Bug#1068633: bookworm-pu: package cjson/1.7.15-1+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cjson@packages.debian.org
Control: affects -1 + src:cjson
[ Reason ]
CVE-2023-50472, CVE-2023-50471
[ Impact ]
Segmentation violation via the function cJSON_InsertItemInArray at cJSON.c
[ Tests ]
Upstream's tests continue to pass, and they have also added new tests to
cover this security issue.
[ Risks ]
Minimal, no change to API. Only minimal changes were made to fix this
security issue.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
- Set myself as Maintainer (I am adopting the package, #1067510)
- Bump Standards-Version to 4.6.2
- Add Build-Depends-Package to symbols
- Backport upstream's patch to 'add NULL checkings'.
Upstream adds a few more if statements to avoid the segmentation
fault, and thus resolve the security vulnerability.
[ Other info ]
If you can spare the time, could you please upload this for me? (I need
a sponsor, #1068624.) I'm also still waiting for someone to give me
access to the Salsa repo.
Thanks,
Maytham
diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog
--- cjson-1.7.15/debian/changelog 2021-08-29 23:30:06.000000000 +0300
+++ cjson-1.7.15/debian/changelog 2024-04-03 06:57:10.000000000 +0300
@@ -1,3 +1,13 @@
+cjson (1.7.15-1+deb12u1) bookworm-security; urgency=medium
+
+ * Update Maintainer field
+ * Bump Standards-Version to 4.6.2 (no changes)
+ * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471)
+ (Closes: #1059287)
+ * Add Build-Depends-Package to symbols
+
+ -- Maytham Alsudany <maytha8thedev@gmail.com> Wed, 03 Apr 2024 06:57:10 +0300
+
cjson (1.7.15-1) unstable; urgency=medium
* New upstream release 1.7.15.
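Review bot: the new changelog entry targets `bookworm-security`, but this is a pu request to release.debian.org (Usertags: pu) rather than a security-team upload, so the distribution should be `bookworm` or the upload will be rejected or misrouted; change the first added line to `cjson (1.7.15-1+deb12u1) bookworm; urgency=medium`. The `+deb12u1` version suffix is correct for a stable update.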
diff -Nru cjson-1.7.15/debian/control cjson-1.7.15/debian/control
--- cjson-1.7.15/debian/control 2021-08-29 23:29:57.000000000 +0300
+++ cjson-1.7.15/debian/control 2024-04-03 06:38:29.000000000 +0300
@@ -1,10 +1,10 @@
Source: cjson
Section: libs
Priority: optional
-Maintainer: Boyuan Yang <byang@debian.org>
+Maintainer: Maytham Alsudany <maytha8thedev@gmail.com>
Build-Depends: cmake, debhelper-compat (= 13)
Rules-Requires-Root: no
-Standards-Version: 4.6.0
+Standards-Version: 4.6.2
Homepage: https://github.com/DaveGamble/cJSON
Vcs-Git: https://salsa.debian.org/debian/cjson.git
Vcs-Browser: https://salsa.debian.org/debian/cjson
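Review bot: the Standards-Version bump from 4.6.0 to 4.6.2 is unrelated to the CVE fix and adds churn to a stable update, where the release team asks for a minimal diff; the Maintainer change is at least justified by the adoption (#1067510) in the cover letter, but the Standards-Version line could be dropped from this upload and done in unstable instead.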
diff -Nru cjson-1.7.15/debian/gbp.conf cjson-1.7.15/debian/gbp.conf
--- cjson-1.7.15/debian/gbp.conf 1970-01-01 03:00:00.000000000 +0300
+++ cjson-1.7.15/debian/gbp.conf 2024-04-03 06:56:58.000000000 +0300
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = debian/bookworm
diff -Nru cjson-1.7.15/debian/libcjson1.symbols cjson-1.7.15/debian/libcjson1.symbols
--- cjson-1.7.15/debian/libcjson1.symbols 2021-08-29 23:28:57.000000000 +0300
+++ cjson-1.7.15/debian/libcjson1.symbols 2024-04-03 06:57:10.000000000 +0300
@@ -1,4 +1,5 @@
libcjson.so.1 libcjson1 #MINVER#
+* Build-Depends-Package: libcjson-dev
cJSON_AddArrayToObject@Base 1.7.5
cJSON_AddBoolToObject@Base 1.7.5
cJSON_AddFalseToObject@Base 1.7.5
diff -Nru cjson-1.7.15/debian/patches/0001-add-null-checkings.patch cjson-1.7.15/debian/patches/0001-add-null-checkings.patch
--- cjson-1.7.15/debian/patches/0001-add-null-checkings.patch 1970-01-01 03:00:00.000000000 +0300
+++ cjson-1.7.15/debian/patches/0001-add-null-checkings.patch 2024-04-03 06:51:36.000000000 +0300
@@ -0,0 +1,101 @@
+Origin: backport, https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8
+From: Peter Alfred Lee <peterlee@apache.com>
+Bug: https://github.com/DaveGamble/cJSON/issues/803
+Bug: https://github.com/DaveGamble/cJSON/issues/802
+Bug-Debian: https://bugs.debian.org/1059287
+Acked-by: Maytham Alsudany <maytha8thedev@gmail.com>
+Subject: [PATCH] add NULL checkings (#809)
+ * add NULL checks in cJSON_SetValuestring
+ Fixes #803(CVE-2023-50472)
+ .
+ * add NULL check in cJSON_InsertItemInArray
+ Fixes #802(CVE-2023-50471)
+ .
+ * add tests for NULL checks
+ add tests for NULL checks in cJSON_InsertItemInArray and cJSON_SetValuestring
+
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -401,7 +401,12 @@
+ {
+ char *copy = NULL;
+ /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */
+- if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference))
++ if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference))
++ {
++ return NULL;
++ }
++ /* return NULL if the object is corrupted */
++ if (object->valuestring == NULL)
+ {
+ return NULL;
+ }
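Review bot: keeping the `object->valuestring == NULL` guard in a second `if` after the combined `object == NULL` check is the right shape, since the first check must pass before `object` is dereferenced; what is missing is a documentation update, as the patch adds two new conditions under which cJSON_SetValuestring returns NULL (NULL object, NULL valuestring) without touching the function's comment in the public header. Add a short sentence there in the same patch so callers know NULL now means "rejected" as well as "not a string".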
+@@ -2260,7 +2265,7 @@
+ {
+ cJSON *after_inserted = NULL;
+
+- if (which < 0)
++ if (which < 0 || newitem == NULL)
+ {
+ return false;
+ }
+@@ -2271,6 +2276,11 @@
+ return add_item_to_array(array, newitem);
+ }
+
++ if (after_inserted != array->child && newitem->prev == NULL) {
++ /* return false if after_inserted is a corrupted array item */
++ return false;
++ }
++
+ newitem->next = after_inserted;
+ newitem->prev = after_inserted->prev;
+ after_inserted->prev = newitem;
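Review bot: the corruption check tests the wrong node. The comment says it rejects a corrupted `after_inserted`, and the pointer that the next lines copy and link through is `after_inserted->prev` (`newitem->prev = after_inserted->prev;`), yet the condition reads `newitem->prev == NULL`. A freshly created `newitem` always has `prev == NULL`, so this refuses every legitimate insertion at a non-head index of an intact array, while a corrupted `after_inserted` whose `prev` is NULL still passes through to the linking code the check was meant to protect. Suggested: `if (after_inserted != array->child && after_inserted->prev == NULL) {`. The new assertion `TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item));` in the tests hunk passes under either condition, so it does not catch this.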
+--- a/tests/misc_tests.c
++++ b/tests/misc_tests.c
+@@ -353,6 +353,19 @@
+ {
+ char buffer[10];
+ cJSON *item = cJSON_CreateString("item");
++ cJSON *array = cJSON_CreateArray();
++ cJSON *item1 = cJSON_CreateString("item1");
++ cJSON *item2 = cJSON_CreateString("corrupted array item3");
++ cJSON *corruptedString = cJSON_CreateString("corrupted");
++ struct cJSON *originalPrev;
++
++ add_item_to_array(array, item1);
++ add_item_to_array(array, item2);
++
++ originalPrev = item2->prev;
++ item2->prev = NULL;
++ free(corruptedString->valuestring);
++ corruptedString->valuestring = NULL;
+
+ cJSON_InitHooks(NULL);
+ TEST_ASSERT_NULL(cJSON_Parse(NULL));
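Review bot: `free(corruptedString->valuestring)` bypasses cJSON's allocator hooks; it only works here because `cJSON_InitHooks(NULL)` on the line after it leaves the default allocator in place. Use `cJSON_free(corruptedString->valuestring)` so the fixture stays correct if hooks are ever configured earlier in the test. Minor style: `struct cJSON *originalPrev;` should be `cJSON *originalPrev;` to match the surrounding declarations.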
+@@ -412,6 +425,8 @@
+ cJSON_DeleteItemFromObject(item, NULL);
+ cJSON_DeleteItemFromObjectCaseSensitive(NULL, "item");
+ cJSON_DeleteItemFromObjectCaseSensitive(item, NULL);
++ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 0, NULL));
++ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item));
+ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(NULL, 0, item));
+ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(item, 0, NULL));
+ TEST_ASSERT_FALSE(cJSON_ReplaceItemViaPointer(NULL, item, item));
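Review bot: both added assertions only exercise rejection paths; nothing asserts that a valid insertion still succeeds after the change. Add a positive case on a separate intact array (insert a fresh item at index 1, `TEST_ASSERT_TRUE` on the return value, then check that the first element's `next` is the new item). Without it, `cJSON_InsertItemInArray(array, 1, item)` returning false cannot distinguish "rejected because item2 is corrupted" from "rejected because the new item's own `prev` is NULL".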
+@@ -428,10 +443,16 @@
+ TEST_ASSERT_NULL(cJSON_Duplicate(NULL, true));
+ TEST_ASSERT_FALSE(cJSON_Compare(item, NULL, false));
+ TEST_ASSERT_FALSE(cJSON_Compare(NULL, item, false));
++ TEST_ASSERT_NULL(cJSON_SetValuestring(NULL, "test"));
++ TEST_ASSERT_NULL(cJSON_SetValuestring(corruptedString, "test"));
+ cJSON_Minify(NULL);
+ /* skipped because it is only used via a macro that checks for NULL */
+ /* cJSON_SetNumberHelper(NULL, 0); */
+
++ /* restore corrupted item2 to delete it */
++ item2->prev = originalPrev;
++ cJSON_Delete(corruptedString);
++ cJSON_Delete(array);
+ cJSON_Delete(item);
+ }
+
diff -Nru cjson-1.7.15/debian/patches/series cjson-1.7.15/debian/patches/series
--- cjson-1.7.15/debian/patches/series 1970-01-01 03:00:00.000000000 +0300
+++ cjson-1.7.15/debian/patches/series 2024-04-03 06:40:03.000000000 +0300
@@ -0,0 +1 @@
+0001-add-null-checkings.patch