
Bug#1036456: marked as done (unblock: libfastjson/1.2304.0-1)



Your message dated Tue, 23 May 2023 18:56:27 +0200
with message-id <13f152e9-11bb-0b7d-d8bc-ce8746106242@debian.org>
and subject line Re: Bug#1036456: unblock: libfastjson/1.2304.0-1
has caused the Debian Bug report #1036456,
regarding unblock: libfastjson/1.2304.0-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1036456: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036456
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libfastjson@packages.debian.org, biebl@debian.org
Control: affects -1 + libfastjson

Please unblock package libfastjson

A new upstream version of libfastjson fixes a security bug
(CVE-2020-12762, #1035302). They also changed the release numbering,
hence the seemingly huge jump, but the actual diff is quite small.

[ Reason ]
"Prevent signed integer overflows with large buffers", as upstream
states inline, cf.
<https://security-tracker.debian.org/tracker/CVE-2020-12762>.
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035302>.

[ Impact ]
Without this change the above vulnerability remains. However, according
to upstream, rsyslog (the main and almost sole user of this library)
was not affected anyway due to size limits.

[ Tests ]
There is some coverage via upstream's tests/test_printbuf.c that is run
at build time. The code in question is also tested in json-c, cf.
<https://security-tracker.debian.org/tracker/CVE-2020-12762>.

[ Risks ]
Via rsyslog this library is a key package. However, the new code merely
adds some straightforward checks against signed integer overflows, which
are already part of json-c in buster, bullseye, bookworm, and sid, cf.
<https://security-tracker.debian.org/tracker/CVE-2020-12762>.
The new libfastjson release entered unstable 18 days ago, and so far
no bugs seem to have surfaced due to this change.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them (disclaimer below)
  [x] attach debdiff against the package in testing

I am not the package maintainer but merely the bug submitter. However,
Michael expressed he wouldn't object if I want to pursue this, cf.
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035302#19>.

unblock libfastjson/1.2304.0-1
diff -Nru libfastjson-0.99.9/ChangeLog libfastjson-1.2304.0/ChangeLog
--- libfastjson-0.99.9/ChangeLog	2021-01-25 13:52:55.000000000 +0100
+++ libfastjson-1.2304.0/ChangeLog	2023-04-17 15:51:20.000000000 +0200
@@ -1,3 +1,8 @@
+1.2304.0, 2023-04-18
+- change of release number scheme, now like rsyslog
+- fix Fix CVE-2020-12762
+  Note: the CVE did not affect rsyslog use due to size limits
+  Thanks to Wang Haitao for the patch.
 0.99.9 2021-01-26
 - add API fjson_object_get_uint()
   Thanks to Janmejay Singh for contributing the patch.
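Review bot: the third added line of the hunk reads "- fix Fix CVE-2020-12762", a duplicated word. Since this is upstream's ChangeLog it is not something the Debian packaging should carry a patch for, but it is worth reporting upstream so the next release reads "- fix CVE-2020-12762".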
diff -Nru libfastjson-0.99.9/configure libfastjson-1.2304.0/configure
--- libfastjson-0.99.9/configure	2021-01-25 13:53:09.000000000 +0100
+++ libfastjson-1.2304.0/configure	2023-04-17 15:54:00.000000000 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for libfastjson 0.99.9.
+# Generated by GNU Autoconf 2.69 for libfastjson 1.2304.0.
 #
 # Report bugs to <rsyslog@lists.adiscon.com>.
 #
@@ -590,8 +590,8 @@
 # Identity of this package.
 PACKAGE_NAME='libfastjson'
 PACKAGE_TARNAME='libfastjson'
-PACKAGE_VERSION='0.99.9'
-PACKAGE_STRING='libfastjson 0.99.9'
+PACKAGE_VERSION='1.2304.0'
+PACKAGE_STRING='libfastjson 1.2304.0'
 PACKAGE_BUGREPORT='rsyslog@lists.adiscon.com'
 PACKAGE_URL=''
 
@@ -1336,7 +1336,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures libfastjson 0.99.9 to adapt to many kinds of systems.
+\`configure' configures libfastjson 1.2304.0 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1407,7 +1407,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of libfastjson 0.99.9:";;
+     short | recursive ) echo "Configuration of libfastjson 1.2304.0:";;
    esac
   cat <<\_ACEOF
 
@@ -1525,7 +1525,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-libfastjson configure 0.99.9
+libfastjson configure 1.2304.0
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1948,7 +1948,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by libfastjson $as_me 0.99.9, which was
+It was created by libfastjson $as_me 1.2304.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2838,7 +2838,7 @@
 
 # Define the identity of the package.
  PACKAGE='libfastjson'
- VERSION='0.99.9'
+ VERSION='1.2304.0'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -15280,7 +15280,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by libfastjson $as_me 0.99.9, which was
+This file was extended by libfastjson $as_me 1.2304.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -15346,7 +15346,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-libfastjson config.status 0.99.9
+libfastjson config.status 1.2304.0
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru libfastjson-0.99.9/configure.ac libfastjson-1.2304.0/configure.ac
--- libfastjson-0.99.9/configure.ac	2021-01-25 13:52:55.000000000 +0100
+++ libfastjson-1.2304.0/configure.ac	2023-04-17 15:53:41.000000000 +0200
@@ -1,7 +1,7 @@
 AC_PREREQ(2.52)
 
 # Process this file with autoconf to produce a configure script.
-AC_INIT([libfastjson], [0.99.9], [rsyslog@lists.adiscon.com])
+AC_INIT([libfastjson], [1.2304.0], [rsyslog@lists.adiscon.com])
 # AIXPORT START: Detect the underlying OS
 unamestr=$(uname)
 AM_CONDITIONAL([AIX], [test x$unamestr = xAIX])
diff -Nru libfastjson-0.99.9/debian/changelog libfastjson-1.2304.0/debian/changelog
--- libfastjson-0.99.9/debian/changelog	2022-09-02 13:02:31.000000000 +0200
+++ libfastjson-1.2304.0/debian/changelog	2023-05-03 12:48:03.000000000 +0200
@@ -1,3 +1,13 @@
+libfastjson (1.2304.0-1) unstable; urgency=medium
+
+  * New upstream version 1.2304.0
+    - Fixes integer overflow and out-of-bounds write via a large JSON file.
+      This issue was originally found in the json-c library.
+      (CVE-2020-12762, Closes: #1035302)
+  * Bump Standards-Version to 4.6.2
+
+ -- Michael Biebl <biebl@debian.org>  Wed, 03 May 2023 12:48:03 +0200
+
 libfastjson (0.99.9-2) unstable; urgency=medium
 
   * Enable all hardening build flags
diff -Nru libfastjson-0.99.9/debian/control libfastjson-1.2304.0/debian/control
--- libfastjson-0.99.9/debian/control	2022-09-02 13:02:31.000000000 +0200
+++ libfastjson-1.2304.0/debian/control	2023-05-03 12:48:03.000000000 +0200
@@ -4,7 +4,7 @@
 Maintainer: Michael Biebl <biebl@debian.org>
 Build-Depends: debhelper-compat (= 13),
                pkg-config
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Rules-Requires-Root: no
 Vcs-Git: https://salsa.debian.org/debian/libfastjson.git
 Vcs-Browser: https://salsa.debian.org/debian/libfastjson
diff -Nru libfastjson-0.99.9/printbuf.c libfastjson-1.2304.0/printbuf.c
--- libfastjson-0.99.9/printbuf.c	2021-01-25 13:00:57.000000000 +0100
+++ libfastjson-1.2304.0/printbuf.c	2023-03-30 11:53:47.000000000 +0200
@@ -13,6 +13,7 @@
 
 #include "config.h"
 
+#include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -68,9 +69,16 @@
 	if (p->size >= min_size)
 		return 0;
 
-	new_size = p->size * 2;
-	if (new_size < min_size + 8)
-		new_size =  min_size + 8;
+	/* Prevent signed integer overflows with large buffers. */
+	if (min_size > INT_MAX - 8)
+		return -1;
+	if (p->size > INT_MAX / 2)
+		new_size = min_size + 8;
+	else {
+		new_size = p->size * 2;
+		if (new_size < min_size + 8)
+			new_size = min_size + 8;
+	}
 #ifdef PRINTBUF_DEBUG
 	MC_DEBUG("printbuf_memappend: realloc "
 	  "bpos=%d min_size=%d old_size=%d new_size=%d\n",
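Review bot: printbuf_extend() gains a failure path (`return -1` when `min_size > INT_MAX - 8`) that the pre-patch lines did not have, and nothing in the hunk documents it; add a note at the function's declaration that it returns -1 when the requested size cannot be represented as an int, so callers know to check the result. The arithmetic itself holds up: `min_size + 8` is covered by the first check, and the `p->size > INT_MAX / 2` branch avoids `p->size * 2` entirely, while INT_MAX / 2 rounds down so the boundary value still doubles without wrapping.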
@@ -85,6 +93,9 @@
 
 int printbuf_memappend(struct printbuf *p, const char *buf, int size)
 {
+	/* Prevent signed integer overflows with large buffers. */
+	if (size > INT_MAX - p->bpos - 1)
+		return -1;
 	if (p->size <= p->bpos + size + 1) {
 		if (printbuf_extend(p, p->bpos + size + 1) < 0)
 			return -1;
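Review bot: the new guard `if (size > INT_MAX - p->bpos - 1)` bounds `size` only from above; the parameter is declared `int`, so a negative value (a caller bug, or a length computed with signed arithmetic elsewhere) still passes and reaches `p->bpos + size + 1`. Consider `if (size < 0 || size > INT_MAX - p->bpos - 1) return -1;` so the function rejects it explicitly rather than relying on every caller. Otherwise the check is consistent with the printbuf_extend() hunk above.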
@@ -136,6 +147,9 @@
 
 	if (offset == -1)
 		offset = pb->bpos;
+	/* Prevent signed integer overflows with large buffers. */
+	if (len > INT_MAX - offset)
+		return -1;
 	size_needed = offset + len;
 	if (pb->size < size_needed)
 	{
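Review bot: the new check `if (len > INT_MAX - offset)` is itself only well-defined when `offset` is non-negative: the visible lines map `offset == -1` to `pb->bpos` but do not reject other negative values, and `INT_MAX - offset` overflows for any negative `offset`. Consider adding `offset < 0` (and `len < 0`) to the early return so the guard cannot overflow before it is evaluated.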



--- End Message ---
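As an added example (not libfastjson's, upstream's or the submitter's code), the growth arithmetic from the patched printbuf_extend() and the pre-check from printbuf_memappend() written as stand-alone functions, so the guards can be exercised at the INT_MAX boundary without a real buffer; the pre-patch formula is evaluated with compiler overflow builtins instead of being executed. Function names are assumed, and pb_append_fits() is stricter than the patch in that it also rejects negative values.

```c
/* Stand-alone model of the printbuf growth checks in the debdiff above.
 * Function names are assumed; this is illustration, not library code. */
#include <limits.h>
#include <stdbool.h>

/* Patched growth rule from printbuf_extend(): returns the new buffer size,
 * or -1 when satisfying min_size would overflow int. Mirrors the three
 * checks in the hunk: early return, min_size + 8 guard, p->size * 2 guard. */
int pb_grow_size(int cur_size, int min_size)
{
    int new_size;
    if (cur_size >= min_size)          /* already large enough */
        return cur_size;
    if (min_size > INT_MAX - 8)        /* min_size + 8 would overflow */
        return -1;
    if (cur_size > INT_MAX / 2) {      /* cur_size * 2 would overflow */
        new_size = min_size + 8;
    } else {
        new_size = cur_size * 2;
        if (new_size < min_size + 8)
            new_size = min_size + 8;
    }
    return new_size;
}

/* Pre-patch rule (new_size = p->size * 2, then compared against
 * min_size + 8), evaluated with checked arithmetic rather than letting the
 * signed overflow happen: true when either old expression would wrap. */
bool pb_old_grow_size_overflows(int cur_size, int min_size)
{
    int tmp;
    if (cur_size >= min_size)          /* old code returned early too */
        return false;
    if (__builtin_mul_overflow(cur_size, 2, &tmp))
        return true;
    return __builtin_add_overflow(min_size, 8, &tmp);
}

/* The printbuf_memappend() pre-check: true when bpos + size + 1 fits in
 * an int. Stricter than the patch: negative bpos or size is rejected too. */
bool pb_append_fits(int bpos, int size)
{
    return bpos >= 0 && size >= 0 && size <= INT_MAX - bpos - 1;
}
```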
--- Begin Message ---
Hi,

On 21-05-2023 14:57, Florian Ernst wrote:
unblock libfastjson/1.2304.0-1

unblocked

Paul



--- End Message ---
