Bug#1074090: bullseye-pu: package cjson/1.7.14-1+deb11u1

[Maytham Alsudany <maytha8thedev@gmail.com>]

Package: release.debian.org
Control: affects -1 + src:cjson
X-Debbugs-Cc: cjson@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: bullseye
Severity: normal

[ Reason ]
CVE-2023-50472, CVE-2023-50471, CVE-2024-31755

[ Impact ]
Segmentation violation via the function cJSON_InsertItemInArray at cJSON.c
Segmentation violation via the cJSON_SetValuestring function.
If the valuestring passed to cJSON_SetValuestring is NULL, a null
pointer dereference will happen, which can potentially cause denial of
service (DOS).

[ Tests ]
Upstream's tests continue to pass, and they have also added new tests to cover
the first two CVEs.

[ Risks ]
Patches are minimal, no change to API.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
  * Backport patch to add NULL checks to cJSON_SetValuestring and
    cJSON_InsertItemInArray (CVE-2023-50472, CVE-2023-50471, CVE-2024-31755)
    (Closes: #1059287, #1071742)

[ Other info ]
Security team have marked these security bugs as no-dsa.

-- 
Maytham Alsudany
Debian Maintainer

maytham @ OFTC
maytha8 @ Libera

diff -Nru cjson-1.7.14/debian/changelog cjson-1.7.14/debian/changelog
--- cjson-1.7.14/debian/changelog	2020-09-06 22:48:14.000000000 +0800
+++ cjson-1.7.14/debian/changelog	2024-06-23 15:27:49.000000000 +0800
@@ -1,3 +1,12 @@
+cjson (1.7.14-1+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport patch to add NULL checks to cJSON_SetValuestring and
+    cJSON_InsertItemInArray (CVE-2023-50472, CVE-2023-50471, CVE-2024-31755)
+    (Closes: #1059287, #1071742)
+
+ -- Maytham Alsudany <maytha8thedev@gmail.com>  Sun, 23 Jun 2024 15:27:49 +0800
+
 cjson (1.7.14-1) unstable; urgency=medium
 
   * New upstream release 1.7.14.
diff -Nru cjson-1.7.14/debian/gbp.conf cjson-1.7.14/debian/gbp.conf
--- cjson-1.7.14/debian/gbp.conf	1970-01-01 08:00:00.000000000 +0800
+++ cjson-1.7.14/debian/gbp.conf	2024-06-23 14:56:13.000000000 +0800
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = debian/bullseye
diff -Nru cjson-1.7.14/debian/patches/0001-add-null-checkings.patch cjson-1.7.14/debian/patches/0001-add-null-checkings.patch
--- cjson-1.7.14/debian/patches/0001-add-null-checkings.patch	1970-01-01 08:00:00.000000000 +0800
+++ cjson-1.7.14/debian/patches/0001-add-null-checkings.patch	2024-06-23 14:56:05.000000000 +0800
@@ -0,0 +1,101 @@
+Origin: backport, https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8
+From: Peter Alfred Lee <peterlee@apache.com>
+Bug: https://github.com/DaveGamble/cJSON/issues/803
+Bug: https://github.com/DaveGamble/cJSON/issues/802
+Bug-Debian: https://bugs.debian.org/1059287
+Acked-by: Maytham Alsudany <maytha8thedev@gmail.com>
+Subject: [PATCH] add NULL checkings (#809)
+ * add NULL checks in cJSON_SetValuestring
+ Fixes #803(CVE-2023-50472)
+ .
+ * add NULL check in cJSON_InsertItemInArray
+ Fixes #802(CVE-2023-50471)
+ .
+ * add tests for NULL checks
+ add tests for NULL checks in cJSON_InsertItemInArray and cJSON_SetValuestring
+
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -397,7 +397,12 @@
+ {
+     char *copy = NULL;
+     /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */
+-    if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference))
++    if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference))
++    {
++        return NULL;
++    }
++    /* return NULL if the object is corrupted */
++    if (object->valuestring == NULL)
+     {
+         return NULL;
+     }
+@@ -2258,7 +2263,7 @@
+ {
+     cJSON *after_inserted = NULL;
+ 
+-    if (which < 0)
++    if (which < 0 || newitem == NULL)
+     {
+         return false;
+     }
+@@ -2269,6 +2274,11 @@
+         return add_item_to_array(array, newitem);
+     }
+ 
++    if (after_inserted != array->child && newitem->prev == NULL) {
++        /* return false if after_inserted is a corrupted array item */
++        return false;
++    }
++
+     newitem->next = after_inserted;
+     newitem->prev = after_inserted->prev;
+     after_inserted->prev = newitem;
+--- a/tests/misc_tests.c
++++ b/tests/misc_tests.c
+@@ -353,6 +353,19 @@
+ {
+     char buffer[10];
+     cJSON *item = cJSON_CreateString("item");
++    cJSON *array = cJSON_CreateArray();
++    cJSON *item1 = cJSON_CreateString("item1");
++    cJSON *item2 = cJSON_CreateString("corrupted array item3");
++    cJSON *corruptedString = cJSON_CreateString("corrupted");
++    struct cJSON *originalPrev;
++
++    add_item_to_array(array, item1);
++    add_item_to_array(array, item2);
++
++    originalPrev = item2->prev;
++    item2->prev = NULL;
++    free(corruptedString->valuestring);
++    corruptedString->valuestring = NULL;
+ 
+     cJSON_InitHooks(NULL);
+     TEST_ASSERT_NULL(cJSON_Parse(NULL));
+@@ -412,6 +425,8 @@
+     cJSON_DeleteItemFromObject(item, NULL);
+     cJSON_DeleteItemFromObjectCaseSensitive(NULL, "item");
+     cJSON_DeleteItemFromObjectCaseSensitive(item, NULL);
++    TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 0, NULL));
++    TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item));
+     TEST_ASSERT_FALSE(cJSON_InsertItemInArray(NULL, 0, item));
+     TEST_ASSERT_FALSE(cJSON_InsertItemInArray(item, 0, NULL));
+     TEST_ASSERT_FALSE(cJSON_ReplaceItemViaPointer(NULL, item, item));
+@@ -428,10 +443,16 @@
+     TEST_ASSERT_NULL(cJSON_Duplicate(NULL, true));
+     TEST_ASSERT_FALSE(cJSON_Compare(item, NULL, false));
+     TEST_ASSERT_FALSE(cJSON_Compare(NULL, item, false));
++    TEST_ASSERT_NULL(cJSON_SetValuestring(NULL, "test"));
++    TEST_ASSERT_NULL(cJSON_SetValuestring(corruptedString, "test"));
+     cJSON_Minify(NULL);
+     /* skipped because it is only used via a macro that checks for NULL */
+     /* cJSON_SetNumberHelper(NULL, 0); */
+ 
++    /* restore corrupted item2 to delete it */
++    item2->prev = originalPrev;
++    cJSON_Delete(corruptedString);
++    cJSON_Delete(array);
+     cJSON_Delete(item);
+ }
+ 
diff -Nru cjson-1.7.14/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch cjson-1.7.14/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch
--- cjson-1.7.14/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch	1970-01-01 08:00:00.000000000 +0800
+++ cjson-1.7.14/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch	2024-06-23 14:56:05.000000000 +0800
@@ -0,0 +1,23 @@
+Origin: backport, https://github.com/DaveGamble/cJSON/commit/7e4d5dabe7a9b754c601f214e65b544e67ba9f59
+From: Up-wind <lj.upwind@gmail.com>
+Bug: https://github.com/DaveGamble/cJSON/issues/839
+Bug-Debian: https://bugs.debian.org/1071742
+Acked-by: Maytham Alsudany <maytha8thedev@gmail.com>
+Subject: [PATCH] Add NULL check to cJSON_SetValuestring()
+ If the valuestring passed to cJSON_SetValuestring is NULL, a null pointer
+ dereference will happen. This patch adds the NULL check of valuestring before
+ it is dereferenced.
+ .
+ Fix for CVE-2024-31755.
+
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -402,7 +402,7 @@
+         return NULL;
+     }
+     /* return NULL if the object is corrupted */
+-    if (object->valuestring == NULL)
++    if (object->valuestring == NULL || valuestring == NULL)
+     {
+         return NULL;
+     }
diff -Nru cjson-1.7.14/debian/patches/series cjson-1.7.14/debian/patches/series
--- cjson-1.7.14/debian/patches/series	1970-01-01 08:00:00.000000000 +0800
+++ cjson-1.7.14/debian/patches/series	2024-06-23 14:53:00.000000000 +0800
@@ -0,0 +1,2 @@
+0001-add-null-checkings.patch
+0002-add-null-check-to-cjson-setvaluestring.patch

Attachment: signature.asc
Description: This is a digitally signed message part