
02/02: gnu: jansson: Fix CVE-2016-4425.


From: Efraim Flashner
Subject: 02/02: gnu: jansson: Fix CVE-2016-4425.
Date: Mon, 30 May 2016 06:58:12 +0000 (UTC)

efraim pushed a commit to branch master
in repository guix.

commit 538884ccef762c3410bf2a75af236803eca6b024
Author: Efraim Flashner <address@hidden>
Date:   Mon May 30 09:56:39 2016 +0300

    gnu: jansson: Fix CVE-2016-4425.
    
    * gnu/packages/web.scm (jansson)[source]: Add patch.
    * gnu/packages/patches/jansson-CVE-2016-4425.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Add it.
---
 gnu/local.mk                                     |    1 +
 gnu/packages/patches/jansson-CVE-2016-4425.patch |  125 ++++++++++++++++++++++
 gnu/packages/web.scm                             |    3 +-
 3 files changed, 128 insertions(+), 1 deletion(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index 4dda1fa..63ac668 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -551,6 +551,7 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/ilmbase-fix-tests.patch                 \
   %D%/packages/patches/inkscape-drop-wait-for-targets.patch    \
   %D%/packages/patches/irrlicht-mesa-10.patch                  \
+  %D%/packages/patches/jansson-CVE-2016-4425.patch             \
   %D%/packages/patches/jasper-CVE-2007-2721.patch              \
   %D%/packages/patches/jasper-CVE-2008-3520.patch              \
   %D%/packages/patches/jasper-CVE-2008-3522.patch              \
diff --git a/gnu/packages/patches/jansson-CVE-2016-4425.patch 
b/gnu/packages/patches/jansson-CVE-2016-4425.patch
new file mode 100644
index 0000000..ebe9aa7
--- /dev/null
+++ b/gnu/packages/patches/jansson-CVE-2016-4425.patch
@@ -0,0 +1,125 @@
+From 64ce0ad3731ebd77e02897b07920eadd0e2cc318 Mon Sep 17 00:00:00 2001
+From: Dmitry Janushkevich <address@hidden>
+Date: Mon, 2 May 2016 13:59:26 +0200
+Subject: [PATCH] Fix for issue #282
+
+The fix limits recursion depths when parsing arrays and objects.
+The limit is configurable via the `JSON_PARSER_MAX_DEPTH` setting
+within `jansson_config.h` and is set by default to 2048.
+
+Update the RFC conformance document to note the limit; the RFC
+allows limits to be set by the implementation so nothing has
+actually changed w.r.t. conformance state.
+
+Reported by Gustavo Grieco.
+---
+ android/jansson_config.h                  |  4 ++++
+ cmake/jansson_config.h.cmake              |  4 ++++
+ doc/conformance.rst                       | 10 ++++++++++
+ src/jansson_config.h.in                   |  4 ++++
+ src/load.c                                | 10 ++++++++++
+ test/suites/invalid/recursion-depth/error |  2 ++
+ test/suites/invalid/recursion-depth/input |  1 +
+ 7 files changed, 35 insertions(+)
+ create mode 100644 test/suites/invalid/recursion-depth/error
+ create mode 100644 test/suites/invalid/recursion-depth/input
+
+--- a/android/jansson_config.h
++++ b/android/jansson_config.h
+@@ -36,4 +36,8 @@
+    otherwise to 0. */
+ #define JSON_HAVE_LOCALECONV 0
+ 
++/* Maximum recursion depth for parsing JSON input.
++   This limits the depth of e.g. array-within-array constructions. */
++#define JSON_PARSER_MAX_DEPTH 2048
++
+ #endif
+--- a/cmake/jansson_config.h.cmake
++++ b/cmake/jansson_config.h.cmake
+@@ -60,5 +60,9 @@
+ #define JSON_HAVE_LOCALECONV @JSON_HAVE_LOCALECONV@
+ 
+ 
++/* Maximum recursion depth for parsing JSON input.
++   This limits the depth of e.g. array-within-array constructions. */
++#define JSON_PARSER_MAX_DEPTH 2048
++
+ 
+ #endif
+--- a/doc/conformance.rst
++++ b/doc/conformance.rst
+@@ -108,3 +108,13 @@
+ are implicitly handled via the ordinary C type coercion rules (subject
+ to overflow semantics). Also, no support or hooks are provided for any
+ supplemental "bignum" type add-on packages.
++
++Depth of nested values
++----------------------
++
++To avoid stack exhaustion, Jansson currently limits the nesting depth
++for arrays and objects to a certain value (default: 2048), defined as
++a macro ``JSON_PARSER_MAX_DEPTH`` within ``jansson_config.h``.
++
++The limit is allowed to be set by the RFC; there is no recommended value
++or required minimum depth to be supported.
+--- a/src/jansson_config.h.in
++++ b/src/jansson_config.h.in
+@@ -36,4 +36,8 @@
+    otherwise to 0. */
+ #define JSON_HAVE_LOCALECONV @json_have_localeconv@
+ 
++/* Maximum recursion depth for parsing JSON input.
++   This limits the depth of e.g. array-within-array constructions. */
++#define JSON_PARSER_MAX_DEPTH 2048
++
+ #endif
+--- a/src/load.c
++++ b/src/load.c
+@@ -61,6 +61,7 @@
+ typedef struct {
+     stream_t stream;
+     strbuffer_t saved_text;
++    size_t depth;
+     int token;
+     union {
+         struct {
+@@ -800,6 +801,12 @@
+     json_t *json;
+     double value;
+ 
++    lex->depth++;
++    if(lex->depth > JSON_PARSER_MAX_DEPTH) {
++        error_set(error, lex, "maximum parsing depth reached");
++        return NULL;
++    }
++
+     switch(lex->token) {
+         case TOKEN_STRING: {
+             const char *value = lex->value.string.val;
+@@ -870,6 +877,7 @@
+     if(!json)
+         return NULL;
+ 
++    lex->depth--;
+     return json;
+ }
+ 
+@@ -877,6 +885,8 @@
+ {
+     json_t *result;
+ 
++    lex->depth = 0;
++
+     lex_scan(lex, error);
+     if(!(flags & JSON_DECODE_ANY)) {
+         if(lex->token != '[' && lex->token != '{') {
+--- /dev/null
++++ b/test/suites/invalid/recursion-depth/error
+@@ -0,0 +1,2 @@
++1 2049 2049
++maximum parsing depth reached near '['
+--- /dev/null
++++ b/test/suites/invalid/recursion-depth/input
+@@ -0,0 +1 @@
++[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[
 [...]
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 7cadf9b..9a7f9d2 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -232,7 +232,8 @@ and UNIX socket support.")
                              version ".tar.gz"))
              (sha256
               (base32
-               "1mvq9p85khsl818i4vbszyfab0fd45mdrwrxjkzw05mk1xcyc1br"))))
+               "1mvq9p85khsl818i4vbszyfab0fd45mdrwrxjkzw05mk1xcyc1br"))
+             (patches (search-patches "jansson-CVE-2016-4425.patch"))))
     (build-system gnu-build-system)
     (home-page "http://www.digip.org/jansson/";)
     (synopsis "JSON C library")


