Ping! Could someone please have a look at and approve the bookworm-pu for cjson? The debdiff was changed a while back, and it is attached in this mail.
Kind regards, Maytham On Mon, 2024-04-08 at 12:27 +0300, Maytham Alsudany wrote: > Package: release.debian.org > Severity: normal > Tags: bookworm > User: release.debian....@packages.debian.org > Usertags: pu > X-Debbugs-Cc: cj...@packages.debian.org > Control: affects -1 + src:cjson > > [ Reason ] > CVE-2023-50472, CVE-2023-50471 > > [ Impact ] > Segmentation violation via the function cJSON_InsertItemInArray at cJSON.c > > [ Tests ] > Upstream's test continue to pass, and they have also added new tests to > cover this security issue. > > [ Risks ] > Minimal, no change to API. Only minimal changes were made to fix this > security issue. > > [ Checklist ] > [x] *all* changes are documented in the d/changelog > [x] I reviewed all changes and I approve them > [x] attach debdiff against the package in (old)stable > [x] the issue is verified as fixed in unstable > > [ Changes ] > - Set myself as Maintainer (I am adopting the package, #1067510) > - Bump Standards-Version to 4.6.2 > - Add Build-Depends-Package to symbools > - Backport upstream's patch to 'add NULL checkings'. > Upstream adds a few more if statements to avoid the segmentation > fault, and thus resolve the security vulnerability. > > [ Other info ] > If you can spare the time, could you please upload this for me? (I need > a sponsor, #1068624.) I'm also still waiting for someone to give me > access to the Salsa repo. > > Thanks, > Maytham
diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog --- cjson-1.7.15/debian/changelog 2021-08-29 23:30:06.000000000 +0300 +++ cjson-1.7.15/debian/changelog 2024-04-09 04:30:29.000000000 +0300 @@ -1,3 +1,11 @@ +cjson (1.7.15-1+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471) + (Closes: #1059287) + + -- Maytham Alsudany <maytha8the...@gmail.com> Tue, 09 Apr 2024 04:30:29 +0300 + cjson (1.7.15-1) unstable; urgency=medium * New upstream release 1.7.15. diff -Nru cjson-1.7.15/debian/gbp.conf cjson-1.7.15/debian/gbp.conf --- cjson-1.7.15/debian/gbp.conf 1970-01-01 03:00:00.000000000 +0300 +++ cjson-1.7.15/debian/gbp.conf 2024-04-09 04:29:47.000000000 +0300 @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = debian/bookworm diff -Nru cjson-1.7.15/debian/patches/0001-add-null-checkings.patch cjson-1.7.15/debian/patches/0001-add-null-checkings.patch --- cjson-1.7.15/debian/patches/0001-add-null-checkings.patch 1970-01-01 03:00:00.000000000 +0300 +++ cjson-1.7.15/debian/patches/0001-add-null-checkings.patch 2024-04-09 04:29:47.000000000 +0300 @@ -0,0 +1,101 @@ +Origin: backport, https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8 +From: Peter Alfred Lee <peter...@apache.com> +Bug: https://github.com/DaveGamble/cJSON/issues/803 +Bug: https://github.com/DaveGamble/cJSON/issues/802 +Bug-Debian: https://bugs.debian.org/1059287 +Acked-by: Maytham Alsudany <maytha8the...@gmail.com> +Subject: [PATCH] add NULL checkings (#809) + * add NULL checks in cJSON_SetValuestring + Fixes #803(CVE-2023-50472) + . + * add NULL check in cJSON_InsertItemInArray + Fixes #802(CVE-2023-50471) + . + * add tests for NULL checks + add tests for NULL checks in cJSON_InsertItemInArray and cJSON_SetValuestring + +--- a/cJSON.c ++++ b/cJSON.c +@@ -401,7 +401,12 @@ + { + char *copy = NULL; + /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */ +- if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference)) ++ if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference)) ++ { ++ return NULL; ++ } ++ /* return NULL if the object is corrupted */ ++ if (object->valuestring == NULL) + { + return NULL; + } +@@ -2260,7 +2265,7 @@ + { + cJSON *after_inserted = NULL; + +- if (which < 0) ++ if (which < 0 || newitem == NULL) + { + return false; + } +@@ -2271,6 +2276,11 @@ + return add_item_to_array(array, newitem); + } + ++ if (after_inserted != array->child && newitem->prev == NULL) { ++ /* return false if after_inserted is a corrupted array item */ ++ return false; ++ } ++ + newitem->next = after_inserted; + newitem->prev = after_inserted->prev; + after_inserted->prev = newitem; +--- a/tests/misc_tests.c ++++ b/tests/misc_tests.c +@@ -353,6 +353,19 @@ + { + char buffer[10]; + cJSON *item = cJSON_CreateString("item"); ++ cJSON *array = cJSON_CreateArray(); ++ cJSON *item1 = cJSON_CreateString("item1"); ++ cJSON *item2 = cJSON_CreateString("corrupted array item3"); ++ cJSON *corruptedString = cJSON_CreateString("corrupted"); ++ struct cJSON *originalPrev; ++ ++ add_item_to_array(array, item1); ++ add_item_to_array(array, item2); ++ ++ originalPrev = item2->prev; ++ item2->prev = NULL; ++ free(corruptedString->valuestring); ++ corruptedString->valuestring = NULL; + + cJSON_InitHooks(NULL); + TEST_ASSERT_NULL(cJSON_Parse(NULL)); +@@ -412,6 +425,8 @@ + cJSON_DeleteItemFromObject(item, NULL); + cJSON_DeleteItemFromObjectCaseSensitive(NULL, "item"); + cJSON_DeleteItemFromObjectCaseSensitive(item, NULL); ++ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 0, NULL)); ++ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item)); + TEST_ASSERT_FALSE(cJSON_InsertItemInArray(NULL, 0, item)); + TEST_ASSERT_FALSE(cJSON_InsertItemInArray(item, 0, NULL)); + TEST_ASSERT_FALSE(cJSON_ReplaceItemViaPointer(NULL, item, item)); +@@ -428,10 +443,16 @@ + TEST_ASSERT_NULL(cJSON_Duplicate(NULL, true)); + TEST_ASSERT_FALSE(cJSON_Compare(item, NULL, false)); + TEST_ASSERT_FALSE(cJSON_Compare(NULL, item, false)); ++ TEST_ASSERT_NULL(cJSON_SetValuestring(NULL, "test")); ++ TEST_ASSERT_NULL(cJSON_SetValuestring(corruptedString, "test")); + cJSON_Minify(NULL); + /* skipped because it is only used via a macro that checks for NULL */ + /* cJSON_SetNumberHelper(NULL, 0); */ + ++ /* restore corrupted item2 to delete it */ ++ item2->prev = originalPrev; ++ cJSON_Delete(corruptedString); ++ cJSON_Delete(array); + cJSON_Delete(item); + } + diff -Nru cjson-1.7.15/debian/patches/series cjson-1.7.15/debian/patches/series --- cjson-1.7.15/debian/patches/series 1970-01-01 03:00:00.000000000 +0300 +++ cjson-1.7.15/debian/patches/series 2024-04-09 04:29:47.000000000 +0300 @@ -0,0 +1 @@ +0001-add-null-checkings.patch
signature.asc
Description: This is a digitally signed message part
