
[kirkstone,v2] json-c: fix CVE-2021-32292

Message ID 20230829170046.231673-1-adrian.freihofer@siemens.com
State New, archived

Commit Message

Adrian Freihofer Aug. 29, 2023, 5 p.m. UTC
This is a read past end of buffer issue in the json_parse test app,
which can happen with malformed json data. It's not an issue with the
library itself. For whatever reason this CVE has a base score of 9.8.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2021-32292

Upstream issue:
https://github.com/json-c/json-c/issues/654

The CVE is fixed with version 0.16 (which is already in all active
branches of poky).

Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
---
 .../json-c/json-c/CVE-2021-32292.patch        | 30 +++++++++++++++++++
 meta/recipes-devtools/json-c/json-c_0.15.bb   |  1 +
 2 files changed, 31 insertions(+)
 create mode 100644 meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch

Comments

Steve Sakoman Aug. 30, 2023, 4:25 p.m. UTC | #1
On Tue, Aug 29, 2023 at 7:01 AM Adrian Freihofer
<adrian.freihofer@gmail.com> wrote:
>
> This is a read past end of buffer issue in the json_parse test app,
> which can happen with malformed json data. It's not an issue with the
> library itself. For whatever reason this CVE has a base score of 9.8.
>
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2021-32292
>
> Upstream issue:
> https://github.com/json-c/json-c/issues/654
>
> The CVE is fixed with version 0.16 (which is already in all active
> branches of poky).
>
> Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
> ---
>  .../json-c/json-c/CVE-2021-32292.patch        | 30 +++++++++++++++++++
>  meta/recipes-devtools/json-c/json-c_0.15.bb   |  1 +
>  2 files changed, 31 insertions(+)
>  create mode 100644 meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch
>
> diff --git a/meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch b/meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch
> new file mode 100644
> index 0000000000..7ac08c4cb0
> --- /dev/null
> +++ b/meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch
> @@ -0,0 +1,30 @@
> +From da22ae6541584068f8169315274016920da11d8b Mon Sep 17 00:00:00 2001
> +From: Marc <34656315+MarcT512@users.noreply.github.com>
> +Date: Fri, 7 Aug 2020 10:49:45 +0100
> +Subject: [PATCH] Fix read past end of buffer
> +
> +Fixes: CVE-2021-32292
> +Issue: https://github.com/json-c/json-c/issues/654
> +
> +Upstream Status: Backport [4e9e44e5258dee7654f74948b0dd5da39c28beec]

Should be Upstream-Status (you missed the dash).  I've fixed it, but
something to keep in mind next time, otherwise an error at build time:

ERROR: json-c-0.15-r0 do_patch: Malformed Upstream-Status in patch
/home/steve/builds/poky-contrib-kirkstone/meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch
Please correct according to
https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines#Patch_Header_Recommendations:_Upstream-Status
:
Upstream Status: Backport [4e9e44e5258dee7654f74948b0dd5da39c28beec]

Steve

> +CVE: CVE-2021-32292
> +
> +Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
> +---
> + apps/json_parse.c | 3 ++-
> + 1 file changed, 2 insertions(+), 1 deletion(-)
> +
> +diff --git a/apps/json_parse.c b/apps/json_parse.c
> +index bba4622..72b31a8 100644
> +--- a/apps/json_parse.c
> ++++ b/apps/json_parse.c
> +@@ -82,7 +82,8 @@ static int parseit(int fd, int (*callback)(struct json_object *))
> +                       int parse_end = json_tokener_get_parse_end(tok);
> +                       if (obj == NULL && jerr != json_tokener_continue)
> +                       {
> +-                              char *aterr = &buf[start_pos + parse_end];
> ++                              char *aterr = (start_pos + parse_end < sizeof(buf)) ?
> ++                                      &buf[start_pos + parse_end] : "";
> +                               fflush(stdout);
> +                               int fail_offset = total_read - ret + start_pos + parse_end;
> +                               fprintf(stderr, "Failed at offset %d: %s %c\n", fail_offset,
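Review bot: `aterr` is still declared `char *` in the added lines of `parseit`, but it can now point at the string literal `""`; declaring it `const char *aterr` would make any later write through it a compile error. In the fallback case the `%s` in the `fprintf` that follows prints nothing, so `fail_offset` becomes the only locator in the error message, which is worth stating in the patch description.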
> diff --git a/meta/recipes-devtools/json-c/json-c_0.15.bb b/meta/recipes-devtools/json-c/json-c_0.15.bb
> index 7cbed55b3b..4da30bc50c 100644
> --- a/meta/recipes-devtools/json-c/json-c_0.15.bb
> +++ b/meta/recipes-devtools/json-c/json-c_0.15.bb
> @@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=de54b60fbbc35123ba193fea8ee216f2"
>  SRC_URI = " \
>      https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz \
>      file://run-ptest \
> +    file://CVE-2021-32292.patch \
>  "
>
>  SRC_URI[sha256sum] = "b8d80a1ddb718b3ba7492916237bbf86609e9709fb007e7f7d4322f02341a4c6"
> --
> 2.41.0
>
>

Patch

diff --git a/meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch b/meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch
new file mode 100644
index 0000000000..7ac08c4cb0
--- /dev/null
+++ b/meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch
@@ -0,0 +1,30 @@ 
+From da22ae6541584068f8169315274016920da11d8b Mon Sep 17 00:00:00 2001
+From: Marc <34656315+MarcT512@users.noreply.github.com>
+Date: Fri, 7 Aug 2020 10:49:45 +0100
+Subject: [PATCH] Fix read past end of buffer
+
+Fixes: CVE-2021-32292
+Issue: https://github.com/json-c/json-c/issues/654
+
+Upstream Status: Backport [4e9e44e5258dee7654f74948b0dd5da39c28beec]
+CVE: CVE-2021-32292
+
+Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
+---
+ apps/json_parse.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/apps/json_parse.c b/apps/json_parse.c
+index bba4622..72b31a8 100644
+--- a/apps/json_parse.c
++++ b/apps/json_parse.c
+@@ -82,7 +82,8 @@ static int parseit(int fd, int (*callback)(struct json_object *))
+ 			int parse_end = json_tokener_get_parse_end(tok);
+ 			if (obj == NULL && jerr != json_tokener_continue)
+ 			{
+-				char *aterr = &buf[start_pos + parse_end];
++				char *aterr = (start_pos + parse_end < sizeof(buf)) ?
++					&buf[start_pos + parse_end] : "";
+ 				fflush(stdout);
+ 				int fail_offset = total_read - ret + start_pos + parse_end;
+ 				fprintf(stderr, "Failed at offset %d: %s %c\n", fail_offset,
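Review bot: The new guard in `parseit` compares `start_pos + parse_end` against `sizeof(buf)`, the capacity of the buffer, not against the number of bytes actually read (`ret` in the `fail_offset` line), so an index that is inside `buf` but past the data read still passes. The hunk does not show whether `buf` is NUL-terminated after the read, so it is worth confirming that `%s` on `aterr` cannot run past the valid data. `parse_end` is an `int` and `sizeof` yields `size_t`, so the comparison is mixed-sign; if `start_pos` is also signed, a negative sum converts to a large unsigned value and takes the `""` branch, which is safe but may trip `-Wsign-compare`. Separately, the embedded header reads `Upstream Status:` without the dash, which the thread reports as failing `do_patch` with "Malformed Upstream-Status".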
diff --git a/meta/recipes-devtools/json-c/json-c_0.15.bb b/meta/recipes-devtools/json-c/json-c_0.15.bb
index 7cbed55b3b..4da30bc50c 100644
--- a/meta/recipes-devtools/json-c/json-c_0.15.bb
+++ b/meta/recipes-devtools/json-c/json-c_0.15.bb
@@ -7,6 +7,7 @@  LIC_FILES_CHKSUM = "file://COPYING;md5=de54b60fbbc35123ba193fea8ee216f2"
 SRC_URI = " \
     https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz \
     file://run-ptest \
+    file://CVE-2021-32292.patch \
 "
 
 SRC_URI[sha256sum] = "b8d80a1ddb718b3ba7492916237bbf86609e9709fb007e7f7d4322f02341a4c6"