Hi Salvatore, On Mon, 2024-04-08 at 21:13 +0200, Salvatore Bonaccorso wrote: > > diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog > > --- cjson-1.7.15/debian/changelog 2021-08-29 23:30:06.000000000 +0300 > > +++ cjson-1.7.15/debian/changelog 2024-04-03 06:57:10.000000000 +0300 > > @@ -1,3 +1,13 @@ > > +cjson (1.7.15-1+deb12u1) bookworm-security; urgency=medium > > The target distribution should be simply bookworm. I had already changed that but forgot to update the debdiff :) > > + > > + * Update Maintainer field > > + * Bump Standards-Version to 4.6.2 (no changes) > > This is usually not allowed to do in a stable update. > > > + * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471) > > + (Closes: #1059287) > > + * Add Build-Depends-Package to symbols > > While this might be sensible, I'm not sure if SRM will accept it. > > So you might want to adjust already the things above and seek for an > ack from SRM. Thank you for your feedback, attached is a revised debdiff. Kind regards, Maytham
diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog
--- cjson-1.7.15/debian/changelog 2021-08-29 23:30:06.000000000 +0300
+++ cjson-1.7.15/debian/changelog 2024-04-09 04:30:29.000000000 +0300
@@ -1,3 +1,11 @@
+cjson (1.7.15-1+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471)
+ (Closes: #1059287)
+
+ -- Maytham Alsudany <maytha8thedev@gmail.com> Tue, 09 Apr 2024 04:30:29 +0300
+
cjson (1.7.15-1) unstable; urgency=medium
* New upstream release 1.7.15.
diff -Nru cjson-1.7.15/debian/gbp.conf cjson-1.7.15/debian/gbp.conf
--- cjson-1.7.15/debian/gbp.conf 1970-01-01 03:00:00.000000000 +0300
+++ cjson-1.7.15/debian/gbp.conf 2024-04-09 04:29:47.000000000 +0300
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = debian/bookworm
diff -Nru cjson-1.7.15/debian/patches/0001-add-null-checkings.patch cjson-1.7.15/debian/patches/0001-add-null-checkings.patch
--- cjson-1.7.15/debian/patches/0001-add-null-checkings.patch 1970-01-01 03:00:00.000000000 +0300
+++ cjson-1.7.15/debian/patches/0001-add-null-checkings.patch 2024-04-09 04:29:47.000000000 +0300
@@ -0,0 +1,101 @@
+Origin: backport, https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8
+From: Peter Alfred Lee <peterlee@apache.com>
+Bug: https://github.com/DaveGamble/cJSON/issues/803
+Bug: https://github.com/DaveGamble/cJSON/issues/802
+Bug-Debian: https://bugs.debian.org/1059287
+Acked-by: Maytham Alsudany <maytha8thedev@gmail.com>
+Subject: [PATCH] add NULL checkings (#809)
+ * add NULL checks in cJSON_SetValuestring
+ Fixes #803(CVE-2023-50472)
+ .
+ * add NULL check in cJSON_InsertItemInArray
+ Fixes #802(CVE-2023-50471)
+ .
+ * add tests for NULL checks
+ add tests for NULL checks in cJSON_InsertItemInArray and cJSON_SetValuestring
+
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -401,7 +401,12 @@
+ {
+ char *copy = NULL;
+ /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */
+- if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference))
++ if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference))
++ {
++ return NULL;
++ }
++ /* return NULL if the object is corrupted */
++ if (object->valuestring == NULL)
+ {
+ return NULL;
+ }
+@@ -2260,7 +2265,7 @@
+ {
+ cJSON *after_inserted = NULL;
+
+- if (which < 0)
++ if (which < 0 || newitem == NULL)
+ {
+ return false;
+ }
+@@ -2271,6 +2276,11 @@
+ return add_item_to_array(array, newitem);
+ }
+
++ if (after_inserted != array->child && newitem->prev == NULL) {
++ /* return false if after_inserted is a corrupted array item */
++ return false;
++ }
++
+ newitem->next = after_inserted;
+ newitem->prev = after_inserted->prev;
+ after_inserted->prev = newitem;
+--- a/tests/misc_tests.c
++++ b/tests/misc_tests.c
+@@ -353,6 +353,19 @@
+ {
+ char buffer[10];
+ cJSON *item = cJSON_CreateString("item");
++ cJSON *array = cJSON_CreateArray();
++ cJSON *item1 = cJSON_CreateString("item1");
++ cJSON *item2 = cJSON_CreateString("corrupted array item3");
++ cJSON *corruptedString = cJSON_CreateString("corrupted");
++ struct cJSON *originalPrev;
++
++ add_item_to_array(array, item1);
++ add_item_to_array(array, item2);
++
++ originalPrev = item2->prev;
++ item2->prev = NULL;
++ free(corruptedString->valuestring);
++ corruptedString->valuestring = NULL;
+
+ cJSON_InitHooks(NULL);
+ TEST_ASSERT_NULL(cJSON_Parse(NULL));
+@@ -412,6 +425,8 @@
+ cJSON_DeleteItemFromObject(item, NULL);
+ cJSON_DeleteItemFromObjectCaseSensitive(NULL, "item");
+ cJSON_DeleteItemFromObjectCaseSensitive(item, NULL);
++ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 0, NULL));
++ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item));
+ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(NULL, 0, item));
+ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(item, 0, NULL));
+ TEST_ASSERT_FALSE(cJSON_ReplaceItemViaPointer(NULL, item, item));
+@@ -428,10 +443,16 @@
+ TEST_ASSERT_NULL(cJSON_Duplicate(NULL, true));
+ TEST_ASSERT_FALSE(cJSON_Compare(item, NULL, false));
+ TEST_ASSERT_FALSE(cJSON_Compare(NULL, item, false));
++ TEST_ASSERT_NULL(cJSON_SetValuestring(NULL, "test"));
++ TEST_ASSERT_NULL(cJSON_SetValuestring(corruptedString, "test"));
+ cJSON_Minify(NULL);
+ /* skipped because it is only used via a macro that checks for NULL */
+ /* cJSON_SetNumberHelper(NULL, 0); */
+
++ /* restore corrupted item2 to delete it */
++ item2->prev = originalPrev;
++ cJSON_Delete(corruptedString);
++ cJSON_Delete(array);
+ cJSON_Delete(item);
+ }
+
diff -Nru cjson-1.7.15/debian/patches/series cjson-1.7.15/debian/patches/series
--- cjson-1.7.15/debian/patches/series 1970-01-01 03:00:00.000000000 +0300
+++ cjson-1.7.15/debian/patches/series 2024-04-09 04:29:47.000000000 +0300
@@ -0,0 +1 @@
+0001-add-null-checkings.patch
Attachment:
signature.asc
Description: This is a digitally signed message part