[Git][java-team/json-smart][master] 4 commits: CVE-2023-1370

Bastien Roucariès (@rouca) gitlab at salsa.debian.org
Sat Apr 13 19:21:35 BST 2024



Bastien Roucariès pushed to branch master at Debian Java Maintainers / json-smart


Commits:
a99375b0 by Bastien Roucariès at 2024-04-13T18:07:03+00:00
CVE-2023-1370

- - - - -
9b0aed95 by Bastien Roucariès at 2024-04-13T18:08:47+00:00
New unstable version

- - - - -
dcfce22e by Bastien Roucariès at 2024-04-13T18:09:32+00:00
Add salsa-ci

- - - - -
3c2a2aa8 by Bastien Roucariès at 2024-04-13T18:14:18+00:00
Add closes bug

- - - - -


6 changed files:

- debian/changelog
- − debian/compat
- debian/control
- + debian/patches/0004-CVE-2023-1370-stack-overflow-due-to-excessive-recurs.patch
- debian/patches/series
- + debian/salsa-ci.yml


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,21 @@
+json-smart (2.2-3) unstable; urgency=medium
+
+  * Team upload
+  * Add watch file
+  * Fix CVE-2023-1370: When reaching a ‘[‘ or ‘{‘ character
+    in the JSON input, the code parses an array or
+    an object respectively. It was discovered that the
+    code does not have any limit to the nesting of such arrays
+    or objects. Since the parsing of nested arrays and objects is
+    done recursively, nesting too many of them can cause
+    a stack exhaustion (stack overflow) and crash the software.
+    (Closes: #1033474)
+  * Use compat level 13
+  * Bump policy to 4.7.7
+  * Add salsa-CI
+
+ -- Bastien Roucariès <rouca at debian.org>  Sat, 13 Apr 2024 14:43:01 +0000
+
 json-smart (2.2-2) unstable; urgency=medium
 
   * Team upload.


=====================================
debian/compat deleted
=====================================
@@ -1 +0,0 @@
-10


=====================================
debian/control
=====================================
@@ -3,11 +3,11 @@ Section: java
 Priority: optional
 Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
 Uploaders: Emmanuel Bourg <ebourg at apache.org>
-Build-Depends: debhelper (>= 10), default-jdk, maven-debian-helper (>= 1.5)
+Build-Depends: default-jdk, maven-debian-helper (>= 1.5), debhelper-compat (= 13)
 Build-Depends-Indep: libmaven-bundle-plugin-java, junit
-Standards-Version: 4.1.1
-Vcs-Git: https://anonscm.debian.org/git/pkg-java/json-smart.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/json-smart.git
+Standards-Version: 4.7.0
+Rules-Requires-Root: no
+Vcs-browser: https://salsa.debian.org/java-team/json-smart/
 Homepage: http://netplex.github.io/json-smart/
 
 Package: libjson-smart-java
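Review bot: Standards-Version is set to 4.7.0 here while the changelog entry in the same push says "Bump policy to 4.7.7"; one of the two should be corrected so the declared policy level matches. The removed Vcs-Git line gets no replacement — only Vcs-browser is added — so the package loses its machine-readable repository URL; the salsa equivalent would presumably be `Vcs-Git: https://salsa.debian.org/java-team/json-smart.git`, to be confirmed against the repository. The field is conventionally spelled `Vcs-Browser`, matching the capitalisation of the line it replaces.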


=====================================
debian/patches/0004-CVE-2023-1370-stack-overflow-due-to-excessive-recurs.patch
=====================================
@@ -0,0 +1,156 @@
+From: UrielCh <uriel.chemouni at gmail.com>
+Date: Sun, 5 Mar 2023 13:01:10 +0200
+Subject: CVE-2023-1370: stack overflow due to excessive recursion
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code
+parses an array or an object respectively. It was discovered that the
+code does not have any limit to the nesting of such arrays or
+objects. Since the parsing of nested arrays and objects is done
+recursively, nesting too many of them can cause a stack exhaustion
+(stack overflow) and crash the software.
+
+origin: https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a.patch
+bug: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033474
+---
+ .../net/minidev/json/parser/JSONParserBase.java    | 17 +++++++++++++-
+ .../net/minidev/json/parser/ParseException.java    |  9 +++++++-
+ .../java/net/minidev/json/test/TestOverflow.java   | 27 ++++++++++++++++++++++
+ 3 files changed, 51 insertions(+), 2 deletions(-)
+ create mode 100644 json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
+
+diff --git a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
+index 96d6bb6..f65b8c5 100644
+--- a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
++++ b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
+@@ -20,6 +20,7 @@ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_EOF;
+ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_LEADING_0;
+ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_TOKEN;
+ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_UNICODE;
++import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_JSON_DEPTH;
+ 
+ import java.io.IOException;
+ import java.math.BigDecimal;
+@@ -39,6 +40,12 @@ import net.minidev.json.writer.JsonReaderI;
+  */
+ abstract class JSONParserBase {
+ 	protected char c;
++   	/**
++	 * hard coded maximal depth for JSON parsing
++	 */
++	public final static int MAX_DEPTH = 400;
++	protected int depth = 0;
++
+ 	JsonReader base;
+ 	public final static byte EOI = 0x1A;
+ 	protected static final char MAX_STOP = 126; // '}' -> 125
+@@ -232,9 +239,12 @@ abstract class JSONParserBase {
+ 	abstract protected void read() throws IOException;
+ 
+ 	protected <T> T readArray(JsonReaderI<T> mapper) throws ParseException, IOException {
+-		Object current = mapper.createArray();
+ 		if (c != '[')
+ 			throw new RuntimeException("Internal Error");
++		if (++this.depth > MAX_DEPTH) {
++			throw new ParseException(pos, ERROR_UNEXPECTED_JSON_DEPTH, c);
++		}
++		Object current = mapper.createArray();
+ 		read();
+ 		boolean needData = false;
+ 		//
+@@ -249,6 +259,7 @@ abstract class JSONParserBase {
+ 			case ']':
+ 				if (needData && !acceptUselessComma)
+ 					throw new ParseException(pos, ERROR_UNEXPECTED_CHAR, (char) c);
++				this.depth--;
+ 				read(); /* unstack */
+ 				//
+ 				return mapper.convert(current);
+@@ -485,6 +496,9 @@ abstract class JSONParserBase {
+ 		//
+ 		if (c != '{')
+ 			throw new RuntimeException("Internal Error");
++		if (++this.depth > MAX_DEPTH) {
++			throw new ParseException(pos, ERROR_UNEXPECTED_JSON_DEPTH, c);
++		}
+ 		Object current = mapper.createObject();
+ 		boolean needData = false;
+ 		boolean acceptData = true;
+@@ -504,6 +518,7 @@ abstract class JSONParserBase {
+ 			case '}':
+ 				if (needData && !acceptUselessComma)
+ 					throw new ParseException(pos, ERROR_UNEXPECTED_CHAR, (char) c);
++				this.depth--;
+ 				read(); /* unstack */
+ 				//
+ 				return mapper.convert(current);
+diff --git a/json-smart/src/main/java/net/minidev/json/parser/ParseException.java b/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
+index e652cf2..42f11f2 100644
+--- a/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
++++ b/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
+@@ -1,7 +1,7 @@
+ package net.minidev.json.parser;
+ 
+ /*
+- *    Copyright 2011 JSON-SMART authors
++ *    Copyright 2011-2023 JSON-SMART authors
+  *
+  * Licensed under the Apache License, Version 2.0 (the "License");
+  * you may not use this file except in compliance with the License.
+@@ -30,6 +30,7 @@ public class ParseException extends Exception {
+ 	public static final int ERROR_UNEXPECTED_UNICODE = 4;
+ 	public static final int ERROR_UNEXPECTED_DUPLICATE_KEY = 5;
+ 	public static final int ERROR_UNEXPECTED_LEADING_0 = 6;
++	public static final int ERROR_UNEXPECTED_JSON_DEPTH = 7;
+ 
+ 	private int errorType;
+ 	private Object unexpectedObject;
+@@ -114,6 +115,12 @@ public class ParseException extends Exception {
+ 			sb.append(" at position ");
+ 			sb.append(position);
+ 			sb.append(".");
++		} else if (errorType == ERROR_UNEXPECTED_JSON_DEPTH) {
++			sb.append("Malicious payload, having non natural depths, parsing stoped on ");
++			sb.append(unexpectedObject);
++			sb.append(" at position ");
++			sb.append(position);
++			sb.append(".");
+ 		} else {
+ 			sb.append("Unkown error at position ");
+ 			sb.append(position);
+diff --git a/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java b/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
+new file mode 100644
+index 0000000..18b52e7
+--- /dev/null
++++ b/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
+@@ -0,0 +1,27 @@
++package net.minidev.json.test;
++
++import junit.framework.TestCase;
++import net.minidev.json.JSONValue;
++import net.minidev.json.parser.ParseException;
++
++public class TestOverflow extends TestCase {
++	public void testStress() throws Exception {
++		int size = 10000;
++		StringBuilder sb = new StringBuilder(10 + size*4);
++		for (int i=0; i < size; i++) {
++			sb.append("{a:");
++		}
++		sb.append("true");
++		for (int i=0; i < size; i++) {
++			sb.append("}");
++		}
++		String s = sb.toString();
++		try {
++			JSONValue.parseWithException(s);
++		} catch (ParseException e) {
++			assertEquals(e.getErrorType(), ParseException.ERROR_UNEXPECTED_JSON_DEPTH);
++			return;
++		}
++		assertEquals(0,1);
++	}
++}
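Review bot: The `++this.depth` guard added to readArray and readObject in JSONParserBase.java is only undone by the `this.depth--` on the normal `]`/`}` return path, so a ParseException raised by any nested value (an unexpected character, say) leaves depth raised for that parser instance; if the instance is reused for later documents — the top-level parse entry point is outside these hunks, so I cannot confirm whether it resets state — each failed parse erodes the budget until well-formed input is rejected with ERROR_UNEXPECTED_JSON_DEPTH. Resetting the counter where a parse begins, `this.depth = 0;`, or decrementing in a `finally` around the read loop, keeps the limit independent of earlier failures. readArray and readObject both start and end outside the hunks. Two smaller points: the new ParseException message says `parsing stoped on` (should be `stopped`), and the comment block above `public final static int MAX_DEPTH = 400;` is indented with spaces plus a tab where the surrounding file uses tabs.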


=====================================
debian/patches/series
=====================================
@@ -1,3 +1,4 @@
 01-bundle-dependencies.patch
 02-ignore-failing-tests.patch
 maven-bundle-plugin-failok.patch
+0004-CVE-2023-1370-stack-overflow-due-to-excessive-recurs.patch


=====================================
debian/salsa-ci.yml
=====================================
@@ -0,0 +1,3 @@
+---
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml


