Bug#1074088: marked as done (bookworm-pu: package cjson/1.7.15-1+deb12u2)

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Bug#1074088: marked as done (bookworm-pu: package cjson/1.7.15-1+deb12u2)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 09 Nov 2024 10:54:02 +0000
Message-id: <[🔎] handler.1074088.D1074088.17311494771069134.ackdone@bugs.debian.org>
Reply-to: 1074088@bugs.debian.org
References: <b0a29248bc631362ed06a8879f93b8cdae5414d0.camel@adam-barratt.org.uk> <526942409bc780f5a9bed56fb34c505b4b69e441.camel@gmail.com>

Your message dated Sat, 09 Nov 2024 10:51:02 +0000
with message-id <b0a29248bc631362ed06a8879f93b8cdae5414d0.camel@adam-barratt.org.uk>
and subject line Closing bugs released with 12.8
has caused the Debian Bug report #1074088,
regarding bookworm-pu: package cjson/1.7.15-1+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1074088: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074088
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: submit@bugs.debian.org
Subject: bookworm-pu: package cjson/1.7.15-1+deb12u2
From: Maytham Alsudany <maytha8thedev@gmail.com>
Date: Sun, 23 Jun 2024 14:47:03 +0800
Message-id: <526942409bc780f5a9bed56fb34c505b4b69e441.camel@gmail.com>

Package: release.debian.org
Control: affects -1 + src:cjson
X-Debbugs-Cc: cjson@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal

[ Reason ]
CVE-2024-31755

[ Impact ]
Segmentation violation via the cJSON_SetValuestring function.
If the valuestring passed to cJSON_SetValuestring is NULL, a null
pointer dereference will happen, which can potentially cause denial of
service (DOS).

[ Tests ]
Upstream's tests continue to pass, no new tests were added since this is
a trivial change.

[ Risks ]
Minimal risk as the patch is trivial and only changes 1 line to fix this
security issue.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
  * Backport patch to add NULL check to cJSON_SetValuestring (CVE-2024-31755)
    (Closes: #1071742)

[ Other info ]
Security team have marked it no-dsa.

-- 
Maytham Alsudany
Debian Maintainer

maytham @ OFTC
maytha8 @ Libera

diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog
--- cjson-1.7.15/debian/changelog	2024-04-09 09:30:29.000000000 +0800
+++ cjson-1.7.15/debian/changelog	2024-06-23 14:27:41.000000000 +0800
@@ -1,3 +1,11 @@
+cjson (1.7.15-1+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport patch to add NULL check to cJSON_SetValuestring (CVE-2024-31755)
+    (Closes: #1071742)
+
+ -- Maytham Alsudany <maytha8thedev@gmail.com>  Sun, 23 Jun 2024 14:27:41 +0800
+
 cjson (1.7.15-1+deb12u1) bookworm; urgency=medium
 
   * Non-maintainer upload.
diff -Nru cjson-1.7.15/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch cjson-1.7.15/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch
--- cjson-1.7.15/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch	1970-01-01 08:00:00.000000000 +0800
+++ cjson-1.7.15/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch	2024-06-23 14:27:41.000000000 +0800
@@ -0,0 +1,23 @@
+Origin: backport, https://github.com/DaveGamble/cJSON/commit/7e4d5dabe7a9b754c601f214e65b544e67ba9f59
+From: Up-wind <lj.upwind@gmail.com>
+Bug: https://github.com/DaveGamble/cJSON/issues/839
+Bug-Debian: https://bugs.debian.org/1071742
+Acked-by: Maytham Alsudany <maytha8thedev@gmail.com>
+Subject: [PATCH] Add NULL check to cJSON_SetValuestring()
+ If the valuestring passed to cJSON_SetValuestring is NULL, a null pointer
+ dereference will happen. This patch adds the NULL check of valuestring before
+ it is dereferenced.
+ .
+ Fix for CVE-2024-31755.
+
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -406,7 +406,7 @@ CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
+         return NULL;
+     }
+     /* return NULL if the object is corrupted */
+-    if (object->valuestring == NULL)
++    if (object->valuestring == NULL || valuestring == NULL)
+     {
+         return NULL;
+     }
diff -Nru cjson-1.7.15/debian/patches/series cjson-1.7.15/debian/patches/series
--- cjson-1.7.15/debian/patches/series	2024-04-09 09:29:47.000000000 +0800
+++ cjson-1.7.15/debian/patches/series	2024-06-23 14:27:41.000000000 +0800
@@ -1 +1,2 @@
 0001-add-null-checkings.patch
+0002-add-null-check-to-cjson-setvaluestring.patch

Attachment: signature.asc
Description: This is a digitally signed message part

--- End Message ---

--- Begin Message ---

To: 1074088-done@bugs.debian.org, 1074126-done@bugs.debian.org, 1076473-done@bugs.debian.org, 1077668-done@bugs.debian.org, 1079689-done@bugs.debian.org, 1079733-done@bugs.debian.org, 1080363-done@bugs.debian.org, 1080402-done@bugs.debian.org, 1080968-done@bugs.debian.org, 1081034-done@bugs.debian.org, 1081035-done@bugs.debian.org, 1081169-done@bugs.debian.org, 1081317-done@bugs.debian.org, 1081343-done@bugs.debian.org, 1081388-done@bugs.debian.org, 1081389-done@bugs.debian.org, 1081394-done@bugs.debian.org, 1081399-done@bugs.debian.org, 1081410-done@bugs.debian.org, 1081413-done@bugs.debian.org, 1081418-done@bugs.debian.org, 1081750-done@bugs.debian.org, 1082024-done@bugs.debian.org, 1082153-done@bugs.debian.org, 1082155-done@bugs.debian.org, 1082322-done@bugs.debian.org, 1082701-done@bugs.debian.org, 1082710-done@bugs.debian.org, 1082746-done@bugs.debian.org, 1082783-done@bugs.debian.org, 1082902-done@bugs.debian.org, 1082935-done@bugs.debian.org, 1083026-done@bugs.debian.org, 1083090-done@bugs.debian.org, 1083162-done@bugs.debian.org, 1083223-done@bugs.debian.org, 1084171-done@bugs.debian.org, 1084845-done@bugs.debian.org, 1084907-done@bugs.debian.org, 1085026-done@bugs.debian.org, 1085176-done@bugs.debian.org, 1085227-done@bugs.debian.org, 1085281-done@bugs.debian.org, 1085430-done@bugs.debian.org, 1085591-done@bugs.debian.org, 1085708-done@bugs.debian.org, 1085711-done@bugs.debian.org, 1085965-done@bugs.debian.org, 1086116-done@bugs.debian.org, 1086149-done@bugs.debian.org, 1086151-done@bugs.debian.org, 1086154-done@bugs.debian.org, 1086157-done@bugs.debian.org, 1086163-done@bugs.debian.org, 1086164-done@bugs.debian.org, 1086193-done@bugs.debian.org, 1086207-done@bugs.debian.org, 1086601-done@bugs.debian.org, 1086611-done@bugs.debian.org, 1086613-done@bugs.debian.org, 1086632-done@bugs.debian.org, 1081535-done@bugs.debian.org

Subject: Closing bugs released with 12.8

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Sat, 09 Nov 2024 10:51:02 +0000

Message-id: <b0a29248bc631362ed06a8879f93b8cdae5414d0.camel@adam-barratt.org.uk>
Source: release.debian.org
Version: 12.8

Hi,

Each of the updates tracked by these bugs was included in today's 12.8
bookworm point release.

Regards,

Adam
--- End Message ---

Reply to:

Prev by Date: Bug#1068106: bookworm-pu: package libarchive/3.6.2-1+deb12u1
Next by Date: Bug#1074126: marked as done (bookworm-pu: ntfs-3g/1:2022.10.3-1+deb12u1)
Previous by thread: Bug#1068106: bookworm-pu: package libarchive/3.6.2-1+deb12u1
Next by thread: Bug#1074126: marked as done (bookworm-pu: ntfs-3g/1:2022.10.3-1+deb12u1)
Index(es):
- Date
- Thread