Your message dated Tue, 23 May 2023 18:56:27 +0200
with message-id <13f152e9-11bb-0b7d-d8bc-ce8746106242@debian.org>
and subject line Re: Bug#1036456: unblock: libfastjson/1.2304.0-1
has caused the Debian Bug report #1036456,
regarding unblock: libfastjson/1.2304.0-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1036456: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036456
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: libfastjson/1.2304.0-1
- From: Florian Ernst <florian_ernst@gmx.net>
- Date: Sun, 21 May 2023 14:57:11 +0200
- Message-id: <ZGoVJxTle5w/A/W1@fernst.no-ip.org>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libfastjson@packages.debian.org, biebl@debian.org
Control: affects -1 + libfastjson

Please unblock package libfastjson

A new upstream version of libfastjson fixes a security bug (CVE-2020-12762, #1035302). They also changed the release numbering, hence the seemingly huge jump, but the actual diff is quite small.

[ Reason ]
"Prevent signed integer overflows with large buffers", as upstream states inline, cf. <https://security-tracker.debian.org/tracker/CVE-2020-12762>, <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035302>.

[ Impact ]
Without this change the above vulnerability remains. However, according to upstream, rsyslog - the main and almost sole user of this library - was not affected anyway due to size limits.

[ Tests ]
There is some coverage via upstream's tests/test_printbuf.c that is run during build time. The code in question is also tested in json-c, cf. <https://security-tracker.debian.org/tracker/CVE-2020-12762>.

[ Risks ]
Via rsyslog this library is a key package. However, the new code merely adds some straightforward checks against signed integer overflows, which are already part of json-c in buster, bullseye, bookworm, and sid, cf. <https://security-tracker.debian.org/tracker/CVE-2020-12762>. The new libfastjson release entered unstable 18 days ago, and so far no bugs seem to have surfaced due to this change.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them (disclaimer below)
[x] attach debdiff against the package in testing

I am not the package maintainer but merely the bug submitter. However, Michael expressed he wouldn't object if I want to pursue this, cf. <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035302#19>.
unblock libfastjson/1.2304.0-1diff -Nru libfastjson-0.99.9/ChangeLog libfastjson-1.2304.0/ChangeLog --- libfastjson-0.99.9/ChangeLog 2021-01-25 13:52:55.000000000 +0100 +++ libfastjson-1.2304.0/ChangeLog 2023-04-17 15:51:20.000000000 +0200 @@ -1,3 +1,8 @@ +1.2304.0, 2023-04-18 +- change of release number scheme, now like rsyslog +- fix Fix CVE-2020-12762 + Note: the CVE did not affect rsyslog use due to size limits + Thanks to Wang Haitao for the patch. 0.99.9 2021-01-26 - add API fjson_object_get_uint() Thanks to Janmejay Singh for contributing the patch. diff -Nru libfastjson-0.99.9/configure libfastjson-1.2304.0/configure --- libfastjson-0.99.9/configure 2021-01-25 13:53:09.000000000 +0100 +++ libfastjson-1.2304.0/configure 2023-04-17 15:54:00.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for libfastjson 0.99.9. +# Generated by GNU Autoconf 2.69 for libfastjson 1.2304.0. # # Report bugs to <rsyslog@lists.adiscon.com>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='libfastjson' PACKAGE_TARNAME='libfastjson' -PACKAGE_VERSION='0.99.9' -PACKAGE_STRING='libfastjson 0.99.9' +PACKAGE_VERSION='1.2304.0' +PACKAGE_STRING='libfastjson 1.2304.0' PACKAGE_BUGREPORT='rsyslog@lists.adiscon.com' PACKAGE_URL='' @@ -1336,7 +1336,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libfastjson 0.99.9 to adapt to many kinds of systems. +\`configure' configures libfastjson 1.2304.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1407,7 +1407,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libfastjson 0.99.9:";; + short | recursive ) echo "Configuration of libfastjson 1.2304.0:";; esac cat <<\_ACEOF 
@@ -1525,7 +1525,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libfastjson configure 0.99.9 +libfastjson configure 1.2304.0 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1948,7 +1948,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libfastjson $as_me 0.99.9, which was +It was created by libfastjson $as_me 1.2304.0, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2838,7 +2838,7 @@ # Define the identity of the package. PACKAGE='libfastjson' - VERSION='0.99.9' + VERSION='1.2304.0' cat >>confdefs.h <<_ACEOF @@ -15280,7 +15280,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libfastjson $as_me 0.99.9, which was +This file was extended by libfastjson $as_me 1.2304.0, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -15346,7 +15346,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -libfastjson config.status 0.99.9 +libfastjson config.status 1.2304.0 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -Nru libfastjson-0.99.9/configure.ac libfastjson-1.2304.0/configure.ac --- libfastjson-0.99.9/configure.ac 2021-01-25 13:52:55.000000000 +0100 +++ libfastjson-1.2304.0/configure.ac 2023-04-17 15:53:41.000000000 +0200 
@@ -1,7 +1,7 @@ AC_PREREQ(2.52) # Process this file with autoconf to produce a configure script. -AC_INIT([libfastjson], [0.99.9], [rsyslog@lists.adiscon.com]) +AC_INIT([libfastjson], [1.2304.0], [rsyslog@lists.adiscon.com]) # AIXPORT START: Detect the underlying OS unamestr=$(uname) AM_CONDITIONAL([AIX], [test x$unamestr = xAIX]) diff -Nru libfastjson-0.99.9/debian/changelog libfastjson-1.2304.0/debian/changelog --- libfastjson-0.99.9/debian/changelog 2022-09-02 13:02:31.000000000 +0200 +++ libfastjson-1.2304.0/debian/changelog 2023-05-03 12:48:03.000000000 +0200 @@ -1,3 +1,13 @@ +libfastjson (1.2304.0-1) unstable; urgency=medium + + * New upstream version 1.2304.0 + - Fixes integer overflow and out-of-bounds write via a large JSON file. + This issue was originally found in the json-c library. + (CVE-2020-12762, Closes: #1035302) + * Bump Standards-Version to 4.6.2 + + -- Michael Biebl <biebl@debian.org> Wed, 03 May 2023 12:48:03 +0200 + libfastjson (0.99.9-2) unstable; urgency=medium * Enable all hardening build flags diff -Nru libfastjson-0.99.9/debian/control libfastjson-1.2304.0/debian/control --- libfastjson-0.99.9/debian/control 2022-09-02 13:02:31.000000000 +0200 +++ libfastjson-1.2304.0/debian/control 2023-05-03 12:48:03.000000000 +0200 @@ -4,7 +4,7 @@ Maintainer: Michael Biebl <biebl@debian.org> Build-Depends: debhelper-compat (= 13), pkg-config -Standards-Version: 4.6.1 +Standards-Version: 4.6.2 Rules-Requires-Root: no Vcs-Git: https://salsa.debian.org/debian/libfastjson.git Vcs-Browser: https://salsa.debian.org/debian/libfastjson diff -Nru libfastjson-0.99.9/printbuf.c libfastjson-1.2304.0/printbuf.c --- libfastjson-0.99.9/printbuf.c 2021-01-25 13:00:57.000000000 +0100 +++ libfastjson-1.2304.0/printbuf.c 2023-03-30 11:53:47.000000000 +0200 @@ -13,6 +13,7 @@ #include "config.h" +#include <limits.h> #include <stdio.h> #include <stdlib.h> #include <string.h> 
@@ -68,9 +69,16 @@ if (p->size >= min_size) return 0; - new_size = p->size * 2; - if (new_size < min_size + 8) - new_size = min_size + 8; + /* Prevent signed integer overflows with large buffers. */ + if (min_size > INT_MAX - 8) + return -1; + if (p->size > INT_MAX / 2) + new_size = min_size + 8; + else { + new_size = p->size * 2; + if (new_size < min_size + 8) + new_size = min_size + 8; + } #ifdef PRINTBUF_DEBUG MC_DEBUG("printbuf_memappend: realloc " "bpos=%d min_size=%d old_size=%d new_size=%d\n", @@ -85,6 +93,9 @@ int printbuf_memappend(struct printbuf *p, const char *buf, int size) { + /* Prevent signed integer overflows with large buffers. */ + if (size > INT_MAX - p->bpos - 1) + return -1; if (p->size <= p->bpos + size + 1) { if (printbuf_extend(p, p->bpos + size + 1) < 0) return -1; @@ -136,6 +147,9 @@ if (offset == -1) offset = pb->bpos; + /* Prevent signed integer overflows with large buffers. */ + if (len > INT_MAX - offset) + return -1; size_needed = offset + len; if (pb->size < size_needed) {Attachment: signature.asc
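Review bot: in the upstream ChangeLog hunk the new entry reads "fix Fix CVE-2020-12762", a doubled word; it is upstream's text, but since the same line is the only place in the tarball that records why the release exists, it is worth forwarding a one-word correction ("fix CVE-2020-12762") so the entry reads cleanly.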
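Review bot: in the printbuf_extend hunk the new `if (min_size > INT_MAX - 8) return -1;` makes -1 mean "requested size is not representable" in addition to whatever allocation failure it already meant, but the only new comment is "Prevent signed integer overflows with large buffers." A second comment line stating that -1 is also returned for unrepresentable sizes, and that both callers below propagate it, would document the new contract where readers of the function will look for it; the logic itself is sound given that both branches are guarded by that check.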
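Review bot: the new guard in printbuf_memappend, `if (size > INT_MAX - p->bpos - 1) return -1;`, only bounds `size` from above; a negative `size` passes it and reaches the `p->bpos + size + 1` arithmetic on the following line unchanged. Unless callers are already guaranteed never to pass a negative length, consider `if (size < 0 || size > INT_MAX - p->bpos - 1) return -1;` so the check covers every value that cannot be sized safely.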
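Review bot: in the printbuf_memset hunk, `if (len > INT_MAX - offset) return -1;` is only sound because the `if (offset == -1) offset = pb->bpos;` rewrite immediately above has made `offset` non-negative; any other negative `offset`, or a negative `len`, still passes and produces a `size_needed` smaller than `offset`. If those inputs are not rejected earlier in the call chain, add `offset < 0 || len < 0` to the condition. Also note that, unlike the memappend check, this one reserves no extra byte, so `size_needed = offset + len` may equal INT_MAX and then be refused by printbuf_extend's `INT_MAX - 8` test; that is the intended behaviour but worth a comment.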
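Review bot: the debian/changelog hunk records the CVE fix, but the debdiff contains no change to tests/test_printbuf.c, which the unblock request names as the build-time coverage; the three new `return -1` paths are therefore not exercised by this package's own tests. A small test feeding printbuf_memappend and printbuf_memset lengths near INT_MAX and asserting -1 would cover them without touching the library code.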
Description: PGP signature
--- End Message ---
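To make the overflow that the unblock request's [ Reason ] and [ Risks ] sections describe concrete, here is an added example, not code from libfastjson or from the Debian package: it models the size arithmetic of the printbuf.c hunks in isolation, with the pre-fix growth policy evaluated in 64-bit arithmetic so that the overflow is reported rather than executed (signed overflow is undefined behaviour in C). The function and variable names are the example's own; `append_size_needed` also rejects negative lengths, which is an assumption of this example and not something the patch does.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Pre-fix growth policy (new_size = size * 2, at least min_size + 8),
 * evaluated in long long so the int overflow is detected, not executed.
 * Returns true when the original int computation would have overflowed;
 * otherwise stores the size the old code would have chosen. */
static bool old_extend_would_overflow(int size, int min_size, int *new_size)
{
    long long doubled = 2LL * size;              /* p->size * 2   */
    long long padded  = (long long)min_size + 8; /* min_size + 8  */

    if (size >= min_size) {                      /* nothing to grow */
        *new_size = size;
        return false;
    }
    if (doubled > INT_MAX || padded > INT_MAX)
        return true;
    *new_size = (int)(doubled < padded ? padded : doubled);
    return false;
}

/* Post-fix growth policy, as in the patch; -1 means "refuse to grow". */
static int new_extend_size(int size, int min_size)
{
    int new_size;

    if (size >= min_size)
        return size;
    if (min_size > INT_MAX - 8)       /* min_size + 8 would overflow */
        return -1;
    if (size > INT_MAX / 2)           /* size * 2 would overflow     */
        new_size = min_size + 8;
    else {
        new_size = size * 2;
        if (new_size < min_size + 8)
            new_size = min_size + 8;
    }
    return new_size;
}

/* Post-fix append guard (bytes needed for size bytes at bpos plus NUL),
 * plus a rejection of negative inputs that the patch itself does not add
 * (assumption of this example, not libfastjson behaviour). */
static int append_size_needed(int bpos, int size)
{
    if (size < 0 || bpos < 0)
        return -1;
    if (size > INT_MAX - bpos - 1)
        return -1;
    return bpos + size + 1;
}

int main(void)
{
    int ns = 0;
    int big = INT_MAX / 2 + 1;  /* doubling this wraps a 32-bit int */

    printf("old policy overflows for size=%d: %s\n", big,
           old_extend_would_overflow(big, big + 1, &ns) ? "yes" : "no");
    printf("new policy for size=%d min_size=%d: %d\n", big, big + 1,
           new_extend_size(big, big + 1));
    printf("new policy for min_size=INT_MAX: %d\n",
           new_extend_size(64, INT_MAX));
    printf("append %d bytes at bpos=%d: %d\n", INT_MAX - 5, 10,
           append_size_needed(10, INT_MAX - 5));
    return 0;
}
```

The first call shows the pre-fix arithmetic wrapping once the buffer passes half of INT_MAX, which is the point where a realloc smaller than the data about to be copied becomes possible; the second and third show the fixed policy either choosing `min_size + 8` directly or refusing with -1, and the last shows the append guard refusing a length that cannot fit in an int buffer index.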
--- Begin Message ---
- To: Florian Ernst <florian_ernst@gmx.net>, 1036456-done@bugs.debian.org
- Subject: Re: Bug#1036456: unblock: libfastjson/1.2304.0-1
- From: Paul Gevers <elbrus@debian.org>
- Date: Tue, 23 May 2023 18:56:27 +0200
- Message-id: <13f152e9-11bb-0b7d-d8bc-ce8746106242@debian.org>
- In-reply-to: <ZGoVJxTle5w/A/W1@fernst.no-ip.org>
- References: <ZGoVJxTle5w/A/W1@fernst.no-ip.org>
Hi,

On 21-05-2023 14:57, Florian Ernst wrote:
> unblock libfastjson/1.2304.0-1

unblocked

Paul

Attachment: OpenPGP_signature
Description: OpenPGP digital signature
--- End Message ---