diff -Nru json-c4-0.13.1+dfsg/debian/changelog json-c4-0.13.1+dfsg/debian/changelog --- json-c4-0.13.1+dfsg/debian/changelog 2020-05-18 00:58:26.000000000 +0000 +++ json-c4-0.13.1+dfsg/debian/changelog 2020-05-30 02:23:39.000000000 +0000 @@ -1,11 +1,23 @@ -json-c4 (0.13.1+dfsg-7ubuntu0.2~16.04.sav0) xenial; urgency=medium +json-c4 (0.13.1+dfsg-7ubuntu0.3~16.04.sav0) xenial; urgency=medium - * Backport to Xenial + * Backport to Bionic * Change source package name to json-c4 to allow PPA co-existence with json-c backport (and libjson-c3 package) from Bionic + + Add Conflicts/Replaces libjson-c3-{dev,doc} to respective packages * debian/control: Set debhelper-compat (= 10) BD (LP highest for Xenial) - -- Rob Savoury Sun, 17 May 2020 17:58:26 -0700 + -- Rob Savoury Fri, 29 May 2020 19:23:39 -0700 + +json-c (0.13.1+dfsg-7ubuntu0.3) focal-security; urgency=medium + + * SECURITY UPDATE: Integer overflows + - debian/patches/CVE-2020-12762-*.patch: fix a series of + integer overflows adding checks in linkhash.c, printbuf.c, test4.c + test4.expected, also adds the fix for the INT_MAX regression caused in update + 0.11-4ubuntu2.1. + - CVE-2020-12762 + + -- Leonidas S. Barbosa Mon, 25 May 2020 14:59:26 -0300 json-c (0.13.1+dfsg-7ubuntu0.2) focal-security; urgency=medium diff -Nru json-c4-0.13.1+dfsg/debian/control json-c4-0.13.1+dfsg/debian/control --- json-c4-0.13.1+dfsg/debian/control 2020-05-18 00:58:26.000000000 +0000 +++ json-c4-0.13.1+dfsg/debian/control 2020-05-30 02:21:50.000000000 +0000 @@ -1,6 +1,7 @@ Source: json-c4 Priority: optional -Maintainer: Debian QA Group +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian QA Group Build-Depends: debhelper-compat (= 10), doxygen, dh-exec @@ -27,6 +28,8 @@ Multi-Arch: same Depends: libjson-c4 (= ${binary:Version}), ${misc:Depends} +Conflicts: libjson-c3-dev +Replaces: libjson-c3-dev Description: JSON manipulation library - development files This library allows you to easily construct JSON objects in C, output them as JSON formatted strings and parse JSON formatted @@ -41,6 +44,8 @@ Multi-Arch: foreign Depends: libjs-jquery, ${misc:Depends} +Conflicts: libjson-c3-doc +Replaces: libjson-c3-doc Description: JSON manipulation library - documentation files This library allows you to easily construct JSON objects in C, output them as JSON formatted strings and parse JSON formatted diff -Nru json-c4-0.13.1+dfsg/debian/patches/CVE-2020-12762-1.patch json-c4-0.13.1+dfsg/debian/patches/CVE-2020-12762-1.patch --- json-c4-0.13.1+dfsg/debian/patches/CVE-2020-12762-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ json-c4-0.13.1+dfsg/debian/patches/CVE-2020-12762-1.patch 2020-05-25 17:59:10.000000000 +0000 @@ -0,0 +1,29 @@ +From 099016b7e8d70a6d5dd814e788bba08d33d48426 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Mon, 4 May 2020 19:41:16 +0200 +Subject: [PATCH] Protect array_list_del_idx against size_t overflow. + +If the assignment of stop overflows due to idx and count being +larger than SIZE_T_MAX in sum, out of boundary access could happen. + +It takes invalid usage of this function for this to happen, but +I decided to add this check so array_list_del_idx is as safe against +bad usage as the other arraylist functions. +--- + arraylist.c | 3 +++ + 1 file changed, 3 insertions(+) + +Index: json-c-0.13.1+dfsg/arraylist.c +=================================================================== +--- json-c-0.13.1+dfsg.orig/arraylist.c ++++ json-c-0.13.1+dfsg/arraylist.c +@@ -135,6 +135,9 @@ array_list_del_idx( struct array_list *a + { + size_t i, stop; + ++ /* Avoid overflow in calculation with large indices. */ ++ if (idx > SIZE_T_MAX - count) ++ return -1; + stop = idx + count; + if ( idx >= arr->length || stop > arr->length ) return -1; + for ( i = idx; i < stop; ++i ) { diff -Nru json-c4-0.13.1+dfsg/debian/patches/CVE-2020-12762-2.patch json-c4-0.13.1+dfsg/debian/patches/CVE-2020-12762-2.patch --- json-c4-0.13.1+dfsg/debian/patches/CVE-2020-12762-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ json-c4-0.13.1+dfsg/debian/patches/CVE-2020-12762-2.patch 2020-05-25 17:59:14.000000000 +0000 @@ -0,0 +1,32 @@ +Backported of: + +From 77d935b7ae7871a1940cd827e850e6063044ec45 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Mon, 4 May 2020 19:46:45 +0200 +Subject: [PATCH] Prevent division by zero in linkhash. + +If a linkhash with a size of zero is created, then modulo operations +are prone to division by zero operations. + +Purely protective measure against bad usage. +diff --git a/linkhash.c b/linkhash.c +index 5497061..c48c8d6 100644 +--- a/linkhash.c ++++ b/linkhash.c +@@ -12,6 +12,7 @@ + + #include "config.h" + ++#include + #include + #include + #include +@@ -498,6 +499,8 @@ struct lh_table* lh_table_new(int size, + int i; + struct lh_table *t; + ++ /* Allocate space for elements to avoid divisions by zero. */ ++ assert(size > 0); + t = (struct lh_table*)calloc(1, sizeof(struct lh_table)); + if (!t) + return NULL; diff -Nru json-c4-0.13.1+dfsg/debian/patches/CVE-2020-12762-3.patch json-c4-0.13.1+dfsg/debian/patches/CVE-2020-12762-3.patch --- json-c4-0.13.1+dfsg/debian/patches/CVE-2020-12762-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ json-c4-0.13.1+dfsg/debian/patches/CVE-2020-12762-3.patch 2020-05-25 17:59:19.000000000 +0000 @@ -0,0 +1,155 @@ +Combined patches: + +CAUSED REGRESSION +From d07b91014986900a3a75f306d302e13e005e9d67 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Mon, 4 May 2020 19:47:25 +0200 +Subject: [PATCH] Fix integer overflows. + +The data structures linkhash and printbuf are limited to 2 GB in size +due to a signed integer being used to track their current size. + +If too much data is added, then size variable can overflow, which is +an undefined behaviour in C programming language. + +Assuming that a signed int overflow just leads to a negative value, +like it happens on many sytems (Linux i686/amd64 with gcc), then +printbuf is vulnerable to an out of boundary write on 64 bit systems. + +FIX REGRESSION +From 7a4807fe0cdb1d9e20273c79762cbf54833aaae4 Mon Sep 17 00:00:00 2001 +From: Eric Haszlakiewicz +Date: Sun, 10 May 2020 03:32:19 +0000 +Subject: [PATCH] Issue #599: Fix the backwards check in + lh_table_insert_w_hash() that was preventing adding more than 11 objects. Add + a test to check for this too. +diff --git a/linkhash.c b/linkhash.c +index c48c8d6..233b628 100644 +--- a/linkhash.c ++++ b/linkhash.c +@@ -579,9 +579,12 @@ int lh_table_insert_w_hash(struct lh_table *t, const void *k, const void *v, con + { + unsigned long n; + +- if (t->count >= t->size * LH_LOAD_FACTOR) +- if (lh_table_resize(t, t->size * 2) != 0) ++ if (t->count >= t->size * LH_LOAD_FACTOR) { ++ /* Avoid signed integer overflow with large tables. */ ++ int new_size = (t->size > INT_MAX / 2) ? INT_MAX : (t->size * 2); ++ if (t->size == INT_MAX || lh_table_resize(t, new_size) != 0) + return -1; ++ } + + n = h % t->size; + +diff --git a/printbuf.c b/printbuf.c +index 6c77b5d..a8bb42e 100644 +--- a/printbuf.c ++++ b/printbuf.c +@@ -15,6 +15,7 @@ + + #include "config.h" + ++#include + #include + #include + #include +@@ -65,9 +66,16 @@ static int printbuf_extend(struct printbuf *p, int min_size) + if (p->size >= min_size) + return 0; + +- new_size = p->size * 2; +- if (new_size < min_size + 8) ++ /* Prevent signed integer overflows with large buffers. */ ++ if (min_size > INT_MAX - 8) ++ return -1; ++ if (p->size > INT_MAX / 2) + new_size = min_size + 8; ++ else { ++ new_size = p->size * 2; ++ if (new_size < min_size + 8) ++ new_size = min_size + 8; ++ } + #ifdef PRINTBUF_DEBUG + MC_DEBUG("printbuf_memappend: realloc " + "bpos=%d min_size=%d old_size=%d new_size=%d\n", +@@ -82,6 +90,9 @@ static int printbuf_extend(struct printbuf *p, int min_size) + + int printbuf_memappend(struct printbuf *p, const char *buf, int size) + { ++ /* Prevent signed integer overflows with large buffers. */ ++ if (size > INT_MAX - p->bpos - 1) ++ return -1; + if (p->size <= p->bpos + size + 1) { + if (printbuf_extend(p, p->bpos + size + 1) < 0) + return -1; +@@ -98,6 +109,9 @@ int printbuf_memset(struct printbuf *pb, int offset, int charvalue, int len) + + if (offset == -1) + offset = pb->bpos; ++ /* Prevent signed integer overflows with large buffers. */ ++ if (len > INT_MAX - offset) ++ return -1; + size_needed = offset + len; + if (pb->size < size_needed) + { +diff --git a/tests/test4.c b/tests/test4.c +index fc8b79d..01af1cd 100644 +--- a/tests/test4.c ++++ b/tests/test4.c +@@ -4,6 +4,8 @@ + + #include + #include ++#include ++#include + #include "config.h" + + #include "json_inttypes.h" +@@ -24,6 +26,30 @@ void print_hex(const char* s) + putchar('\n'); + } + ++static void test_lot_of_adds(void); ++static void test_lot_of_adds() ++{ ++ int ii; ++ char key[50]; ++ json_object *jobj = json_object_new_object(); ++ assert(jobj != NULL); ++ for (ii = 0; ii < 500; ii++) ++ { ++ snprintf(key, sizeof(key), "k%d", ii); ++ json_object *iobj = json_object_new_int(ii); ++ assert(iobj != NULL); ++ if (json_object_object_add(jobj, key, iobj)) ++ { ++ fprintf(stderr, "FAILED to add object #%d\n", ii); ++ abort(); ++ } ++ } ++ printf("%s\n", json_object_to_json_string(jobj)); ++ assert(json_object_object_length(jobj) == 500); ++ json_object_put(jobj); ++} ++ ++ + int main(void) + { + const char *input = "\"\\ud840\\udd26,\\ud840\\udd27,\\ud800\\udd26,\\ud800\\udd27\""; +@@ -49,5 +75,6 @@ int main(void) + retval = 1; + } + json_object_put(parse_result); ++ test_lot_of_adds(); + return retval; + } +diff --git a/tests/test4.expected b/tests/test4.expected +index 68d4336..cb27440 100644 +--- a/tests/test4.expected ++++ b/tests/test4.expected +@@ -1,3 +1,4 @@ + input: "\ud840\udd26,\ud840\udd27,\ud800\udd26,\ud800\udd27" + JSON parse result is correct: 𠄦,𠄧,𐄦,𐄧 + PASS ++{ "k0": 0, "k1": 1, "k2": 2, "k3": 3, "k4": 4, "k5": 5, "k6": 6, "k7": 7, "k8": 8, "k9": 9, "k10": 10, "k11": 11, "k12": 12, "k13": 13, "k14": 14, "k15": 15, "k16": 16, "k17": 17, "k18": 18, "k19": 19, "k20": 20, "k21": 21, "k22": 22, "k23": 23, "k24": 24, "k25": 25, "k26": 26, "k27": 27, "k28": 28, "k29": 29, "k30": 30, "k31": 31, "k32": 32, "k33": 33, "k34": 34, "k35": 35, "k36": 36, "k37": 37, "k38": 38, "k39": 39, "k40": 40, "k41": 41, "k42": 42, "k43": 43, "k44": 44, "k45": 45, "k46": 46, "k47": 47, "k48": 48, "k49": 49, "k50": 50, "k51": 51, "k52": 52, "k53": 53, "k54": 54, "k55": 55, "k56": 56, "k57": 57, "k58": 58, "k59": 59, "k60": 60, "k61": 61, "k62": 62, "k63": 63, "k64": 64, "k65": 65, "k66": 66, "k67": 67, "k68": 68, "k69": 69, "k70": 70, "k71": 71, "k72": 72, "k73": 73, "k74": 74, "k75": 75, "k76": 76, "k77": 77, "k78": 78, "k79": 79, "k80": 80, "k81": 81, "k82": 82, "k83": 83, "k84": 84, "k85": 85, "k86": 86, "k87": 87, "k88": 88, "k89": 89, "k90": 90, "k91": 91, "k92": 92, "k93": 93, "k94": 94, "k95": 95, "k96": 96, "k97": 97, "k98": 98, "k99": 99, "k100": 100, "k101": 101, "k102": 102, "k103": 103, "k104": 104, "k105": 105, "k106": 106, "k107": 107, "k108": 108, "k109": 109, "k110": 110, "k111": 111, "k112": 112, "k113": 113, "k114": 114, "k115": 115, "k116": 116, "k117": 117, "k118": 118, "k119": 119, "k120": 120, "k121": 121, "k122": 122, "k123": 123, "k124": 124, "k125": 125, "k126": 126, "k127": 127, "k128": 128, "k129": 129, "k130": 130, "k131": 131, "k132": 132, "k133": 133, "k134": 134, "k135": 135, "k136": 136, "k137": 137, "k138": 138, "k139": 139, "k140": 140, "k141": 141, "k142": 142, "k143": 143, "k144": 144, "k145": 145, "k146": 146, "k147": 147, "k148": 148, "k149": 149, "k150": 150, "k151": 151, "k152": 152, "k153": 153, "k154": 154, "k155": 155, "k156": 156, "k157": 157, "k158": 158, "k159": 159, "k160": 160, "k161": 161, "k162": 162, "k163": 163, "k164": 164, "k165": 165, "k166": 166, "k167": 167, "k168": 168, "k169": 169, "k170": 170, "k171": 171, "k172": 172, "k173": 173, "k174": 174, "k175": 175, "k176": 176, "k177": 177, "k178": 178, "k179": 179, "k180": 180, "k181": 181, "k182": 182, "k183": 183, "k184": 184, "k185": 185, "k186": 186, "k187": 187, "k188": 188, "k189": 189, "k190": 190, "k191": 191, "k192": 192, "k193": 193, "k194": 194, "k195": 195, "k196": 196, "k197": 197, "k198": 198, "k199": 199, "k200": 200, "k201": 201, "k202": 202, "k203": 203, "k204": 204, "k205": 205, "k206": 206, "k207": 207, "k208": 208, "k209": 209, "k210": 210, "k211": 211, "k212": 212, "k213": 213, "k214": 214, "k215": 215, "k216": 216, "k217": 217, "k218": 218, "k219": 219, "k220": 220, "k221": 221, "k222": 222, "k223": 223, "k224": 224, "k225": 225, "k226": 226, "k227": 227, "k228": 228, "k229": 229, "k230": 230, "k231": 231, "k232": 232, "k233": 233, "k234": 234, "k235": 235, "k236": 236, "k237": 237, "k238": 238, "k239": 239, "k240": 240, "k241": 241, "k242": 242, "k243": 243, "k244": 244, "k245": 245, "k246": 246, "k247": 247, "k248": 248, "k249": 249, "k250": 250, "k251": 251, "k252": 252, "k253": 253, "k254": 254, "k255": 255, "k256": 256, "k257": 257, "k258": 258, "k259": 259, "k260": 260, "k261": 261, "k262": 262, "k263": 263, "k264": 264, "k265": 265, "k266": 266, "k267": 267, "k268": 268, "k269": 269, "k270": 270, "k271": 271, "k272": 272, "k273": 273, "k274": 274, "k275": 275, "k276": 276, "k277": 277, "k278": 278, "k279": 279, "k280": 280, "k281": 281, "k282": 282, "k283": 283, "k284": 284, "k285": 285, "k286": 286, "k287": 287, "k288": 288, "k289": 289, "k290": 290, "k291": 291, "k292": 292, "k293": 293, "k294": 294, "k295": 295, "k296": 296, "k297": 297, "k298": 298, "k299": 299, "k300": 300, "k301": 301, "k302": 302, "k303": 303, "k304": 304, "k305": 305, "k306": 306, "k307": 307, "k308": 308, "k309": 309, "k310": 310, "k311": 311, "k312": 312, "k313": 313, "k314": 314, "k315": 315, "k316": 316, "k317": 317, "k318": 318, "k319": 319, "k320": 320, "k321": 321, "k322": 322, "k323": 323, "k324": 324, "k325": 325, "k326": 326, "k327": 327, "k328": 328, "k329": 329, "k330": 330, "k331": 331, "k332": 332, "k333": 333, "k334": 334, "k335": 335, "k336": 336, "k337": 337, "k338": 338, "k339": 339, "k340": 340, "k341": 341, "k342": 342, "k343": 343, "k344": 344, "k345": 345, "k346": 346, "k347": 347, "k348": 348, "k349": 349, "k350": 350, "k351": 351, "k352": 352, "k353": 353, "k354": 354, "k355": 355, "k356": 356, "k357": 357, "k358": 358, "k359": 359, "k360": 360, "k361": 361, "k362": 362, "k363": 363, "k364": 364, "k365": 365, "k366": 366, "k367": 367, "k368": 368, "k369": 369, "k370": 370, "k371": 371, "k372": 372, "k373": 373, "k374": 374, "k375": 375, "k376": 376, "k377": 377, "k378": 378, "k379": 379, "k380": 380, "k381": 381, "k382": 382, "k383": 383, "k384": 384, "k385": 385, "k386": 386, "k387": 387, "k388": 388, "k389": 389, "k390": 390, "k391": 391, "k392": 392, "k393": 393, "k394": 394, "k395": 395, "k396": 396, "k397": 397, "k398": 398, "k399": 399, "k400": 400, "k401": 401, "k402": 402, "k403": 403, "k404": 404, "k405": 405, "k406": 406, "k407": 407, "k408": 408, "k409": 409, "k410": 410, "k411": 411, "k412": 412, "k413": 413, "k414": 414, "k415": 415, "k416": 416, "k417": 417, "k418": 418, "k419": 419, "k420": 420, "k421": 421, "k422": 422, "k423": 423, "k424": 424, "k425": 425, "k426": 426, "k427": 427, "k428": 428, "k429": 429, "k430": 430, "k431": 431, "k432": 432, "k433": 433, "k434": 434, "k435": 435, "k436": 436, "k437": 437, "k438": 438, "k439": 439, "k440": 440, "k441": 441, "k442": 442, "k443": 443, "k444": 444, "k445": 445, "k446": 446, "k447": 447, "k448": 448, "k449": 449, "k450": 450, "k451": 451, "k452": 452, "k453": 453, "k454": 454, "k455": 455, "k456": 456, "k457": 457, "k458": 458, "k459": 459, "k460": 460, "k461": 461, "k462": 462, "k463": 463, "k464": 464, "k465": 465, "k466": 466, "k467": 467, "k468": 468, "k469": 469, "k470": 470, "k471": 471, "k472": 472, "k473": 473, "k474": 474, "k475": 475, "k476": 476, "k477": 477, "k478": 478, "k479": 479, "k480": 480, "k481": 481, "k482": 482, "k483": 483, "k484": 484, "k485": 485, "k486": 486, "k487": 487, "k488": 488, "k489": 489, "k490": 490, "k491": 491, "k492": 492, "k493": 493, "k494": 494, "k495": 495, "k496": 496, "k497": 497, "k498": 498, "k499": 499 } diff -Nru json-c4-0.13.1+dfsg/debian/patches/series json-c4-0.13.1+dfsg/debian/patches/series --- json-c4-0.13.1+dfsg/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ json-c4-0.13.1+dfsg/debian/patches/series 2020-05-25 17:59:19.000000000 +0000 @@ -0,0 +1,3 @@ +CVE-2020-12762-1.patch +CVE-2020-12762-2.patch +CVE-2020-12762-3.patch