Bug#1068633: bookworm-pu: package cjson/1.7.15-1+deb12u1

2024-04-08 Thread Maytham Alsudany
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cj...@packages.debian.org
Control: affects -1 + src:cjson

[ Reason ]
CVE-2023-50472, CVE-2023-50471

[ Impact ]
Segmentation violation via the function cJSON_InsertItemInArray at cJSON.c

[ Tests ]
Upstream's tests continue to pass, and they have also added new tests to
cover this security issue.

[ Risks ]
Minimal, no change to API. Only minimal changes were made to fix this
security issue.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
- Set myself as Maintainer (I am adopting the package, #1067510)
- Bump Standards-Version to 4.6.2
- Add Build-Depends-Package to symbols
- Backport upstream's patch to 'add NULL checkings'.
  Upstream adds a few more if statements to avoid the segmentation
  fault, and thus resolve the security vulnerability.

[ Other info ]
If you can spare the time, could you please upload this for me? (I need
a sponsor, #1068624.) I'm also still waiting for someone to give me
access to the Salsa repo.

Thanks,
Maytham
diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog
--- cjson-1.7.15/debian/changelog   2021-08-29 23:30:06.0 +0300
+++ cjson-1.7.15/debian/changelog   2024-04-03 06:57:10.0 +0300
@@ -1,3 +1,13 @@
+cjson (1.7.15-1+deb12u1) bookworm-security; urgency=medium
+
+  * Update Maintainer field
+  * Bump Standards-Version to 4.6.2 (no changes)
+  * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471)
+(Closes: #1059287)
+  * Add Build-Depends-Package to symbols
+
+ -- Maytham Alsudany   Wed, 03 Apr 2024 06:57:10 +0300
+
 cjson (1.7.15-1) unstable; urgency=medium
 
   * New upstream release 1.7.15.
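Review bot: the new changelog entry targets the distribution "bookworm-security", but this bug is a bookworm-pu request to the release team; a proposed-update should carry the plain codename ("bookworm") as its distribution, since "-security" uploads go through the security team and a wrong distribution field will get the upload rejected. Suggest changing the first line to `cjson (1.7.15-1+deb12u1) bookworm; urgency=medium` and keeping the CVE references and `(Closes: #1059287)` as they are.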
diff -Nru cjson-1.7.15/debian/control cjson-1.7.15/debian/control
--- cjson-1.7.15/debian/control 2021-08-29 23:29:57.0 +0300
+++ cjson-1.7.15/debian/control 2024-04-03 06:38:29.0 +0300
@@ -1,10 +1,10 @@
 Source: cjson
 Section: libs
 Priority: optional
-Maintainer: Boyuan Yang 
+Maintainer: Maytham Alsudany 
 Build-Depends: cmake, debhelper-compat (= 13)
 Rules-Requires-Root: no
-Standards-Version: 4.6.0
+Standards-Version: 4.6.2
 Homepage: https://github.com/DaveGamble/cJSON
 Vcs-Git: https://salsa.debian.org/debian/cjson.git
 Vcs-Browser: https://salsa.debian.org/debian/cjson
diff -Nru cjson-1.7.15/debian/gbp.conf cjson-1.7.15/debian/gbp.conf
--- cjson-1.7.15/debian/gbp.conf1970-01-01 03:00:00.0 +0300
+++ cjson-1.7.15/debian/gbp.conf2024-04-03 06:56:58.0 +0300
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = debian/bookworm
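Review bot: debian/gbp.conf pins `debian-branch = debian/bookworm`, which is the right layout for a stable-update branch, but the cover text says Salsa access to the repository named in Vcs-Git is still pending; it would help the sponsor to state in the bug that the `debian/bookworm` branch will be pushed once access is granted so that the packaging in the archive and the repository do not diverge.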
diff -Nru cjson-1.7.15/debian/libcjson1.symbols 
cjson-1.7.15/debian/libcjson1.symbols
--- cjson-1.7.15/debian/libcjson1.symbols   2021-08-29 23:28:57.0 
+0300
+++ cjson-1.7.15/debian/libcjson1.symbols   2024-04-03 06:57:10.0 
+0300
@@ -1,4 +1,5 @@
 libcjson.so.1 libcjson1 #MINVER#
+* Build-Depends-Package: libcjson-dev
  cJSON_AddArrayToObject@Base 1.7.5
  cJSON_AddBoolToObject@Base 1.7.5
  cJSON_AddFalseToObject@Base 1.7.5
diff -Nru cjson-1.7.15/debian/patches/0001-add-null-checkings.patch 
cjson-1.7.15/debian/patches/0001-add-null-checkings.patch
--- cjson-1.7.15/debian/patches/0001-add-null-checkings.patch   1970-01-01 
03:00:00.0 +0300
+++ cjson-1.7.15/debian/patches/0001-add-null-checkings.patch   2024-04-03 
06:51:36.0 +0300
@@ -0,0 +1,101 @@
+Origin: backport, 
https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8
+From: Peter Alfred Lee 
+Bug: https://github.com/DaveGamble/cJSON/issues/803
+Bug: https://github.com/DaveGamble/cJSON/issues/802
+Bug-Debian: https://bugs.debian.org/1059287
+Acked-by: Maytham Alsudany 
+Subject: [PATCH] add NULL checkings (#809)
+ * add NULL checks in cJSON_SetValuestring
+ Fixes #803(CVE-2023-50472)
+ .
+ * add NULL check in cJSON_InsertItemInArray
+ Fixes #802(CVE-2023-50471)
+ .
+ * add tests for NULL checks
+ add tests for NULL checks in cJSON_InsertItemInArray and cJSON_SetValuestring
+
+--- a/cJSON.c
 b/cJSON.c
+@@ -401,7 +401,12 @@
+ {
+ char *copy = NULL;
+ /* if object's type is not cJSON_String or is cJSON_IsReference, it 
should not set valuestring */
+-if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference))
++if ((object == NULL) || !(object->type & cJSON_String) || (object->type & 
cJSON_IsReference))
++{
++return NULL;
++}
++/* return NULL if the object is corrupted */
++if (object->valuestring == NULL)
+ {
+ return NULL;
+ }
+@@ -2260,7 +2265,7 @@
+ {
+ cJSON *after_inserted = NULL;
+ 
+-if (which < 0)
++if (which < 0 || newitem == NULL)
+ {
+ return false;
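Review bot: the embedded upstream diff looks malformed as shown: the header line under `+--- a/cJSON.c` reads ` b/cJSON.c` without its `+++` marker, which quilt would not apply, and the hunk header declares 101 added lines while the debdiff stops after `if (which < 0 || newitem == NULL)` / `return false;`, so neither the rest of the cJSON_InsertItemInArray change nor the new tests mentioned under [Tests] are visible here. Please re-attach the complete debdiff (or confirm the truncation is a mail artifact) so the full patch can be reviewed. The part that is visible is sound: the `object == NULL` test is placed ahead of the first `object->type` dereference in cJSON_SetValuestring, and the `object->valuestring == NULL` early return guards the later use of that field; the `newitem == NULL` test sits in the existing bounds check so no new control path is introduced.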

Bug#1074027: RFS: cjson/1.7.18-1 [ITA] -- Ultralightweight JSON parser in ANSI C

2024-06-21 Thread Maytham Alsudany
Package: sponsorship-requests
Severity: normal
User: maytha8the...@gmail.com
Usertags: pending-upload
Control: block 1067510 by -1
X-Debbugs-Cc: cj...@packages.debian.org, b...@debian.org

Dear mentors,

I am looking for a sponsor (or upload rights) for my package "cjson":

 * Package name : cjson
   Version  : 1.7.18-1
   Upstream contact : [fill in name and email of upstream]
 * URL  : https://github.com/DaveGamble/cJSON
 * License  : Apache-2.0, MIT
 * Vcs  : https://salsa.debian.org/debian/cjson
   Section  : libs

The source builds the following binary packages:

  libcjson-dev - Ultralightweight JSON parser in ANSI C (development files)
  libcjson1 - Ultralightweight JSON parser in ANSI C

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/cjson/

Alternatively, you can download the package with 'dget' using this
command:

  dget -x https://mentors.debian.net/debian/pool/main/c/cjson/cjson_1.7.18-1.dsc

Changes since the last upload:

 cjson (1.7.18-1) unstable; urgency=medium
 .
   * Adopt package (Closes: #1067510)
   * New upstream version 1.7.18
 * Includes fix for CVE-2024-31755 (Closes: #1071742)
   * Add Build-Depends-Package to d/libcjson1.symbols
   * Add autopkgtest suite running upstream's tests
   * Bump Standards-Version to 4.7.0 (no changes)

Kind regards,

