
Bug#1068633: bookworm-pu: package cjson/1.7.15-1+deb12u1



Hi,

Disclaimer: this is not an authoritative answer, as I'm not part of the
stable release managers.

On Mon, Apr 08, 2024 at 12:27:50PM +0300, Maytham Alsudany wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: cjson@packages.debian.org
> Control: affects -1 + src:cjson
> 
> [ Reason ]
> CVE-2023-50472, CVE-2023-50471
> 
> [ Impact ]
> Segmentation violation via the function cJSON_InsertItemInArray at cJSON.c
> 
> [ Tests ]
> Upstream's tests continue to pass, and they have also added new tests to
> cover this security issue.
> 
> [ Risks ]
> Minimal, no change to API. Only minimal changes were made to fix this
> security issue.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> - Set myself as Maintainer (I am adopting the package, #1067510)
> - Bump Standards-Version to 4.6.2
> - Add Build-Depends-Package to symbols
> - Backport upstream's patch to 'add NULL checkings'.
>   Upstream adds a few more if statements to avoid the segmentation
>   fault, and thus resolve the security vulnerability.
> 
> [ Other info ]
> If you can spare the time, could you please upload this for me? (I need
> a sponsor, #1068624.) I'm also still waiting for someone to give me
> access to the Salsa repo.
> 
> Thanks,
> Maytham

> diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog
> --- cjson-1.7.15/debian/changelog	2021-08-29 23:30:06.000000000 +0300
> +++ cjson-1.7.15/debian/changelog	2024-04-03 06:57:10.000000000 +0300
> @@ -1,3 +1,13 @@
> +cjson (1.7.15-1+deb12u1) bookworm-security; urgency=medium

The target distribution should be simply bookworm.

> +
> +  * Update Maintainer field
> +  * Bump Standards-Version to 4.6.2 (no changes)

This is usually not allowed in a stable update.

> +  * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471)
> +    (Closes: #1059287)
> +  * Add Build-Depends-Package to symbols
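Review bot: the entry `+  * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471)` does not say which code the backport touches; since the request names cJSON_InsertItemInArray as the crash site, naming that function (or the patch file under debian/patches) in the changelog would make the stable update easier to audit against the two CVEs, and "NULL checks" reads better than "NULL checkings".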

While this might be sensible, I'm not sure if SRM will accept it.

So you might want to adjust the things above already and seek an
ack from SRM.

Regards,
Salvatore
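
The fix the quoted request describes (extra NULL checks before the array insert dereferences its neighbours) as a constructed, stand-alone C model of an array insert; this is an added illustration, not cJSON's code, and `node`, `insert_item` and the helpers are invented names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
/* Constructed stand-in for a cJSON array node: a parent whose children
 * form a doubly linked list. Not cJSON's code; names are invented. */
typedef struct node {
    struct node *next, *prev, *child;
    int value;
} node;

node *make_node(int value)
{
    node *n = calloc(1, sizeof *n);   /* all links start out NULL */
    if (n != NULL) n->value = value;
    return n;
}

node *get_item(node *array, size_t which)
{
    node *cur = array->child;
    while (cur != NULL && which-- > 0) cur = cur->next;
    return cur;
}

static bool append_item(node *array, node *item)
{
    node *last = array->child;
    item->next = NULL;
    if (last == NULL) { item->prev = NULL; array->child = item; return true; }
    while (last->next != NULL) last = last->next;
    last->next = item;
    item->prev = last;
    return true;
}

/* Insert `item` before index `which`. Every pointer dereferenced below is
 * checked first; a non-head child with a NULL prev link (inconsistent
 * list) makes the call fail instead of dereferencing NULL. */
bool insert_item(node *array, int which, node *item)
{
    node *after;
    if (array == NULL || item == NULL || which < 0) return false;
    after = get_item(array, (size_t)which);
    if (after == NULL) return append_item(array, item);   /* index past end */
    if (after != array->child && after->prev == NULL) return false;
    item->next = after;
    item->prev = after->prev;
    after->prev = item;
    if (after == array->child) array->child = item;
    else item->prev->next = item;
    return true;
}
```

Without the guard on `after->prev`, the `else` branch would write through a NULL pointer for exactly the malformed input the test below constructs.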

