diff --git a/CVE-2023-1370.patch b/CVE-2023-1370.patch
deleted file mode 100644
index fd326ac5c58379e43510783a573621ea4d22a0ef..0000000000000000000000000000000000000000
--- a/CVE-2023-1370.patch
+++ /dev/null
@@ -1,161 +0,0 @@ -From: UrielCh -Date: Sun, 5 Mar 2023 13:01:10 +0200 -Subject: CVE-2023-1370: stack overflow due to excessive recursion -MIME-Version: 1.0 -Content-Type: text/plain; charset="utf-8" -Content-Transfer-Encoding: 8bit - -When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code -parses an array or an object respectively. It was discovered that the -code does not have any limit to the nesting of such arrays or -objects. Since the parsing of nested arrays and objects is done -recursively, nesting too many of them can cause a stack exhaustion -(stack overflow) and crash the software. - -origin: -https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a.patch -bug: -https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/ -bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033474 ---- - .../minidev/json/parser/JSONParserBase.java | 17 +++++++++++- - .../minidev/json/parser/ParseException.java | 9 ++++++- - .../net/minidev/json/test/TestOverflow.java | 27 +++++++++++++++++++ - 3 files changed, 51 insertions(+), 2 deletions(-) - create mode 100644 json-smart/src/test/java/net/minidev/json/test/TestOverflow.java - -diff --git a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java -index 5a0e67f..06f45a3 100644 ---- a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java -+++ b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java -@@ -20,6 +20,7 @@ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_EOF; - import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_LEADING_0; - import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_TOKEN; - import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_UNICODE; -+import static 
net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_JSON_DEPTH; - - import java.io.IOException; - import java.math.BigDecimal; -@@ -39,6 +40,12 @@ import net.minidev.json.writer.JsonReaderI; - */ - abstract class JSONParserBase { - protected char c; -+ /** -+ * hard coded maximal depth for JSON parsing -+ */ -+ public final static int MAX_DEPTH = 400; -+ protected int depth = 0; -+ - JsonReader base; - public final static byte EOI = 0x1A; - protected static final char MAX_STOP = 126; // '}' -> 125 -@@ -284,9 +291,12 @@ abstract class JSONParserBase { - abstract protected void read() throws IOException; - - protected T readArray(JsonReaderI mapper) throws ParseException, IOException { -- Object current = mapper.createArray(); - if (c != '[') - throw new RuntimeException("Internal Error"); -+ if (++this.depth > MAX_DEPTH) { -+ throw new ParseException(pos, ERROR_UNEXPECTED_JSON_DEPTH, c); -+ } -+ Object current = mapper.createArray(); - read(); - boolean needData = false; - // special case needData is false and can close is true -@@ -303,6 +313,7 @@ abstract class JSONParserBase { - case ']': - if (needData && !acceptUselessComma) - throw new ParseException(pos, ERROR_UNEXPECTED_CHAR, (char) c); -+ this.depth--; - read(); /* unstack */ - // - return mapper.convert(current); -@@ -539,6 +550,9 @@ abstract class JSONParserBase { - // - if (c != '{') - throw new RuntimeException("Internal Error"); -+ if (++this.depth > MAX_DEPTH) { -+ throw new ParseException(pos, ERROR_UNEXPECTED_JSON_DEPTH, c); -+ } - Object current = mapper.createObject(); - boolean needData = false; - boolean acceptData = true; -@@ -558,6 +572,7 @@ abstract class JSONParserBase { - case '}': - if (needData && !acceptUselessComma) - throw new ParseException(pos, ERROR_UNEXPECTED_CHAR, (char) c); -+ this.depth--; - read(); /* unstack */ - // - return mapper.convert(current); -diff --git a/json-smart/src/main/java/net/minidev/json/parser/ParseException.java 
b/json-smart/src/main/java/net/minidev/json/parser/ParseException.java -index e9332d9..5f81021 100644 ---- a/json-smart/src/main/java/net/minidev/json/parser/ParseException.java -+++ b/json-smart/src/main/java/net/minidev/json/parser/ParseException.java -@@ -1,7 +1,7 @@ - package net.minidev.json.parser; - - /* -- * Copyright 2011 JSON-SMART authors -+ * Copyright 2011-2023 JSON-SMART authors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. -@@ -30,6 +30,7 @@ public class ParseException extends Exception { - public static final int ERROR_UNEXPECTED_UNICODE = 4; - public static final int ERROR_UNEXPECTED_DUPLICATE_KEY = 5; - public static final int ERROR_UNEXPECTED_LEADING_0 = 6; -+ public static final int ERROR_UNEXPECTED_JSON_DEPTH = 7; - - private int errorType; - private Object unexpectedObject; -@@ -114,6 +115,12 @@ public class ParseException extends Exception { - sb.append(" at position "); - sb.append(position); - sb.append("."); -+ } else if (errorType == ERROR_UNEXPECTED_JSON_DEPTH) { -+ sb.append("Malicious payload, having non natural depths, parsing stoped on "); -+ sb.append(unexpectedObject); -+ sb.append(" at position "); -+ sb.append(position); -+ sb.append("."); - } else { - sb.append("Unkown error at position "); - sb.append(position); -diff --git a/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java b/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java -new file mode 100644 -index 0000000..18b52e7 ---- /dev/null -+++ b/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java -@@ -0,0 +1,27 @@ -+package net.minidev.json.test; -+ -+import junit.framework.TestCase; -+import net.minidev.json.JSONValue; -+import net.minidev.json.parser.ParseException; -+ -+public class TestOverflow extends TestCase { -+ public void testStress() throws Exception { -+ int size = 10000; -+ StringBuilder sb = new StringBuilder(10 + size*4); -+ for 
(int i=0; i < size; i++) {
-+ sb.append("{a:");
-+ }
-+ sb.append("true");
-+ for (int i=0; i < size; i++) {
-+ sb.append("}");
-+ }
-+ String s = sb.toString();
-+ try {
-+ JSONValue.parseWithException(s);
-+ } catch (ParseException e) {
-+ assertEquals(e.getErrorType(), ParseException.ERROR_UNEXPECTED_JSON_DEPTH);
-+ return;
-+ }
-+ assertEquals(0,1);
-+ }
-+}
---
-2.33.0
-
diff --git a/json-smart-v2-2.4.8.tar.gz b/json-smart-v2-2.4.8.tar.gz
deleted file mode 100644
index 50fc5bbf962d4a6d2ea511d2f0c7f673c95bc5ae..0000000000000000000000000000000000000000
Binary files a/json-smart-v2-2.4.8.tar.gz and /dev/null differ
diff --git a/json-smart-v2-2.5.2.tar.gz b/json-smart-v2-2.5.2.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..a82dca0066c4ed2643adee9598ab827b4cbd61fc
Binary files /dev/null and b/json-smart-v2-2.5.2.tar.gz differ
diff --git a/json-smart.spec b/json-smart.spec
index f7088e3c849b3fbf450eab631d3c68c6f2d723a6..157436eee9397b3701413432de73fcd0207fd777 100644
--- a/json-smart.spec
+++ b/json-smart.spec
@@ -1,12 +1,11 @@
 Name: json-smart
-Version: 2.4.8
+Version: 2.5.2
 Release: 1
 Summary: A small and very fast json parser/generator for java
-License: ASL 2.0
+License: Apache-2.0
 URL: https://github.com/netplex/json-smart-v2
-Source0: https://github.com/netplex/%{name}-v2/archive/2.4.8/%{name}-v2-%{version}.tar.gz
+Source0: https://github.com/netplex/%{name}-v2/archive/%{version}/%{name}-v2-%{version}.tar.gz
 Source1: https://repo.maven.apache.org/maven2/net/minidev/minidev-parent/2.4.4/minidev-parent-2.4.4.pom
-Patch0001: CVE-2023-1370.patch
 BuildRequires: maven-local mvn(junit:junit) mvn(org.apache.felix:maven-bundle-plugin)
 BuildRequires: mvn(org.ow2.asm:asm) mvn(org.sonatype.oss:oss-parent:pom:)
 BuildRequires: mvn(org.apache.maven.plugins:maven-source-plugin)
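Review bot: Dropping `Patch0001: CVE-2023-1370.patch` in this hunk is not recorded anywhere — the new changelog entry in the following hunk names only CVE-2024-57699, so a later reader cannot tell whether the 2.5.2 tarball carries the recursion-depth limit (upstream commit 5b3205d051952d3100aa0db1535f6ba6226bd87a, per the deleted patch's header) or whether the backport was simply lost. Add a changelog line such as `- Drop CVE-2023-1370.patch, fixed upstream` and confirm the MAX_DEPTH check is present in the shipped JSONParserBase.java before the build is accepted. No %prep change appears in this diff; if the spec applies patches with an explicit `%patch0001` line rather than `%autosetup`, that line is now stale and must be removed as well (not visible here). Source1 stays pinned at minidev-parent 2.4.4 — presumably the 2.5.2 pom still references that parent version; verify it, since a mismatch makes the build resolve the wrong parent pom.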
@@ -47,6 +46,9 @@ rm accessors-smart/src/test/java/net/minidev/asm/TestDateConvert.java
 %license LICENSE.txt
 %changelog
+* Mon Feb 17 2025 yaoxin <1024769339@qq.com> - 2.5.2-1
+- Update to 2.5.2 for fix CVE-2024-57699
+
 * Sun Feb 04 2024 Ge Wang - 2.4.8-1
 - update to version 2.4.8