Bug#926484: marked as done (unblock: gpsd/3.17-6)

To: Ivo De Decker <ivodd@respighi.debian.org>
Subject: Bug#926484: marked as done (unblock: gpsd/3.17-6)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 06 Apr 2019 10:45:03 +0000
Message-id: <[🔎] handler.926484.D926484.155454743523545.ackdone@bugs.debian.org>
Reply-to: 926484@bugs.debian.org
References: <E1hCine-0003cD-Ly@respighi.debian.org> <[🔎] 155450185482.16338.12398580167800207828.reportbug@think.wals.bzed.at>

Your message dated Sat, 06 Apr 2019 10:43:50 +0000
with message-id <E1hCine-0003cD-Ly@respighi.debian.org>
and subject line unblock gpsd
has caused the Debian Bug report #926484,
regarding unblock: gpsd/3.17-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
926484: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926484
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: gpsd/3.17-6
From: Bernd Zeimetz <bzed@debian.org>
Date: Sat, 06 Apr 2019 00:04:14 +0200
Message-id: <[🔎] 155450185482.16338.12398580167800207828.reportbug@think.wals.bzed.at>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi release-team,

please unblock package gpsd.

The applied diff was discussed with the release team and we've
decided its the best way to fix the json related fixes.
Diff between 3.17-5 und 3.17-6 is attached to this mail.


  * [0a8e4e18] Pull json fixes from upstream to fix a stack-based
    buffer overflow, which may allow remote attackers to execute
    arbitrary code on embedded platforms via traffic on Port
    2947/TCP or crafted JSON inputs.
    CVE-2018-17937 / Closes: #925327
    The update also fixes several other json parser bugs.
    - ECMA-404 says JSON \u must have 4 hex digits
    - Allow for \u escapes with fewer than 4 digits.
    - Fail on bad escape string.


unblock gpsd/3.17-6


Thanks,

Bernd

-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F

diff --git a/debian/changelog b/debian/changelog
index ebd29108b..16bb69795 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+gpsd (3.17-6) unstable; urgency=medium
+
+  * [0a8e4e18] Pull json fixes from upstream to fix a stack-based
+    buffer overflow, which may allow remote attackers to execute
+    arbitrary code on embedded platforms via traffic on Port
+    2947/TCP or crafted JSON inputs.
+    CVE-2018-17937 / Closes: #925327
+    The update also fixes several other json parser bugs.
+    - ECMA-404 says JSON \u must have 4 hex digits
+    - Allow for \u escapes with fewer than 4 digits.
+    - Fail on bad escape string.
+  * [71020f4f] Update git-buildpackage config to build from the
+    buster branch.
+
+ -- Bernd Zeimetz <bzed@debian.org>  Fri, 05 Apr 2019 23:31:30 +0200
+
 gpsd (3.17-5) unstable; urgency=medium
 
   * [fd1e83f9] Add pkg-config as Build-Dependency.
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 1529a93db..151b02d6b 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -4,7 +4,7 @@
 # the default branch for upstream sources:
 #upstream-branch = upstream
 # the default branch for the debian patch:
-#debian-branch = master
+debian-branch = buster
 # the default tag formats used:
 #upstream-tag = upstream/%(version)s
 #debian-tag = debian/%(version)s
diff --git a/debian/patches/json-cve-fix b/debian/patches/json-cve-fix
new file mode 100644
index 000000000..e81237bee
--- /dev/null
+++ b/debian/patches/json-cve-fix
@@ -0,0 +1,170 @@
+--- a/json.c
++++ b/json.c
+@@ -30,7 +30,7 @@ will match the right spec against the ac
+ recognize the JSON "null" value.  Secondly, arrays may not have
+ character values as elements (this limitation could be easily removed
+ if required). Third, all elements of an array must be of the same
+-type.
++type.  Fourth, it can not handle NaN's in doubles (Issue 53150).
+ 
+    There are separate entry points for beginning a parse of either
+ JSON object or a JSON array. JSON "float" quantities are actually
+@@ -59,7 +59,7 @@ reusable module; search for "microjson".
+ 
+ PERMISSIONS
+    This file is Copyright (c) 2010 by the GPSD project
+-   BSD terms apply: see the file COPYING in the distribution root for details.
++   SPDX-License-Identifier: BSD-2-clause
+ 
+ ***************************************************************************/
+ #include <stdio.h>
+@@ -188,7 +188,7 @@ static int json_internal_read_object(con
+     char *lptr;
+ 
+     if (end != NULL)
+-	*end = NULL;		/* give it a well-defined value on parse failure */
++	*end = NULL;	/* give it a well-defined value on parse failure */
+ 
+     /* stuff fields with defaults in case they're omitted in the JSON input */
+     for (cursor = attrs; cursor->attribute != NULL; cursor++)
+@@ -294,7 +294,8 @@ static int json_internal_read_object(con
+ 		}
+ 		if (cursor->attribute == NULL) {
+ 		    json_debug_trace((1,
+-				      "Unknown attribute name '%s' (attributes begin with '%s').\n",
++				      "Unknown attribute name '%s'"
++                                      " (attributes begin with '%s').\n",
+ 				      attrbuf, attrs->attribute));
+ 		    /* don't update end here, leave at attribute start */
+ 		    return JSON_ERR_BADATTR;
+@@ -374,6 +375,12 @@ static int json_internal_read_object(con
+ 	    if (pval == NULL)
+ 		/* don't update end here, leave at value start */
+ 		return JSON_ERR_NULLPTR;
++	    else if (pval > valbuf + JSON_VAL_MAX - 1
++		       || pval > valbuf + maxlen) {
++		json_debug_trace((1, "String value too long.\n"));
++		/* don't update end here, leave at value start */
++		return JSON_ERR_STRLONG;	/*  */
++	    }
+ 	    switch (*cp) {
+ 	    case 'b':
+ 		*pval++ = '\b';
+@@ -391,11 +398,16 @@ static int json_internal_read_object(con
+ 		*pval++ = '\t';
+ 		break;
+ 	    case 'u':
+-		for (n = 0; n < 4 && cp[n] != '\0'; n++)
++                cp++;                   /* skip the 'u' */
++		for (n = 0; n < 4 && isxdigit(*cp); n++)
+ 		    uescape[n] = *cp++;
++                uescape[n] = '\0';      /* terminate */
+ 		--cp;
+-		(void)sscanf(uescape, "%04x", &u);
+-		*pval++ = (char)u;	/* will truncate values above 0xff */
++                /* ECMA-404 says JSON \u must have 4 hex digits */
++		if ((4 != n) || (1 != sscanf(uescape, "%4x", &u))) {
++		    return JSON_ERR_BADSTRING;
++                }
++		*pval++ = (unsigned char)u;  /* truncate values above 0xff */
+ 		break;
+ 	    default:		/* handles double quote and solidus */
+ 		*pval++ = *cp;
+@@ -432,7 +444,8 @@ static int json_internal_read_object(con
+ 	     */
+ 	    for (;;) {
+ 		int seeking = cursor->type;
+-		if (value_quoted && (cursor->type == t_string || cursor->type == t_time))
++		if (value_quoted && (cursor->type == t_string
++                    || cursor->type == t_time))
+ 		    break;
+ 		if ((strcmp(valbuf, "true")==0 || strcmp(valbuf, "false")==0)
+ 			&& seeking == t_boolean)
+@@ -441,7 +454,8 @@ static int json_internal_read_object(con
+ 		    bool decimal = strchr(valbuf, '.') != NULL;
+ 		    if (decimal && seeking == t_real)
+ 			break;
+-		    if (!decimal && (seeking == t_integer || seeking == t_uinteger))
++		    if (!decimal && (seeking == t_integer
++                                     || seeking == t_uinteger))
+ 			break;
+ 		}
+ 		if (cursor[1].attribute==NULL)	/* out of possiblities */
+@@ -454,15 +468,15 @@ static int json_internal_read_object(con
+ 		&& (cursor->type != t_string && cursor->type != t_character
+ 		    && cursor->type != t_check && cursor->type != t_time
+ 		    && cursor->type != t_ignore && cursor->map == 0)) {
+-		json_debug_trace((1,
+-				  "Saw quoted value when expecting non-string.\n"));
++		json_debug_trace((1, "Saw quoted value when expecting"
++                                  " non-string.\n"));
+ 		return JSON_ERR_QNONSTRING;
+ 	    }
+ 	    if (!value_quoted
+ 		&& (cursor->type == t_string || cursor->type == t_check
+ 		    || cursor->type == t_time || cursor->map != 0)) {
+-		json_debug_trace((1,
+-				  "Didn't see quoted value when expecting string.\n"));
++		json_debug_trace((1, "Didn't see quoted value when expecting"
++                                  " string.\n"));
+ 		return JSON_ERR_NONQSTRING;
+ 	    }
+ 	    if (cursor->map != 0) {
+@@ -542,14 +556,15 @@ static int json_internal_read_object(con
+ 		    break;
+ 		case t_check:
+ 		    if (strcmp(cursor->dflt.check, valbuf) != 0) {
+-			json_debug_trace((1,
+-					  "Required attribute value %s not present.\n",
++			json_debug_trace((1, "Required attribute value %s"
++                                          " not present.\n",
+ 					  cursor->dflt.check));
+ 			/* don't update end here, leave at start of attribute */
+ 			return JSON_ERR_CHECKFAIL;
+ 		    }
+ 		    break;
+ 		}
++	    __attribute__ ((fallthrough));
+ 	case post_array:
+ 	    if (isspace((unsigned char) *cp))
+ 		continue;
+@@ -587,7 +602,7 @@ int json_read_array(const char *cp, cons
+     char *tp;
+ 
+     if (end != NULL)
+-	*end = NULL;		/* give it a well-defined value on parse failure */
++	*end = NULL;	/* give it a well-defined value on parse failure */
+ 
+     json_debug_trace((1, "Entered json_read_array()\n"));
+ 
+@@ -663,7 +678,8 @@ int json_read_array(const char *cp, cons
+ #endif /* JSON_MINIMAL */
+ 	case t_uinteger:
+ #ifndef JSON_MINIMAL
+-	    arr->arr.uintegers.store[offset] = (unsigned int)strtoul(cp, &ep, 0);
++	    arr->arr.uintegers.store[offset] = (unsigned int)strtoul(cp,
++                                                                     &ep, 0);
+ 	    if (ep == cp)
+ 		return JSON_ERR_BADNUM;
+ 	    else
+@@ -681,7 +697,8 @@ int json_read_array(const char *cp, cons
+ #endif /* JSON_MINIMAL */
+ 	case t_ushort:
+ #ifndef JSON_MINIMAL
+-	    arr->arr.ushorts.store[offset] = (unsigned short)strtoul(cp, &ep, 0);
++	    arr->arr.ushorts.store[offset] = (unsigned short)strtoul(cp,
++                                                                     &ep, 0);
+ 	    if (ep == cp)
+ 		return JSON_ERR_BADNUM;
+ 	    else
+--- a/json.h
++++ b/json.h
+@@ -1,7 +1,7 @@
+ /* Structures for JSON parsing using only fixed-extent memory
+  *
+  * This file is Copyright (c) 2010 by the GPSD project
+- * BSD terms apply: see the file COPYING in the distribution root for details.
++ * SPDX-License-Identifier: BSD-2-clause
+  */
+ 
+ #include <stdbool.h>
diff --git a/debian/patches/series b/debian/patches/series
index 81b0806da..d0e0a4c91 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 full-systemd-support
 gpsd_hotplug_rules_disable_generic_serial_converters
 ed205512d_Fixes-SConstruct-for-SCons-3.0.0
+json-cve-fix

--- End Message ---

--- Begin Message ---

To: 926484-done@bugs.debian.org

Subject: unblock gpsd

From: Ivo De Decker <ivodd@respighi.debian.org>

Date: Sat, 06 Apr 2019 10:43:50 +0000

Message-id: <E1hCine-0003cD-Ly@respighi.debian.org>
Unblocked gpsd.
--- End Message ---

Reply to:

References:
- Bug#926484: unblock: gpsd/3.17-6
  - From: Bernd Zeimetz <bzed@debian.org>

Prev by Date: Bug#926510: unblock: python-scales/1.0.9-2
Next by Date: Bug#926337: marked as done (unblock: notary/0.6.1~ds1-3)
Previous by thread: Bug#926484: unblock: gpsd/3.17-6
Next by thread: Bug#926495: unblock: gnome-gmail/2.6-1
Index(es):
- Date
- Thread