Hi Salvatore,
On Mon, 2024-04-08 at 21:13 +0200, Salvatore Bonaccorso wrote:
> > diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog
> > --- cjson-1.7.15/debian/changelog 2021-08-29 23:30:06.000000000 +0300
> > +++ cjson-1.7.15/debian/changelog 2024-04-03 06:57:10.000000000 +0300
> > @@ -1,3 +1,13 @@
> > +cjson (1.7.15-1+deb12u1) bookworm-security; urgency=medium
>
> The target distribution should be simply bookworm.
I had already changed that but forgot to update the debdiff :)
> > +
> > + * Update Maintainer field
> > + * Bump Standards-Version to 4.6.2 (no changes)
> This is usually not allowed to do in a stable update.
>
> > + * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471)
> > + (Closes: #1059287)
> > + * Add Build-Depends-Package to symbols
> While this might be sensible, I'm not sure if SRM will accept it.
>
> So you might want to adjust already the things above and seek for an
> ack from SRM.
Thank you for your feedback, attached is a revised debdiff.
Kind regards,
Maytham
diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog
--- cjson-1.7.15/debian/changelog 2021-08-29 23:30:06.000000000 +0300
+++ cjson-1.7.15/debian/changelog 2024-04-09 04:30:29.000000000 +0300
@@ -1,3 +1,11 @@
+cjson (1.7.15-1+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471)
+ (Closes: #1059287)
+
+ -- Maytham Alsudany <maytha8the...@gmail.com> Tue, 09 Apr 2024 04:30:29 +0300
+
 cjson (1.7.15-1) unstable; urgency=medium
 
 * New upstream release 1.7.15.
diff -Nru cjson-1.7.15/debian/gbp.conf cjson-1.7.15/debian/gbp.conf
--- cjson-1.7.15/debian/gbp.conf 1970-01-01 03:00:00.000000000 +0300
+++ cjson-1.7.15/debian/gbp.conf 2024-04-09 04:29:47.000000000 +0300
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = debian/bookworm
diff -Nru cjson-1.7.15/debian/patches/0001-add-null-checkings.patch cjson-1.7.15/debian/patches/0001-add-null-checkings.patch
--- cjson-1.7.15/debian/patches/0001-add-null-checkings.patch 1970-01-01 03:00:00.000000000 +0300
+++ cjson-1.7.15/debian/patches/0001-add-null-checkings.patch 2024-04-09 04:29:47.000000000 +0300
@@ -0,0 +1,101 @@
+Origin: backport, https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8
+From: Peter Alfred Lee <peter...@apache.com>
+Bug: https://github.com/DaveGamble/cJSON/issues/803
+Bug: https://github.com/DaveGamble/cJSON/issues/802
+Bug-Debian: https://bugs.debian.org/1059287
+Acked-by: Maytham Alsudany <maytha8the...@gmail.com>
+Subject: [PATCH] add NULL checkings (#809)
+ * add NULL checks in cJSON_SetValuestring
+ Fixes #803(CVE-2023-50472)
+ .
+ * add NULL check in cJSON_InsertItemInArray
+ Fixes #802(CVE-2023-50471)
+ .
+ * add tests for NULL checks
+ add tests for NULL checks in cJSON_InsertItemInArray and cJSON_SetValuestring
+
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -401,7 +401,12 @@
+ {
+ char *copy = NULL;
+ /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */
+- if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference))
++ if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference))
++ {
++ return NULL;
++ }
++ /* return NULL if the object is corrupted */
++ if (object->valuestring == NULL)
+ {
+ return NULL;
+ }
+@@ -2260,7 +2265,7 @@
+ {
+ cJSON *after_inserted = NULL;
+
+- if (which < 0)
++ if (which < 0 || newitem == NULL)
+ {
+ return false;
+ }
+@@ -2271,6 +2276,11 @@
+ return add_item_to_array(array, newitem);
+ }
+
++ if (after_inserted != array->child && newitem->prev == NULL) {
++ /* return false if after_inserted is a corrupted array item */
++ return false;
++ }
++
+ newitem->next = after_inserted;
+ newitem->prev = after_inserted->prev;
+ after_inserted->prev = newitem;
+--- a/tests/misc_tests.c
++++ b/tests/misc_tests.c
+@@ -353,6 +353,19 @@
+ {
+ char buffer[10];
+ cJSON *item = cJSON_CreateString("item");
++ cJSON *array = cJSON_CreateArray();
++ cJSON *item1 = cJSON_CreateString("item1");
++ cJSON *item2 = cJSON_CreateString("corrupted array item3");
++ cJSON *corruptedString = cJSON_CreateString("corrupted");
++ struct cJSON *originalPrev;
++
++ add_item_to_array(array, item1);
++ add_item_to_array(array, item2);
++
++ originalPrev = item2->prev;
++ item2->prev = NULL;
++ free(corruptedString->valuestring);
++ corruptedString->valuestring = NULL;
+
+ cJSON_InitHooks(NULL);
+ TEST_ASSERT_NULL(cJSON_Parse(NULL));
+@@ -412,6 +425,8 @@
+ cJSON_DeleteItemFromObject(item, NULL);
+ cJSON_DeleteItemFromObjectCaseSensitive(NULL, "item");
+ cJSON_DeleteItemFromObjectCaseSensitive(item, NULL);
++ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 0, NULL));
++ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item));
+ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(NULL, 0, item));
+ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(item, 0, NULL));
+ TEST_ASSERT_FALSE(cJSON_ReplaceItemViaPointer(NULL, item, item));
+@@ -428,10 +443,16 @@
+ TEST_ASSERT_NULL(cJSON_Duplicate(NULL, true));
+ TEST_ASSERT_FALSE(cJSON_Compare(item, NULL, false));
+ TEST_ASSERT_FALSE(cJSON_Compare(NULL, item, false));
++ TEST_ASSERT_NULL(cJSON_SetValuestring(NULL, "test"));
++ TEST_ASSERT_NULL(cJSON_SetValuestring(corruptedString, "test"));
+ cJSON_Minify(NULL);
+ /* skipped because it is only used via a macro that checks for NULL */
+ /* cJSON_SetNumberHelper(NULL, 0); */
+
++ /* restore corrupted item2 to delete it */
++ item2->prev = originalPrev;
++ cJSON_Delete(corruptedString);
++ cJSON_Delete(array);
+ cJSON_Delete(item);
+ }
+
diff -Nru cjson-1.7.15/debian/patches/series cjson-1.7.15/debian/patches/series
--- cjson-1.7.15/debian/patches/series 1970-01-01 03:00:00.000000000 +0300
+++ cjson-1.7.15/debian/patches/series 2024-04-09 04:29:47.000000000 +0300
@@ -0,0 +1 @@
+0001-add-null-checkings.patch
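Review bot: The new guard in cJSON_InsertItemInArray tests `newitem->prev == NULL`, yet `newitem` is the node being inserted and is only linked into the list two lines later (`newitem->prev = after_inserted->prev;`), so a node not yet in any array — presumably every freshly created one — would have a NULL prev and any insert at an index other than 0 would be refused; the comment on the guard itself says it is after_inserted whose corruption is being detected. The element whose NULL prev would actually be dereferenced is the existing one, so the line should read `if (after_inserted != array->child && after_inserted->prev == NULL) {`. The added test still passes either way because item2's prev is cleared, but it never exercises a legitimate insert at index 1, which is what this backport risks breaking in a stable release. Separately, cJSON_SetValuestring now rejects a NULL object and a NULL object->valuestring, but the `valuestring` argument remains unchecked; if the rest of the body takes its length (it continues outside the hunk), `|| valuestring == NULL` belongs in the same guard. Both functions begin and end outside this hunk.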