; urgency=medium

The target distribution should be simply bookworm.

> +
> +  * Update Maintainer field
> +  * Bump Standards-Version to 4.6.2 (no changes)

This is usually not allowed to do in a stable update.

> +  * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471)
> +(Closes: #1059287)
> +  * Add Build-Depends-Package to symbols

While this might be sensible, I'm not sure if SRM will accept it.

So you might want to adjust already the things above and seek for an
ack from SRM.

Regards,
Salvatore



Bug#1068633: bookworm-pu: package cjson/1.7.15-1+deb12u1

2024-04-08 Thread Maytham Alsudany
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cj...@packages.debian.org
Control: affects -1 + src:cjson

[ Reason ]
CVE-2023-50472, CVE-2023-50471

[ Impact ]
Segmentation violation via the function cJSON_InsertItemInArray at cJSON.c

[ Tests ]
Upstream's tests continue to pass, and they have also added new tests to
cover this security issue.

[ Risks ]
Minimal, no change to API. Only minimal changes were made to fix this
security issue.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
- Set myself as Maintainer (I am adopting the package, #1067510)
- Bump Standards-Version to 4.6.2
- Add Build-Depends-Package to symbols
- Backport upstream's patch to 'add NULL checkings'.
  Upstream adds a few more if statements to avoid the segmentation
  fault, and thus resolve the security vulnerability.

[ Other info ]
If you can spare the time, could you please upload this for me? (I need
a sponsor, #1068624.) I'm also still waiting for someone to give me
access to the Salsa repo.

Thanks,
Maytham
diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog
--- cjson-1.7.15/debian/changelog   2021-08-29 23:30:06.0 +0300
+++ cjson-1.7.15/debian/changelog   2024-04-03 06:57:10.0 +0300
@@ -1,3 +1,13 @@
+cjson (1.7.15-1+deb12u1) bookworm-security; urgency=medium
+
+  * Update Maintainer field
+  * Bump Standards-Version to 4.6.2 (no changes)
+  * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471)
+(Closes: #1059287)
+  * Add Build-Depends-Package to symbols
+
+ -- Maytham Alsudany   Wed, 03 Apr 2024 06:57:10 +0300
+
 cjson (1.7.15-1) unstable; urgency=medium
 
   * New upstream release 1.7.15.
diff -Nru cjson-1.7.15/debian/control cjson-1.7.15/debian/control
--- cjson-1.7.15/debian/control 2021-08-29 23:29:57.0 +0300
+++ cjson-1.7.15/debian/control 2024-04-03 06:38:29.0 +0300
@@ -1,10 +1,10 @@
 Source: cjson
 Section: libs
 Priority: optional
-Maintainer: Boyuan Yang 
+Maintainer: Maytham Alsudany 
 Build-Depends: cmake, debhelper-compat (= 13)
 Rules-Requires-Root: no
-Standards-Version: 4.6.0
+Standards-Version: 4.6.2
 Homepage: https://github.com/DaveGamble/cJSON
 Vcs-Git: https://salsa.debian.org/debian/cjson.git
 Vcs-Browser: https://salsa.debian.org/debian/cjson
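Review bot: the Maintainer and Standards-Version lines changed in this hunk are unrelated to CVE-2023-50472 and CVE-2023-50471, and a stable update should carry only the targeted fix. Drop both changes from this upload and keep `Standards-Version: 4.6.0`; the adoption can be done in unstable.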
diff -Nru cjson-1.7.15/debian/gbp.conf cjson-1.7.15/debian/gbp.conf
--- cjson-1.7.15/debian/gbp.conf1970-01-01 03:00:00.0 +0300
+++ cjson-1.7.15/debian/gbp.conf2024-04-03 06:56:58.0 +0300
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = debian/bookworm
diff -Nru cjson-1.7.15/debian/libcjson1.symbols 
cjson-1.7.15/debian/libcjson1.symbols
--- cjson-1.7.15/debian/libcjson1.symbols   2021-08-29 23:28:57.0 
+0300
+++ cjson-1.7.15/debian/libcjson1.symbols   2024-04-03 06:57:10.0 
+0300
@@ -1,4 +1,5 @@
 libcjson.so.1 libcjson1 #MINVER#
+* Build-Depends-Package: libcjson-dev
  cJSON_AddArrayToObject@Base 1.7.5
  cJSON_AddBoolToObject@Base 1.7.5
  cJSON_AddFalseToObject@Base 1.7.5
diff -Nru cjson-1.7.15/debian/patches/0001-add-null-checkings.patch 
cjson-1.7.15/debian/patches/0001-add-null-checkings.patch
--- cjson-1.7.15/debian/patches/0001-add-null-checkings.patch   1970-01-01 
03:00:00.0 +0300
+++ cjson-1.7.15/debian/patches/0001-add-null-checkings.patch   2024-04-03 
06:51:36.0 +0300
@@ -0,0 +1,101 @@
+Origin: backport, 
https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8
+From: Peter Alfred Lee 
+Bug: https://github.com/DaveGamble/cJSON/issues/803
+Bug: https://github.com/DaveGamble/cJSON/issues/802
+Bug-Debian: https://bugs.debian.org/1059287
+Acked-by: Maytham Alsudany 
+Subject: [PATCH] add NULL checkings (#809)
+ * add NULL checks in cJSON_SetValuestring
+ Fixes #803(CVE-2023-50472)
+ .
+ * add NULL check in cJSON_InsertItemInArray
+ Fixes #802(CVE-2023-50471)
+ .
+ * add tests for NULL checks
+ add tests for NULL checks in cJSON_InsertItemInArray and cJSON_SetValuestring
+
+--- a/cJSON.c
 b/cJSON.c
+@@ -401,7 +401,12 @@
+ {
+ char *copy = NULL;
+ /* if object's type is not cJSON_String or is cJSON_IsReference, it 
should not set valuestring */
+-if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference))
++if ((object == NULL) || !(object->type & cJSON_String) || (object->type & 
cJSON_IsReference))
++{
++return NULL;
++}
++/* return NULL if the object is corrupted */
++if (object->valuestring == NULL)
+ {
+ return NULL;
+ }
+@@ -2260,7 +2265,7 @@
+ {
+ cJSON *after_inserted = NULL;
+ 
+-if (which < 0)
++if (which < 0 || newitem == NULL)
+ {
+ return false;
+ }
+@@ -2271,6 +2276,11 @@
+ return
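
A simplified model of the insert-before-index operation this request concerns, added here as an illustration; it is not cJSON's code and not the patch from this thread. The `node` and `list` types and the `list_append`, `list_insert` and `demo` names are hypothetical, and the guard tests the back-link of the existing item, which is the pointer the splice dereferences.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-ins for an array item and its container (not cJSON's types). */
typedef struct node { struct node *next, *prev; } node;
typedef struct { node *child; } list;

/* Append n; in this model head->prev always points at the tail. */
static bool list_append(list *l, node *n)
{
    if (l == NULL || n == NULL) return false;
    n->next = NULL;
    if (l->child == NULL) { l->child = n; n->prev = n; return true; }
    n->prev = l->child->prev;
    l->child->prev->next = n;
    l->child->prev = n;
    return true;
}

/* Insert n before index `which`, refusing NULL input and broken back-links. */
static bool list_insert(list *l, int which, node *n)
{
    node *at;
    if (l == NULL || which < 0 || n == NULL) return false;
    for (at = l->child; at != NULL && which > 0; which--) at = at->next;
    if (at == NULL) return list_append(l, n);              /* index past the end */
    if (at != l->child && at->prev == NULL) return false;  /* corrupted neighbour */
    n->next = at;
    n->prev = at->prev;
    at->prev = n;
    if (at == l->child) l->child = n;
    else n->prev->next = n;   /* NULL dereference here if the guard were missing */
    return true;
}

/* Constructed scenario; each bit records one expected outcome. */
static int demo(void)
{
    node a = {0}, b = {0}, c = {0}, d = {0};
    list l = { NULL };
    int ok = 0;
    list_append(&l, &a); list_append(&l, &b);
    if (!list_insert(&l, 0, NULL)) ok |= 1;                              /* NULL item rejected */
    if (list_insert(&l, 1, &c) && a.next == &c && c.next == &b) ok |= 2; /* valid insert kept */
    b.prev = NULL;                                                       /* simulate corruption */
    if (!list_insert(&l, 2, &d)) ok |= 4;                                /* refused, no crash */
    return ok;
}

int main(void)
{
    return demo() == 7 ? 0 : 1;   /* 7 means all three outcomes were as expected */
}
```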