02/02: gnu: jansson: Fix CVE-2016-4425.
From: |
Efraim Flashner |
Subject: |
02/02: gnu: jansson: Fix CVE-2016-4425. |
Date: |
Mon, 30 May 2016 06:58:12 +0000 (UTC) |
efraim pushed a commit to branch master
in repository guix.
commit 538884ccef762c3410bf2a75af236803eca6b024
Author: Efraim Flashner <address@hidden>
Date: Mon May 30 09:56:39 2016 +0300
gnu: jansson: Fix CVE-2016-4425.
* gnu/packages/web.scm (jansson)[source]: Add patch.
* gnu/packages/patches/jansson-CVE-2016-4425.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
gnu/local.mk | 1 +
gnu/packages/patches/jansson-CVE-2016-4425.patch | 125 ++++++++++++++++++++++
gnu/packages/web.scm | 3 +-
3 files changed, 128 insertions(+), 1 deletion(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index 4dda1fa..63ac668 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -551,6 +551,7 @@ dist_patch_DATA =
\
%D%/packages/patches/ilmbase-fix-tests.patch \
%D%/packages/patches/inkscape-drop-wait-for-targets.patch \
%D%/packages/patches/irrlicht-mesa-10.patch \
+ %D%/packages/patches/jansson-CVE-2016-4425.patch \
%D%/packages/patches/jasper-CVE-2007-2721.patch \
%D%/packages/patches/jasper-CVE-2008-3520.patch \
%D%/packages/patches/jasper-CVE-2008-3522.patch \
diff --git a/gnu/packages/patches/jansson-CVE-2016-4425.patch
b/gnu/packages/patches/jansson-CVE-2016-4425.patch
new file mode 100644
index 0000000..ebe9aa7
--- /dev/null
+++ b/gnu/packages/patches/jansson-CVE-2016-4425.patch
@@ -0,0 +1,125 @@
+From 64ce0ad3731ebd77e02897b07920eadd0e2cc318 Mon Sep 17 00:00:00 2001
+From: Dmitry Janushkevich <address@hidden>
+Date: Mon, 2 May 2016 13:59:26 +0200
+Subject: [PATCH] Fix for issue #282
+
+The fix limits recursion depths when parsing arrays and objects.
+The limit is configurable via the `JSON_PARSER_MAX_DEPTH` setting
+within `jansson_config.h` and is set by default to 2048.
+
+Update the RFC conformance document to note the limit; the RFC
+allows limits to be set by the implementation so nothing has
+actually changed w.r.t. conformance state.
+
+Reported by Gustavo Grieco.
+---
+ android/jansson_config.h | 4 ++++
+ cmake/jansson_config.h.cmake | 4 ++++
+ doc/conformance.rst | 10 ++++++++++
+ src/jansson_config.h.in | 4 ++++
+ src/load.c | 10 ++++++++++
+ test/suites/invalid/recursion-depth/error | 2 ++
+ test/suites/invalid/recursion-depth/input | 1 +
+ 7 files changed, 35 insertions(+)
+ create mode 100644 test/suites/invalid/recursion-depth/error
+ create mode 100644 test/suites/invalid/recursion-depth/input
+
+--- a/android/jansson_config.h
++++ b/android/jansson_config.h
+@@ -36,4 +36,8 @@
+ otherwise to 0. */
+ #define JSON_HAVE_LOCALECONV 0
+
++/* Maximum recursion depth for parsing JSON input.
++ This limits the depth of e.g. array-within-array constructions. */
++#define JSON_PARSER_MAX_DEPTH 2048
++
+ #endif
+--- a/cmake/jansson_config.h.cmake
++++ b/cmake/jansson_config.h.cmake
+@@ -60,5 +60,9 @@
+ #define JSON_HAVE_LOCALECONV @JSON_HAVE_LOCALECONV@
+
+
++/* Maximum recursion depth for parsing JSON input.
++ This limits the depth of e.g. array-within-array constructions. */
++#define JSON_PARSER_MAX_DEPTH 2048
++
+
+ #endif
+--- a/doc/conformance.rst
++++ b/doc/conformance.rst
+@@ -108,3 +108,13 @@
+ are implicitly handled via the ordinary C type coercion rules (subject
+ to overflow semantics). Also, no support or hooks are provided for any
+ supplemental "bignum" type add-on packages.
++
++Depth of nested values
++----------------------
++
++To avoid stack exhaustion, Jansson currently limits the nesting depth
++for arrays and objects to a certain value (default: 2048), defined as
++a macro ``JSON_PARSER_MAX_DEPTH`` within ``jansson_config.h``.
++
++The limit is allowed to be set by the RFC; there is no recommended value
++or required minimum depth to be supported.
+--- a/src/jansson_config.h.in
++++ b/src/jansson_config.h.in
+@@ -36,4 +36,8 @@
+ otherwise to 0. */
+ #define JSON_HAVE_LOCALECONV @json_have_localeconv@
+
++/* Maximum recursion depth for parsing JSON input.
++ This limits the depth of e.g. array-within-array constructions. */
++#define JSON_PARSER_MAX_DEPTH 2048
++
+ #endif
+--- a/src/load.c
++++ b/src/load.c
+@@ -61,6 +61,7 @@
+ typedef struct {
+ stream_t stream;
+ strbuffer_t saved_text;
++ size_t depth;
+ int token;
+ union {
+ struct {
+@@ -800,6 +801,12 @@
+ json_t *json;
+ double value;
+
++ lex->depth++;
++ if(lex->depth > JSON_PARSER_MAX_DEPTH) {
++ error_set(error, lex, "maximum parsing depth reached");
++ return NULL;
++ }
++
+ switch(lex->token) {
+ case TOKEN_STRING: {
+ const char *value = lex->value.string.val;
+@@ -870,6 +877,7 @@
+ if(!json)
+ return NULL;
+
++ lex->depth--;
+ return json;
+ }
+
+@@ -877,6 +885,8 @@
+ {
+ json_t *result;
+
++ lex->depth = 0;
++
+ lex_scan(lex, error);
+ if(!(flags & JSON_DECODE_ANY)) {
+ if(lex->token != '[' && lex->token != '{') {
+--- /dev/null
++++ b/test/suites/invalid/recursion-depth/error
+@@ -0,0 +1,2 @@
++1 2049 2049
++maximum parsing depth reached near '['
+--- /dev/null
++++ b/test/suites/invalid/recursion-depth/input
+@@ -0,0 +1 @@
++[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[
[...]
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 7cadf9b..9a7f9d2 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -232,7 +232,8 @@ and UNIX socket support.")
version ".tar.gz"))
(sha256
(base32
- "1mvq9p85khsl818i4vbszyfab0fd45mdrwrxjkzw05mk1xcyc1br"))))
+ "1mvq9p85khsl818i4vbszyfab0fd45mdrwrxjkzw05mk1xcyc1br"))
+ (patches (search-patches "jansson-CVE-2016-4425.patch"))))
(build-system gnu-build-system)
(home-page "http://www.digip.org/jansson/")
(synopsis "JSON C library")