[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#926484: unblock: gpsd/3.17-6

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi release-team,

please unblock package gpsd.

The applied diff was discussed with the release team and we've
decided its the best way to fix the json related fixes.
Diff between 3.17-5 und 3.17-6 is attached to this mail.


  * [0a8e4e18] Pull json fixes from upstream to fix a stack-based
    buffer overflow, which may allow remote attackers to execute
    arbitrary code on embedded platforms via traffic on Port
    2947/TCP or crafted JSON inputs.
    CVE-2018-17937 / Closes: #925327
    The update also fixes several other json parser bugs.
    - ECMA-404 says JSON \u must have 4 hex digits
    - Allow for \u escapes with fewer than 4 digits.
    - Fail on bad escape string.


unblock gpsd/3.17-6


Thanks,

Bernd

-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F

diff --git a/debian/changelog b/debian/changelog
index ebd29108b..16bb69795 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+gpsd (3.17-6) unstable; urgency=medium
+
+  * [0a8e4e18] Pull json fixes from upstream to fix a stack-based
+    buffer overflow, which may allow remote attackers to execute
+    arbitrary code on embedded platforms via traffic on Port
+    2947/TCP or crafted JSON inputs.
+    CVE-2018-17937 / Closes: #925327
+    The update also fixes several other json parser bugs.
+    - ECMA-404 says JSON \u must have 4 hex digits
+    - Allow for \u escapes with fewer than 4 digits.
+    - Fail on bad escape string.
+  * [71020f4f] Update git-buildpackage config to build from the
+    buster branch.
+
+ -- Bernd Zeimetz <bzed@debian.org>  Fri, 05 Apr 2019 23:31:30 +0200
+
 gpsd (3.17-5) unstable; urgency=medium
 
   * [fd1e83f9] Add pkg-config as Build-Dependency.
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 1529a93db..151b02d6b 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -4,7 +4,7 @@
 # the default branch for upstream sources:
 #upstream-branch = upstream
 # the default branch for the debian patch:
-#debian-branch = master
+debian-branch = buster
 # the default tag formats used:
 #upstream-tag = upstream/%(version)s
 #debian-tag = debian/%(version)s
diff --git a/debian/patches/json-cve-fix b/debian/patches/json-cve-fix
new file mode 100644
index 000000000..e81237bee
--- /dev/null
+++ b/debian/patches/json-cve-fix
@@ -0,0 +1,170 @@
+--- a/json.c
++++ b/json.c
+@@ -30,7 +30,7 @@ will match the right spec against the ac
+ recognize the JSON "null" value.  Secondly, arrays may not have
+ character values as elements (this limitation could be easily removed
+ if required). Third, all elements of an array must be of the same
+-type.
++type.  Fourth, it can not handle NaN's in doubles (Issue 53150).
+ 
+    There are separate entry points for beginning a parse of either
+ JSON object or a JSON array. JSON "float" quantities are actually
+@@ -59,7 +59,7 @@ reusable module; search for "microjson".
+ 
+ PERMISSIONS
+    This file is Copyright (c) 2010 by the GPSD project
+-   BSD terms apply: see the file COPYING in the distribution root for details.
++   SPDX-License-Identifier: BSD-2-clause
+ 
+ ***************************************************************************/
+ #include <stdio.h>
+@@ -188,7 +188,7 @@ static int json_internal_read_object(con
+     char *lptr;
+ 
+     if (end != NULL)
+-	*end = NULL;		/* give it a well-defined value on parse failure */
++	*end = NULL;	/* give it a well-defined value on parse failure */
+ 
+     /* stuff fields with defaults in case they're omitted in the JSON input */
+     for (cursor = attrs; cursor->attribute != NULL; cursor++)
+@@ -294,7 +294,8 @@ static int json_internal_read_object(con
+ 		}
+ 		if (cursor->attribute == NULL) {
+ 		    json_debug_trace((1,
+-				      "Unknown attribute name '%s' (attributes begin with '%s').\n",
++				      "Unknown attribute name '%s'"
++                                      " (attributes begin with '%s').\n",
+ 				      attrbuf, attrs->attribute));
+ 		    /* don't update end here, leave at attribute start */
+ 		    return JSON_ERR_BADATTR;
+@@ -374,6 +375,12 @@ static int json_internal_read_object(con
+ 	    if (pval == NULL)
+ 		/* don't update end here, leave at value start */
+ 		return JSON_ERR_NULLPTR;
++	    else if (pval > valbuf + JSON_VAL_MAX - 1
++		       || pval > valbuf + maxlen) {
++		json_debug_trace((1, "String value too long.\n"));
++		/* don't update end here, leave at value start */
++		return JSON_ERR_STRLONG;	/*  */
++	    }
+ 	    switch (*cp) {
+ 	    case 'b':
+ 		*pval++ = '\b';
+@@ -391,11 +398,16 @@ static int json_internal_read_object(con
+ 		*pval++ = '\t';
+ 		break;
+ 	    case 'u':
+-		for (n = 0; n < 4 && cp[n] != '\0'; n++)
++                cp++;                   /* skip the 'u' */
++		for (n = 0; n < 4 && isxdigit(*cp); n++)
+ 		    uescape[n] = *cp++;
++                uescape[n] = '\0';      /* terminate */
+ 		--cp;
+-		(void)sscanf(uescape, "%04x", &u);
+-		*pval++ = (char)u;	/* will truncate values above 0xff */
++                /* ECMA-404 says JSON \u must have 4 hex digits */
++		if ((4 != n) || (1 != sscanf(uescape, "%4x", &u))) {
++		    return JSON_ERR_BADSTRING;
++                }
++		*pval++ = (unsigned char)u;  /* truncate values above 0xff */
+ 		break;
+ 	    default:		/* handles double quote and solidus */
+ 		*pval++ = *cp;
+@@ -432,7 +444,8 @@ static int json_internal_read_object(con
+ 	     */
+ 	    for (;;) {
+ 		int seeking = cursor->type;
+-		if (value_quoted && (cursor->type == t_string || cursor->type == t_time))
++		if (value_quoted && (cursor->type == t_string
++                    || cursor->type == t_time))
+ 		    break;
+ 		if ((strcmp(valbuf, "true")==0 || strcmp(valbuf, "false")==0)
+ 			&& seeking == t_boolean)
+@@ -441,7 +454,8 @@ static int json_internal_read_object(con
+ 		    bool decimal = strchr(valbuf, '.') != NULL;
+ 		    if (decimal && seeking == t_real)
+ 			break;
+-		    if (!decimal && (seeking == t_integer || seeking == t_uinteger))
++		    if (!decimal && (seeking == t_integer
++                                     || seeking == t_uinteger))
+ 			break;
+ 		}
+ 		if (cursor[1].attribute==NULL)	/* out of possiblities */
+@@ -454,15 +468,15 @@ static int json_internal_read_object(con
+ 		&& (cursor->type != t_string && cursor->type != t_character
+ 		    && cursor->type != t_check && cursor->type != t_time
+ 		    && cursor->type != t_ignore && cursor->map == 0)) {
+-		json_debug_trace((1,
+-				  "Saw quoted value when expecting non-string.\n"));
++		json_debug_trace((1, "Saw quoted value when expecting"
++                                  " non-string.\n"));
+ 		return JSON_ERR_QNONSTRING;
+ 	    }
+ 	    if (!value_quoted
+ 		&& (cursor->type == t_string || cursor->type == t_check
+ 		    || cursor->type == t_time || cursor->map != 0)) {
+-		json_debug_trace((1,
+-				  "Didn't see quoted value when expecting string.\n"));
++		json_debug_trace((1, "Didn't see quoted value when expecting"
++                                  " string.\n"));
+ 		return JSON_ERR_NONQSTRING;
+ 	    }
+ 	    if (cursor->map != 0) {
+@@ -542,14 +556,15 @@ static int json_internal_read_object(con
+ 		    break;
+ 		case t_check:
+ 		    if (strcmp(cursor->dflt.check, valbuf) != 0) {
+-			json_debug_trace((1,
+-					  "Required attribute value %s not present.\n",
++			json_debug_trace((1, "Required attribute value %s"
++                                          " not present.\n",
+ 					  cursor->dflt.check));
+ 			/* don't update end here, leave at start of attribute */
+ 			return JSON_ERR_CHECKFAIL;
+ 		    }
+ 		    break;
+ 		}
++	    __attribute__ ((fallthrough));
+ 	case post_array:
+ 	    if (isspace((unsigned char) *cp))
+ 		continue;
+@@ -587,7 +602,7 @@ int json_read_array(const char *cp, cons
+     char *tp;
+ 
+     if (end != NULL)
+-	*end = NULL;		/* give it a well-defined value on parse failure */
++	*end = NULL;	/* give it a well-defined value on parse failure */
+ 
+     json_debug_trace((1, "Entered json_read_array()\n"));
+ 
+@@ -663,7 +678,8 @@ int json_read_array(const char *cp, cons
+ #endif /* JSON_MINIMAL */
+ 	case t_uinteger:
+ #ifndef JSON_MINIMAL
+-	    arr->arr.uintegers.store[offset] = (unsigned int)strtoul(cp, &ep, 0);
++	    arr->arr.uintegers.store[offset] = (unsigned int)strtoul(cp,
++                                                                     &ep, 0);
+ 	    if (ep == cp)
+ 		return JSON_ERR_BADNUM;
+ 	    else
+@@ -681,7 +697,8 @@ int json_read_array(const char *cp, cons
+ #endif /* JSON_MINIMAL */
+ 	case t_ushort:
+ #ifndef JSON_MINIMAL
+-	    arr->arr.ushorts.store[offset] = (unsigned short)strtoul(cp, &ep, 0);
++	    arr->arr.ushorts.store[offset] = (unsigned short)strtoul(cp,
++                                                                     &ep, 0);
+ 	    if (ep == cp)
+ 		return JSON_ERR_BADNUM;
+ 	    else
+--- a/json.h
++++ b/json.h
+@@ -1,7 +1,7 @@
+ /* Structures for JSON parsing using only fixed-extent memory
+  *
+  * This file is Copyright (c) 2010 by the GPSD project
+- * BSD terms apply: see the file COPYING in the distribution root for details.
++ * SPDX-License-Identifier: BSD-2-clause
+  */
+ 
+ #include <stdbool.h>
diff --git a/debian/patches/series b/debian/patches/series
index 81b0806da..d0e0a4c91 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 full-systemd-support
 gpsd_hotplug_rules_disable_generic_serial_converters
 ed205512d_Fixes-SConstruct-for-SCons-3.0.0
+json-cve-fix
Reply to: