diff --git a/2.2.tar.gz b/2.2.tar.gz
deleted file mode 100644
index 98d914e959ad627e833935f2d7a76aa480238841..0000000000000000000000000000000000000000
Binary files a/2.2.tar.gz and /dev/null differ
diff --git a/CVE-2023-1370.patch b/CVE-2023-1370.patch
deleted file mode 100644
index c7892153f44f34ef5afbab9d7e81cd5f4a9162fd..0000000000000000000000000000000000000000
--- a/CVE-2023-1370.patch
+++ /dev/null
@@ -1,156 +0,0 @@
-From: UrielCh
-Date: Sun, 5 Mar 2023 13:01:10 +0200
-Subject: CVE-2023-1370: stack overflow due to excessive recursion
-MIME-Version: 1.0
-Content-Type: text/plain; charset="utf-8"
-Content-Transfer-Encoding: 8bit
-
-When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code
-parses an array or an object respectively. It was discovered that the
-code does not have any limit to the nesting of such arrays or
-objects. Since the parsing of nested arrays and objects is done
-recursively, nesting too many of them can cause a stack exhaustion
-(stack overflow) and crash the software.
-
-origin: https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a.patch
-bug: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
-bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033474
----
- .../net/minidev/json/parser/JSONParserBase.java | 17 +++++++++++++-
- .../net/minidev/json/parser/ParseException.java | 9 +++++++-
- .../java/net/minidev/json/test/TestOverflow.java | 27 ++++++++++++++++++++++
- 3 files changed, 51 insertions(+), 2 deletions(-)
- create mode 100644 json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
-
-diff --git a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
-index 96d6bb6..f65b8c5 100644
---- a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
-+++ b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
-@@ -20,6 +20,7 @@ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_EOF;
- import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_LEADING_0;
- import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_TOKEN;
- import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_UNICODE;
-+import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_JSON_DEPTH;
-
- import java.io.IOException;
- import java.math.BigDecimal;
-@@ -39,6 +40,12 @@ import net.minidev.json.writer.JsonReaderI;
- */
- abstract class JSONParserBase {
- protected char c;
-+ /**
-+ * hard coded maximal depth for JSON parsing
-+ */
-+ public final static int MAX_DEPTH = 400;
-+ protected int depth = 0;
-+
- JsonReader base;
- public final static byte EOI = 0x1A;
- protected static final char MAX_STOP = 126; // '}' -> 125
-@@ -232,9 +239,12 @@ abstract class JSONParserBase {
- abstract protected void read() throws IOException;
-
- protected T readArray(JsonReaderI mapper) throws ParseException, IOException {
-- Object current = mapper.createArray();
- if (c != '[')
- throw new RuntimeException("Internal Error");
-+ if (++this.depth > MAX_DEPTH) {
-+ throw new ParseException(pos, ERROR_UNEXPECTED_JSON_DEPTH, c);
-+ }
-+ Object current = mapper.createArray();
- read();
- boolean needData = false;
- //
-@@ -249,6 +259,7 @@ abstract class JSONParserBase {
- case ']':
- if (needData && !acceptUselessComma)
- throw new ParseException(pos, ERROR_UNEXPECTED_CHAR, (char) c);
-+ this.depth--;
- read(); /* unstack */
- //
- return mapper.convert(current);
-@@ -485,6 +496,9 @@ abstract class JSONParserBase {
- //
- if (c != '{')
- throw new RuntimeException("Internal Error");
-+ if (++this.depth > MAX_DEPTH) {
-+ throw new ParseException(pos, ERROR_UNEXPECTED_JSON_DEPTH, c);
-+ }
- Object current = mapper.createObject();
- boolean needData = false;
- boolean acceptData = true;
-@@ -504,6 +518,7 @@ abstract class JSONParserBase {
- case '}':
- if (needData && !acceptUselessComma)
- throw new ParseException(pos, ERROR_UNEXPECTED_CHAR, (char) c);
-+ this.depth--;
- read(); /* unstack */
- //
- return mapper.convert(current);
-diff --git a/json-smart/src/main/java/net/minidev/json/parser/ParseException.java b/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
-index e652cf2..42f11f2 100644
---- a/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
-+++ b/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
-@@ -1,7 +1,7 @@
- package net.minidev.json.parser;
-
- /*
-- * Copyright 2011 JSON-SMART authors
-+ * Copyright 2011-2023 JSON-SMART authors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
-@@ -30,6 +30,7 @@ public class ParseException extends Exception {
- public static final int ERROR_UNEXPECTED_UNICODE = 4;
- public static final int ERROR_UNEXPECTED_DUPLICATE_KEY = 5;
- public static final int ERROR_UNEXPECTED_LEADING_0 = 6;
-+ public static final int ERROR_UNEXPECTED_JSON_DEPTH = 7;
-
- private int errorType;
- private Object unexpectedObject;
-@@ -114,6 +115,12 @@ public class ParseException extends Exception {
- sb.append(" at position ");
- sb.append(position);
- sb.append(".");
-+ } else if (errorType == ERROR_UNEXPECTED_JSON_DEPTH) {
-+ sb.append("Malicious payload, having non natural depths, parsing stoped on ");
-+ sb.append(unexpectedObject);
-+ sb.append(" at position ");
-+ sb.append(position);
-+ sb.append(".");
- } else {
- sb.append("Unkown error at position ");
- sb.append(position);
-diff --git a/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java b/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
-new file mode 100644
-index 0000000..18b52e7
---- /dev/null
-+++ b/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
-@@ -0,0 +1,27 @@
-+package net.minidev.json.test;
-+
-+import junit.framework.TestCase;
-+import net.minidev.json.JSONValue;
-+import net.minidev.json.parser.ParseException;
-+
-+public class TestOverflow extends TestCase {
-+ public void testStress() throws Exception {
-+ int size = 10000;
-+ StringBuilder sb = new StringBuilder(10 + size*4);
-+ for (int i=0; i < size; i++) {
-+ sb.append("{a:");
-+ }
-+ sb.append("true");
-+ for (int i=0; i < size; i++) {
-+ sb.append("}");
-+ }
-+ String s = sb.toString();
-+ try {
-+ JSONValue.parseWithException(s);
-+ } catch (ParseException e) {
-+ assertEquals(e.getErrorType(), ParseException.ERROR_UNEXPECTED_JSON_DEPTH);
-+ return;
-+ }
-+ assertEquals(0,1);
-+ }
-+}
diff --git a/json-smart-v2-2.5.2.tar.gz b/json-smart-v2-2.5.2.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..a82dca0066c4ed2643adee9598ab827b4cbd61fc
Binary files /dev/null and b/json-smart-v2-2.5.2.tar.gz differ
diff --git a/json-smart.spec b/json-smart.spec
index 661cfc402e8dcb679e9aed3ed8ab2d0c4034b46c..157436eee9397b3701413432de73fcd0207fd777 100644
--- a/json-smart.spec
+++ b/json-smart.spec
@@ -1,13 +1,15 @@
 Name: json-smart
-Version: 2.2
-Release: 2
+Version: 2.5.2
+Release: 1
 Summary: A small and very fast json parser/generator for java
-License: ASL 2.0
+License: Apache-2.0
 URL: https://github.com/netplex/json-smart-v2
-Source0: https://github.com/netplex/json-smart-v2/archive/%{version}.tar.gz
-Patch0001: CVE-2023-1370.patch
+Source0: https://github.com/netplex/%{name}-v2/archive/%{version}/%{name}-v2-%{version}.tar.gz
+Source1: https://repo.maven.apache.org/maven2/net/minidev/minidev-parent/2.4.4/minidev-parent-2.4.4.pom
 BuildRequires: maven-local mvn(junit:junit) mvn(org.apache.felix:maven-bundle-plugin)
 BuildRequires: mvn(org.ow2.asm:asm) mvn(org.sonatype.oss:oss-parent:pom:)
+BuildRequires: mvn(org.apache.maven.plugins:maven-source-plugin)
+BuildRequires: mvn(org.junit.jupiter:junit-jupiter-api)
 BuildArch: noarch
 %description
 Json-smart is a performance focused, JSON processor lib.
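Review bot: Patch0001 (CVE-2023-1370.patch) is dropped from the spec while nothing in this hunk records that the 2.5.2 tarball already carries that fix; the deleted patch header names upstream commit 5b3205d051952d3100aa0db1535f6ba6226bd87a, so the unpacked source should be checked for the MAX_DEPTH guard in JSONParserBase.java and ERROR_UNEXPECTED_JSON_DEPTH in ParseException.java before the patch goes, otherwise the version bump silently regresses the 2.2-2 fix. The new Source1 fetches minidev-parent at 2.4.4 while Source0 is 2.5.2; whether that parent version is the one json-smart/pom.xml declares cannot be seen from here and is worth confirming in the build log. A comment next to Source1 such as `# parent POM is not in the GitHub tarball; copied over ./pom.xml in %prep` would save the next maintainer the question.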
@@ -19,25 +21,21 @@ This package contains javadoc for %{name}.
 %prep
 %autosetup -n %{name}-v2-%{version} -p1
-%pom_remove_dep :json-smart-mini parent
-%pom_remove_plugin :maven-javadoc-plugin parent
-%pom_remove_plugin :maven-source-plugin parent
-%pom_xpath_set "pom:dependency[pom:artifactId='accessors-smart']/pom:version" '${project.version}' parent
+cp %{SOURCE1} ./pom.xml
+%pom_remove_dep :json-smart-mini
+%pom_remove_plugin :maven-javadoc-plugin
+%pom_remove_plugin :maven-source-plugin
 %pom_xpath_set "pom:Bundle-Version" "1.1" accessors-smart
-%pom_xpath_remove "pom:Embed-Dependency" accessors-smart
-%pom_xpath_remove "pom:Embed-Dependency" %{name}
-%pom_xpath_inject "pom:dependency[pom:artifactId='accessors-smart']" "%{version}" %{name}
-%pom_xpath_remove "pom:project/pom:version" accessors-smart
-%pom_xpath_inject "pom:project" "%{version}" accessors-smart
 cp -p %{name}/*.txt .
 %mvn_file :%{name} %{name}
 %mvn_file :accessors-smart accessors-smart
 rm accessors-smart/src/test/java/net/minidev/asm/TestDateConvert.java
 %build
-%mvn_build -- -f parent/pom.xml
+%mvn_build -f
 %install
+
 %mvn_install
 %files -f .mfiles
@@ -48,6 +46,12 @@ rm accessors-smart/src/test/java/net/minidev/asm/TestDateConvert.java
 %license LICENSE.txt
 %changelog
+* Mon Feb 17 2025 yaoxin <1024769339@qq.com> - 2.5.2-1
+- Update to 2.5.2 for fix CVE-2024-57699
+
+* Sun Feb 04 2024 Ge Wang - 2.4.8-1
+- update to version 2.4.8
+
 * Tue Apr 04 2023 liyuxiang - 2.2-2
 - fix CVE-2023-1370
diff --git a/minidev-parent-2.4.4.pom b/minidev-parent-2.4.4.pom
new file mode 100644
index 0000000000000000000000000000000000000000..aa9c90b1a33e9495deed58e0ac480d1c2dc57fe8
--- /dev/null
+++ b/minidev-parent-2.4.4.pom
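Review bot: `%mvn_build -f` on the new %build line appears to turn on mvn_build's own `-f`/`--force` switch, which skips the test suite, whereas the removed `%mvn_build -- -f parent/pom.xml` passed `-f` through to Maven as the POM path and still ran tests; if that reading is right, the upstream regression tests for the nesting-depth issues this package tracks (CVE-2023-1370, CVE-2024-57699) no longer run at build time. If the intent was only to drop the `parent/pom.xml` argument, a bare `%mvn_build` does that; if some tests genuinely fail under the distro JUnit, a comment naming them above the line is preferable to a silent blanket skip. The retained `rm accessors-smart/src/test/java/net/minidev/asm/TestDateConvert.java` suggests the earlier approach was to remove individual failing tests rather than disable them all.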
@@ -0,0 +1,271 @@ + + 4.0.0 + net.minidev + minidev-parent + 2.4.4 + Minidev super pom + minidev common properties. + pom + https://urielch.github.io/ + + + Chemouni Uriel + https://urielch.github.io/ + + + + + uriel + Uriel Chemouni + uchemouni@gmail.com + GMT+3 + + + + + + + + The Apache Software License, Version 2.0 + http://www.apache.org/licenses/LICENSE-2.0.txt + repo + All files under Apache 2 + + + + + UTF-8 + 1.8 + 1.8 + + + + + + org.apache.maven.plugins + maven-source-plugin + 3.2.1 + + + bind-sources + + jar-no-fork + + + + + + + org.apache.maven.plugins + maven-compiler-plugin + 3.8.1 + + UTF-8 + ${maven.compiler.source} + ${maven.compiler.target} + + + + + org.apache.maven.plugins + maven-resources-plugin + 3.2.0 + + UTF-8 + + + + + org.apache.maven.plugins + maven-jar-plugin + 3.2.0 + + + + + + org.apache.maven.plugins + maven-javadoc-plugin + 3.2.0 + + + false + + + + + attach-javadocs + + jar + + + + + + + + + scm:git:https://github.com/netplex/json-smart-v2.git + scm:git:https://github.com/netplex/json-smart-v2.git + https://github.com/netplex/json-smart-v2 + + + + + + org.apache.maven.plugins + maven-checkstyle-plugin + 3.1.2 + + google_checks.xml + + + + + + + accessors-smart + + json-smart + + + + + ossrh + https://oss.sonatype.org/content/repositories/snapshots + + + ossrh + https://oss.sonatype.org/service/local/staging/deploy/maven2/ + + + + + + release-sign-artifacts + + + + performRelease + true + + + + + + + + 53BE126D + + + + + + + + org.apache.maven.plugins + maven-gpg-plugin + + 1.6 + + + sign-artifacts + verify + + sign + + + + + + + org.apache.maven.plugins + maven-javadoc-plugin + + + attach-javadocs + + jar + + + + + + + org.apache.maven.plugins + maven-release-plugin + 3.0.0-M1 + + forked-path + -Psonatype-oss-release + false + false + release + deploy + + + + + + + include-sources + + + + / + true + src/main/java + + **/*.java + + + + + + + + + + net.minidev + json-smart + ${project.version} + + + net.minidev + json-smart-action 
+ ${project.version} + + + net.minidev + json-smart-mini + ${project.version} + + + org.junit.jupiter + junit-jupiter-api + 5.7.1 + test + + + org.junit.jupiter + junit-jupiter-params + 5.7.1 + test + + + +