[Git][java-team/json-smart][master] 4 commits: CVE-2023-1370
Bastien Roucariès (@rouca)
gitlab at salsa.debian.org
Sat Apr 13 19:21:35 BST 2024
Bastien Roucariès pushed to branch master at Debian Java Maintainers / json-smart
Commits:
a99375b0 by Bastien Roucariès at 2024-04-13T18:07:03+00:00
CVE-2023-1370
- - - - -
9b0aed95 by Bastien Roucariès at 2024-04-13T18:08:47+00:00
New unstable version
- - - - -
dcfce22e by Bastien Roucariès at 2024-04-13T18:09:32+00:00
Add salsa-ci
- - - - -
3c2a2aa8 by Bastien Roucariès at 2024-04-13T18:14:18+00:00
Add closes bug
- - - - -
6 changed files:
- debian/changelog
- − debian/compat
- debian/control
- + debian/patches/0004-CVE-2023-1370-stack-overflow-due-to-excessive-recurs.patch
- debian/patches/series
- + debian/salsa-ci.yml
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,21 @@
+json-smart (2.2-3) unstable; urgency=medium
+
+ * Team upload
+ * Add watch file
+ * Fix CVE-2023-1370: When reaching a ‘[‘ or ‘{‘ character
+ in the JSON input, the code parses an array or
+ an object respectively. It was discovered that the
+ code does not have any limit to the nesting of such arrays
+ or objects. Since the parsing of nested arrays and objects is
+ done recursively, nesting too many of them can cause
+ a stack exhaustion (stack overflow) and crash the software.
+ (Closes: #1033474)
+ * Use compat level 13
+ * Bump policy to 4.7.7
+ * Add salsa-CI
+
+ -- Bastien Roucariès <rouca at debian.org> Sat, 13 Apr 2024 14:43:01 +0000
+
json-smart (2.2-2) unstable; urgency=medium
* Team upload.
=====================================
debian/compat deleted
=====================================
@@ -1 +0,0 @@
-10
=====================================
debian/control
=====================================
@@ -3,11 +3,11 @@ Section: java
Priority: optional
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
Uploaders: Emmanuel Bourg <ebourg at apache.org>
-Build-Depends: debhelper (>= 10), default-jdk, maven-debian-helper (>= 1.5)
+Build-Depends: default-jdk, maven-debian-helper (>= 1.5), debhelper-compat (= 13)
Build-Depends-Indep: libmaven-bundle-plugin-java, junit
-Standards-Version: 4.1.1
-Vcs-Git: https://anonscm.debian.org/git/pkg-java/json-smart.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/json-smart.git
+Standards-Version: 4.7.0
+Rules-Requires-Root: no
+Vcs-browser: https://salsa.debian.org/java-team/json-smart/
Homepage: http://netplex.github.io/json-smart/
Package: libjson-smart-java
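Review bot: The rewritten stanza removes the old `Vcs-Git` line together with the anonscm URLs but only adds a browser URL back, so the package no longer declares its packaging repository; add `Vcs-Git: https://salsa.debian.org/java-team/json-smart.git` beside it, and spell the field `Vcs-Browser` so it matches the capitalisation used for the other fields in this file. The changelog hunk in this same commit says the policy was bumped to 4.7.7 while `Standards-Version: 4.7.0` is what lands here, and it also lists a watch file that does not appear among the six changed files; one side of each pair looks wrong and should be reconciled before upload.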
=====================================
debian/patches/0004-CVE-2023-1370-stack-overflow-due-to-excessive-recurs.patch
=====================================
@@ -0,0 +1,156 @@
+From: UrielCh <uriel.chemouni at gmail.com>
+Date: Sun, 5 Mar 2023 13:01:10 +0200
+Subject: CVE-2023-1370: stack overflow due to excessive recursion
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code
+parses an array or an object respectively. It was discovered that the
+code does not have any limit to the nesting of such arrays or
+objects. Since the parsing of nested arrays and objects is done
+recursively, nesting too many of them can cause a stack exhaustion
+(stack overflow) and crash the software.
+
+origin: https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a.patch
+bug: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033474
+---
+ .../net/minidev/json/parser/JSONParserBase.java | 17 +++++++++++++-
+ .../net/minidev/json/parser/ParseException.java | 9 +++++++-
+ .../java/net/minidev/json/test/TestOverflow.java | 27 ++++++++++++++++++++++
+ 3 files changed, 51 insertions(+), 2 deletions(-)
+ create mode 100644 json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
+
+diff --git a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
+index 96d6bb6..f65b8c5 100644
+--- a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
++++ b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
+@@ -20,6 +20,7 @@ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_EOF;
+ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_LEADING_0;
+ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_TOKEN;
+ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_UNICODE;
++import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_JSON_DEPTH;
+
+ import java.io.IOException;
+ import java.math.BigDecimal;
+@@ -39,6 +40,12 @@ import net.minidev.json.writer.JsonReaderI;
+ */
+ abstract class JSONParserBase {
+ protected char c;
++ /**
++ * hard coded maximal depth for JSON parsing
++ */
++ public final static int MAX_DEPTH = 400;
++ protected int depth = 0;
++
+ JsonReader base;
+ public final static byte EOI = 0x1A;
+ protected static final char MAX_STOP = 126; // '}' -> 125
+@@ -232,9 +239,12 @@ abstract class JSONParserBase {
+ abstract protected void read() throws IOException;
+
+ protected <T> T readArray(JsonReaderI<T> mapper) throws ParseException, IOException {
+- Object current = mapper.createArray();
+ if (c != '[')
+ throw new RuntimeException("Internal Error");
++ if (++this.depth > MAX_DEPTH) {
++ throw new ParseException(pos, ERROR_UNEXPECTED_JSON_DEPTH, c);
++ }
++ Object current = mapper.createArray();
+ read();
+ boolean needData = false;
+ //
+@@ -249,6 +259,7 @@ abstract class JSONParserBase {
+ case ']':
+ if (needData && !acceptUselessComma)
+ throw new ParseException(pos, ERROR_UNEXPECTED_CHAR, (char) c);
++ this.depth--;
+ read(); /* unstack */
+ //
+ return mapper.convert(current);
+@@ -485,6 +496,9 @@ abstract class JSONParserBase {
+ //
+ if (c != '{')
+ throw new RuntimeException("Internal Error");
++ if (++this.depth > MAX_DEPTH) {
++ throw new ParseException(pos, ERROR_UNEXPECTED_JSON_DEPTH, c);
++ }
+ Object current = mapper.createObject();
+ boolean needData = false;
+ boolean acceptData = true;
+@@ -504,6 +518,7 @@ abstract class JSONParserBase {
+ case '}':
+ if (needData && !acceptUselessComma)
+ throw new ParseException(pos, ERROR_UNEXPECTED_CHAR, (char) c);
++ this.depth--;
+ read(); /* unstack */
+ //
+ return mapper.convert(current);
+diff --git a/json-smart/src/main/java/net/minidev/json/parser/ParseException.java b/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
+index e652cf2..42f11f2 100644
+--- a/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
++++ b/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
+@@ -1,7 +1,7 @@
+ package net.minidev.json.parser;
+
+ /*
+- * Copyright 2011 JSON-SMART authors
++ * Copyright 2011-2023 JSON-SMART authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+@@ -30,6 +30,7 @@ public class ParseException extends Exception {
+ public static final int ERROR_UNEXPECTED_UNICODE = 4;
+ public static final int ERROR_UNEXPECTED_DUPLICATE_KEY = 5;
+ public static final int ERROR_UNEXPECTED_LEADING_0 = 6;
++ public static final int ERROR_UNEXPECTED_JSON_DEPTH = 7;
+
+ private int errorType;
+ private Object unexpectedObject;
+@@ -114,6 +115,12 @@ public class ParseException extends Exception {
+ sb.append(" at position ");
+ sb.append(position);
+ sb.append(".");
++ } else if (errorType == ERROR_UNEXPECTED_JSON_DEPTH) {
++ sb.append("Malicious payload, having non natural depths, parsing stoped on ");
++ sb.append(unexpectedObject);
++ sb.append(" at position ");
++ sb.append(position);
++ sb.append(".");
+ } else {
+ sb.append("Unkown error at position ");
+ sb.append(position);
+diff --git a/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java b/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
+new file mode 100644
+index 0000000..18b52e7
+--- /dev/null
++++ b/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
+@@ -0,0 +1,27 @@
++package net.minidev.json.test;
++
++import junit.framework.TestCase;
++import net.minidev.json.JSONValue;
++import net.minidev.json.parser.ParseException;
++
++public class TestOverflow extends TestCase {
++ public void testStress() throws Exception {
++ int size = 10000;
++ StringBuilder sb = new StringBuilder(10 + size*4);
++ for (int i=0; i < size; i++) {
++ sb.append("{a:");
++ }
++ sb.append("true");
++ for (int i=0; i < size; i++) {
++ sb.append("}");
++ }
++ String s = sb.toString();
++ try {
++ JSONValue.parseWithException(s);
++ } catch (ParseException e) {
++ assertEquals(e.getErrorType(), ParseException.ERROR_UNEXPECTED_JSON_DEPTH);
++ return;
++ }
++ assertEquals(0,1);
++ }
++}
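Review bot: `depth` is only decremented on the `]` and `}` success paths in readArray and readObject, so any ParseException raised while a nested container is open (the new depth error itself, or the existing ERROR_UNEXPECTED_CHAR and EOF paths) leaves the counter elevated on the JSONParserBase instance; if the same parser instance is reused for a later input, which the visible code neither confirms nor rules out, that later document would hit MAX_DEPTH too early. Reset the counter where a parse begins, e.g. `this.depth = 0;` at the top of the `parse(JsonReaderI<T>)` entry point, which lies outside this hunk, or decrement it in a `finally` around the bodies of readArray and readObject. Two smaller points in the same patch: the new ParseException message reads `parsing stoped on` and should say `stopped`, and TestOverflow uses `assertEquals(0,1)` as a failure marker and passes expected and actual to assertEquals in reversed order, so `fail("expected ERROR_UNEXPECTED_JSON_DEPTH")` and `assertEquals(ParseException.ERROR_UNEXPECTED_JSON_DEPTH, e.getErrorType())` would report a regression correctly.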
=====================================
debian/patches/series
=====================================
@@ -1,3 +1,4 @@
01-bundle-dependencies.patch
02-ignore-failing-tests.patch
maven-bundle-plugin-failok.patch
+0004-CVE-2023-1370-stack-overflow-due-to-excessive-recurs.patch
=====================================
debian/salsa-ci.yml
=====================================
@@ -0,0 +1,3 @@
+---
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml