Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libfastjson@packages.debian.org, biebl@debian.org
Control: affects -1 + libfastjson

Please unblock package libfastjson

A new upstream version of libfastjson fixes a security bug (CVE-2020-12762, #1035302). They also changed the release numbering, hence the seemingly huge jump, but the actual diff is quite small.

[ Reason ]
"Prevent signed integer overflows with large buffers", as upstream states inline, cf.
<https://security-tracker.debian.org/tracker/CVE-2020-12762>
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035302>

[ Impact ]
Without this change the above vulnerability remains. However, according to upstream, rsyslog - the main and almost sole user of this library - was not affected anyway due to size limits.

[ Tests ]
There is some coverage via upstream's tests/test_printbuf.c that is run during build time. The code in question is also tested in json-c, cf.
<https://security-tracker.debian.org/tracker/CVE-2020-12762>.

[ Risks ]
Via rsyslog this library is a key package. However, the new code merely adds some straightforward checks against signed integer overflows, which are already part of json-c in buster, bullseye, bookworm, and sid, cf.
<https://security-tracker.debian.org/tracker/CVE-2020-12762>.
The new libfastjson release entered unstable 18 days ago, and so far no bugs seem to have surfaced due to this change.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them (disclaimer below)
  [x] attach debdiff against the package in testing

I am not the package maintainer but merely the bug submitter. However, Michael expressed he wouldn't object if I want to pursue this, cf.
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035302#19>.

unblock libfastjson/1.2304.0-1
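As an added illustration of the overflow checks described above (this is not part of the bug report or of libfastjson's own code), the growth policy of the patched printbuf_extend() and the printbuf_memappend() guard are rewritten below as stand-alone C functions; cur_size and bpos stand in for p->size and p->bpos, and the pre-patch arithmetic is evaluated in long long so the value that would have wrapped can be seen.

```c
#include <limits.h>
#include <stdio.h>

/* Growth policy as in the patched printbuf_extend(); cur_size stands for
 * p->size. Returns the new buffer size, or -1 when the request cannot be
 * satisfied without overflowing int. */
int safe_grow_size(int cur_size, int min_size)
{
    int new_size;
    if (min_size > INT_MAX - 8)       /* min_size + 8 would overflow */
        return -1;
    if (cur_size > INT_MAX / 2) {     /* cur_size * 2 would overflow */
        new_size = min_size + 8;
    } else {
        new_size = cur_size * 2;
        if (new_size < min_size + 8)
            new_size = min_size + 8;
    }
    return new_size;
}

/* The pre-patch arithmetic evaluated in long long, so the value that would
 * have wrapped in int can be observed instead of being undefined behaviour. */
long long unchecked_grow_size(int cur_size, int min_size)
{
    long long new_size = (long long)cur_size * 2;
    if (new_size < (long long)min_size + 8)
        new_size = (long long)min_size + 8;
    return new_size;
}

/* Guard from the patched printbuf_memappend(): 1 if `size` bytes plus the
 * terminating NUL fit after bpos without bpos + size + 1 overflowing.
 * Like the patch, it assumes bpos and size are non-negative. */
int append_fits(int bpos, int size)
{
    return size <= INT_MAX - bpos - 1;
}

int main(void)
{
    printf("grow 64 -> at least 70: %d\n", safe_grow_size(64, 70));
    printf("grow to INT_MAX - 4 rejected: %d\n", safe_grow_size(64, INT_MAX - 4));
    printf("old arithmetic on a half-INT_MAX buffer: %lld (INT_MAX = %d)\n",
           unchecked_grow_size(INT_MAX / 2 + 1, 100), INT_MAX);
    printf("append INT_MAX bytes at 0 fits: %d\n", append_fits(0, INT_MAX));
    return 0;
}
```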
diff -Nru libfastjson-0.99.9/ChangeLog libfastjson-1.2304.0/ChangeLog
--- libfastjson-0.99.9/ChangeLog 2021-01-25 13:52:55.000000000 +0100
+++ libfastjson-1.2304.0/ChangeLog 2023-04-17 15:51:20.000000000 +0200
@@ -1,3 +1,8 @@
+1.2304.0, 2023-04-18
+- change of release number scheme, now like rsyslog
+- fix Fix CVE-2020-12762
+ Note: the CVE did not affect rsyslog use due to size limits
+ Thanks to Wang Haitao for the patch.
0.99.9 2021-01-26
- add API fjson_object_get_uint()
Thanks to Janmejay Singh for contributing the patch.
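Review bot: the new entry `+- fix Fix CVE-2020-12762` has a doubled word; it should read `- fix CVE-2020-12762`. Since this ChangeLog is shipped as upstream documentation it is worth reporting upstream rather than patching in Debian.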
diff -Nru libfastjson-0.99.9/configure libfastjson-1.2304.0/configure
--- libfastjson-0.99.9/configure 2021-01-25 13:53:09.000000000 +0100
+++ libfastjson-1.2304.0/configure 2023-04-17 15:54:00.000000000 +0200
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for libfastjson 0.99.9.
+# Generated by GNU Autoconf 2.69 for libfastjson 1.2304.0.
#
# Report bugs to <rsyslog@lists.adiscon.com>.
#
@@ -590,8 +590,8 @@
# Identity of this package.
PACKAGE_NAME='libfastjson'
PACKAGE_TARNAME='libfastjson'
-PACKAGE_VERSION='0.99.9'
-PACKAGE_STRING='libfastjson 0.99.9'
+PACKAGE_VERSION='1.2304.0'
+PACKAGE_STRING='libfastjson 1.2304.0'
PACKAGE_BUGREPORT='rsyslog@lists.adiscon.com'
PACKAGE_URL=''
@@ -1336,7 +1336,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures libfastjson 0.99.9 to adapt to many kinds of systems.
+\`configure' configures libfastjson 1.2304.0 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1407,7 +1407,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of libfastjson 0.99.9:";;
+ short | recursive ) echo "Configuration of libfastjson 1.2304.0:";;
esac
cat <<\_ACEOF
@@ -1525,7 +1525,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-libfastjson configure 0.99.9
+libfastjson configure 1.2304.0
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1948,7 +1948,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by libfastjson $as_me 0.99.9, which was
+It was created by libfastjson $as_me 1.2304.0, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -2838,7 +2838,7 @@
# Define the identity of the package.
PACKAGE='libfastjson'
- VERSION='0.99.9'
+ VERSION='1.2304.0'
cat >>confdefs.h <<_ACEOF
@@ -15280,7 +15280,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by libfastjson $as_me 0.99.9, which was
+This file was extended by libfastjson $as_me 1.2304.0, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -15346,7 +15346,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-libfastjson config.status 0.99.9
+libfastjson config.status 1.2304.0
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff -Nru libfastjson-0.99.9/configure.ac libfastjson-1.2304.0/configure.ac
--- libfastjson-0.99.9/configure.ac 2021-01-25 13:52:55.000000000 +0100
+++ libfastjson-1.2304.0/configure.ac 2023-04-17 15:53:41.000000000 +0200
@@ -1,7 +1,7 @@
AC_PREREQ(2.52)
# Process this file with autoconf to produce a configure script.
-AC_INIT([libfastjson], [0.99.9], [rsyslog@lists.adiscon.com])
+AC_INIT([libfastjson], [1.2304.0], [rsyslog@lists.adiscon.com])
# AIXPORT START: Detect the underlying OS
unamestr=$(uname)
AM_CONDITIONAL([AIX], [test x$unamestr = xAIX])
diff -Nru libfastjson-0.99.9/debian/changelog libfastjson-1.2304.0/debian/changelog
--- libfastjson-0.99.9/debian/changelog 2022-09-02 13:02:31.000000000 +0200
+++ libfastjson-1.2304.0/debian/changelog 2023-05-03 12:48:03.000000000 +0200
@@ -1,3 +1,13 @@
+libfastjson (1.2304.0-1) unstable; urgency=medium
+
+ * New upstream version 1.2304.0
+ - Fixes integer overflow and out-of-bounds write via a large JSON file.
+ This issue was originally found in the json-c library.
+ (CVE-2020-12762, Closes: #1035302)
+ * Bump Standards-Version to 4.6.2
+
+ -- Michael Biebl <biebl@debian.org> Wed, 03 May 2023 12:48:03 +0200
+
libfastjson (0.99.9-2) unstable; urgency=medium
* Enable all hardening build flags
diff -Nru libfastjson-0.99.9/debian/control libfastjson-1.2304.0/debian/control
--- libfastjson-0.99.9/debian/control 2022-09-02 13:02:31.000000000 +0200
+++ libfastjson-1.2304.0/debian/control 2023-05-03 12:48:03.000000000 +0200
@@ -4,7 +4,7 @@
Maintainer: Michael Biebl <biebl@debian.org>
Build-Depends: debhelper-compat (= 13),
pkg-config
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
Rules-Requires-Root: no
Vcs-Git: https://salsa.debian.org/debian/libfastjson.git
Vcs-Browser: https://salsa.debian.org/debian/libfastjson
diff -Nru libfastjson-0.99.9/printbuf.c libfastjson-1.2304.0/printbuf.c
--- libfastjson-0.99.9/printbuf.c 2021-01-25 13:00:57.000000000 +0100
+++ libfastjson-1.2304.0/printbuf.c 2023-03-30 11:53:47.000000000 +0200
@@ -13,6 +13,7 @@
#include "config.h"
+#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -68,9 +69,16 @@
if (p->size >= min_size)
return 0;
- new_size = p->size * 2;
- if (new_size < min_size + 8)
- new_size = min_size + 8;
+ /* Prevent signed integer overflows with large buffers. */
+ if (min_size > INT_MAX - 8)
+ return -1;
+ if (p->size > INT_MAX / 2)
+ new_size = min_size + 8;
+ else {
+ new_size = p->size * 2;
+ if (new_size < min_size + 8)
+ new_size = min_size + 8;
+ }
#ifdef PRINTBUF_DEBUG
MC_DEBUG("printbuf_memappend: realloc "
"bpos=%d min_size=%d old_size=%d new_size=%d\n",
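Review bot: the two guards depend on each other in a way the one-line comment does not state: the early `if (min_size > INT_MAX - 8) return -1;` is what makes `new_size = min_size + 8` safe in the `p->size > INT_MAX / 2` branch, and `p->size <= INT_MAX / 2` is what keeps `p->size * 2` within int. Suggest extending the comment to say so, so that a later reordering of the checks cannot silently reintroduce the overflow.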
@@ -85,6 +93,9 @@
int printbuf_memappend(struct printbuf *p, const char *buf, int size)
{
+ /* Prevent signed integer overflows with large buffers. */
+ if (size > INT_MAX - p->bpos - 1)
+ return -1;
if (p->size <= p->bpos + size + 1) {
if (printbuf_extend(p, p->bpos + size + 1) < 0)
return -1;
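Review bot: `if (size > INT_MAX - p->bpos - 1)` bounds only the upper side; with `size` declared `int`, a negative value passes this guard and still reaches the `p->bpos + size + 1` arithmetic below. If callers are trusted this is pre-existing behaviour, but a `size < 0` rejection next to the new check would cost nothing and document the assumption.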
@@ -136,6 +147,9 @@
if (offset == -1)
offset = pb->bpos;
+ /* Prevent signed integer overflows with large buffers. */
+ if (len > INT_MAX - offset)
+ return -1;
size_needed = offset + len;
if (pb->size < size_needed)
{
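Review bot: placing the guard after the `offset == -1` resolution is right, since `offset` is then a real position when compared. Unlike the memappend guard this one reserves no extra byte; that is fine only because printbuf_extend() always rounds `min_size` up by at least 8 (see the earlier hunk), and a short comment saying so would keep the two guards from looking inconsistent to the next reader.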