[Git][java-team/libjettison-java][master] 3 commits: New upstream version 1.5.4

Tony Mancill (@tmancill) gitlab at salsa.debian.org
Sun Jun 11 23:58:48 BST 2023



Tony Mancill pushed to branch master at Debian Java Maintainers / libjettison-java


Commits:
798881a2 by tony mancill at 2023-06-11T15:35:52-07:00
New upstream version 1.5.4
- - - - -
ce88e4f9 by tony mancill at 2023-06-11T15:35:52-07:00
Update upstream source from tag 'upstream/1.5.4'

Update to upstream version '1.5.4'
with Debian dir bb558fd56d5a435bfc5cca60c06aab9588271e0f
- - - - -
339efba6 by tony mancill at 2023-06-11T15:41:53-07:00
Prepare changelog for upload to unstable

- - - - -


4 changed files:

- debian/changelog
- pom.xml
- src/main/java/org/codehaus/jettison/json/JSONArray.java
- src/test/java/org/codehaus/jettison/json/JSONArrayTest.java


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,12 @@
+libjettison-java (1.5.4-1) unstable; urgency=medium
+
+  * Team upload.
+  * New upstream version 1.5.4 (Closes: #1033846)
+    - Fix CVE-2023-1436 - Infinite recursion in Jettison leads
+      to denial of service when creating a crafted JSONArray
+
+ -- tony mancill <tmancill at debian.org>  Sun, 11 Jun 2023 15:38:24 -0700
+
 libjettison-java (1.5.3-1) unstable; urgency=high
 
   * Team upload.


=====================================
pom.xml
=====================================
@@ -2,7 +2,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>org.codehaus.jettison</groupId>
   <artifactId>jettison</artifactId>
-  <version>1.5.3</version>
+  <version>1.5.4</version>
   <packaging>bundle</packaging>
   <name>Jettison</name>
   <description>A StAX implementation for JSON.</description>
@@ -31,7 +31,7 @@
     <connection>scm:git:http://github.com/jettison-json/jettison.git</connection>
     <developerConnection>scm:git:https://github.com/jettison-json/jettison.git</developerConnection>
     <url>https://github.com/jettison-json/jettison</url>
-    <tag>jettison-1.5.3</tag>
+    <tag>jettison-1.5.4</tag>
   </scm>
   <distributionManagement>
       <snapshotRepository>


=====================================
src/main/java/org/codehaus/jettison/json/JSONArray.java
=====================================
@@ -182,22 +182,30 @@ public class JSONArray implements Serializable {
      * @throws JSONException If there is a syntax error.
      */
     public JSONArray(Collection collection) throws JSONException {
+        this(collection, 0);
+    }
+
+    private JSONArray(Collection collection, int recursionDepth) throws JSONException {
+        if (recursionDepth > JSONObject.getGlobalRecursionDepthLimit()) {
+            throw new JSONException("JSONArray has reached recursion depth limit of "
+                    + JSONObject.getGlobalRecursionDepthLimit());
+        }
+
         this.myArrayList = (collection == null) ?
                 new ArrayList() :
                 new ArrayList(collection);
         // ensure a pure hierarchy of JSONObjects and JSONArrays
         for (ListIterator iter = myArrayList.listIterator(); iter.hasNext();) {
-             Object e = iter.next();
-             if (e instanceof Collection) {
-                 iter.set(new JSONArray((Collection) e));
-             }
-             if (e instanceof Map) {
-                 iter.set(new JSONObject((Map) e));
-             }
-        }        
+            Object e = iter.next();
+            if (e instanceof Collection) {
+                iter.set(new JSONArray((Collection) e, recursionDepth + 1));
+            }
+            if (e instanceof Map) {
+                iter.set(new JSONObject((Map) e));
+            }
+        }
     }
 
-
     /**
      * Get the object value associated with an index.
      * @param index
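Review bot: The depth counter is threaded only through nested Collections; on the line `iter.set(new JSONObject((Map) e));` a nested Map is built with no depth argument, so any Collection reachable through that Map re-enters `JSONArray(Collection)` at depth 0 and the new limit check never sees the accumulated nesting. Unless `JSONObject(Map)` carries its own counter (it is outside this hunk, so I cannot confirm), a list-inside-map-inside-list cycle is still unbounded. I would give JSONObject a package-private `JSONObject(Map map, int recursionDepth)` overload that performs the same limit check and pass `recursionDepth + 1` from here, and have it call the `JSONArray(Collection, int)` overload in turn, so the two constructors share one counter. A one-line comment on the private constructor, `// recursionDepth counts nested Collection/Map levels below the public constructor; see JSONObject.getGlobalRecursionDepthLimit()`, would also make the contract explicit.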


=====================================
src/test/java/org/codehaus/jettison/json/JSONArrayTest.java
=====================================
@@ -2,6 +2,9 @@ package org.codehaus.jettison.json;
 
 import junit.framework.TestCase;
 
+import java.util.ArrayList;
+import java.util.List;
+
 public class JSONArrayTest extends TestCase {
     public void testInvalidArraySequence() throws Exception {
     	try {
@@ -67,6 +70,18 @@ public class JSONArrayTest extends TestCase {
     public void testIssue52() throws JSONException {
         JSONObject.setGlobalRecursionDepthLimit(10);
         new JSONArray("[{}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {a:10}]");
+        JSONObject.setGlobalRecursionDepthLimit(500);
+    }
+
+    // https://github.com/jettison-json/jettison/issues/60
+    public void testIssue60() throws JSONException {
+        List<Object> list = new ArrayList<>();
+        list.add(list);
+        try {
+            new JSONArray(list);
+        } catch (JSONException ex) {
+            assertEquals(ex.getMessage(), "JSONArray has reached recursion depth limit of 500");
+        }
     }
 
 }
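Review bot: testIssue60 passes even if no exception is thrown: the try block around `new JSONArray(list);` has no `fail(...)` after the constructor call, so a regression of the fix would go undetected and the only assertion in the method would never run. Change the body to `new JSONArray(list); fail("expected JSONException for self-referencing list");` and also swap the assertEquals operands to `assertEquals("JSONArray has reached recursion depth limit of 500", ex.getMessage());` so a failure message reports expected and actual in the right order. The test also relies on the global limit still being 500, which testIssue52 restores only on its success path; moving that `setGlobalRecursionDepthLimit(500)` into a `finally` would keep the two tests independent of ordering.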


