01/01: gnu: jansson: Update to 2.9.
From: |
Leo Famulari |
Subject: |
01/01: gnu: jansson: Update to 2.9. |
Date: |
Mon, 7 Nov 2016 00:50:40 +0000 (UTC) |
lfam pushed a commit to branch master
in repository guix.
commit 14ac8e4865206f5cd1278cd962d01ce27890d51f
Author: Leo Famulari <address@hidden>
Date: Sun Nov 6 19:49:03 2016 -0500
gnu: jansson: Update to 2.9.
* gnu/packages/web.scm (jansson): Update to 2.9.
[source]: Remove 'jansson-CVE-2016-4425.patch'.
* gnu/packages/patches/jansson-CVE-2016-4425.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
---
gnu/local.mk | 1 -
gnu/packages/patches/jansson-CVE-2016-4425.patch | 125 ----------------------
gnu/packages/web.scm | 5 +-
3 files changed, 2 insertions(+), 129 deletions(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index 531e29b..aaa9f5c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -613,7 +613,6 @@ dist_patch_DATA =
\
%D%/packages/patches/id3lib-CVE-2007-4460.patch \
%D%/packages/patches/ilmbase-fix-tests.patch \
%D%/packages/patches/inkscape-drop-wait-for-targets.patch \
- %D%/packages/patches/jansson-CVE-2016-4425.patch \
%D%/packages/patches/jbig2dec-ignore-testtest.patch \
%D%/packages/patches/jq-CVE-2015-8863.patch \
%D%/packages/patches/khmer-use-libraries.patch \
diff --git a/gnu/packages/patches/jansson-CVE-2016-4425.patch
b/gnu/packages/patches/jansson-CVE-2016-4425.patch
deleted file mode 100644
index ebe9aa7..0000000
--- a/gnu/packages/patches/jansson-CVE-2016-4425.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-From 64ce0ad3731ebd77e02897b07920eadd0e2cc318 Mon Sep 17 00:00:00 2001
-From: Dmitry Janushkevich <address@hidden>
-Date: Mon, 2 May 2016 13:59:26 +0200
-Subject: [PATCH] Fix for issue #282
-
-The fix limits recursion depths when parsing arrays and objects.
-The limit is configurable via the `JSON_PARSER_MAX_DEPTH` setting
-within `jansson_config.h` and is set by default to 2048.
-
-Update the RFC conformance document to note the limit; the RFC
-allows limits to be set by the implementation so nothing has
-actually changed w.r.t. conformance state.
-
-Reported by Gustavo Grieco.
----
- android/jansson_config.h | 4 ++++
- cmake/jansson_config.h.cmake | 4 ++++
- doc/conformance.rst | 10 ++++++++++
- src/jansson_config.h.in | 4 ++++
- src/load.c | 10 ++++++++++
- test/suites/invalid/recursion-depth/error | 2 ++
- test/suites/invalid/recursion-depth/input | 1 +
- 7 files changed, 35 insertions(+)
- create mode 100644 test/suites/invalid/recursion-depth/error
- create mode 100644 test/suites/invalid/recursion-depth/input
-
---- a/android/jansson_config.h
-+++ b/android/jansson_config.h
-@@ -36,4 +36,8 @@
- otherwise to 0. */
- #define JSON_HAVE_LOCALECONV 0
-
-+/* Maximum recursion depth for parsing JSON input.
-+ This limits the depth of e.g. array-within-array constructions. */
-+#define JSON_PARSER_MAX_DEPTH 2048
-+
- #endif
---- a/cmake/jansson_config.h.cmake
-+++ b/cmake/jansson_config.h.cmake
-@@ -60,5 +60,9 @@
- #define JSON_HAVE_LOCALECONV @JSON_HAVE_LOCALECONV@
-
-
-+/* Maximum recursion depth for parsing JSON input.
-+ This limits the depth of e.g. array-within-array constructions. */
-+#define JSON_PARSER_MAX_DEPTH 2048
-+
-
- #endif
---- a/doc/conformance.rst
-+++ b/doc/conformance.rst
-@@ -108,3 +108,13 @@
- are implicitly handled via the ordinary C type coercion rules (subject
- to overflow semantics). Also, no support or hooks are provided for any
- supplemental "bignum" type add-on packages.
-+
-+Depth of nested values
-+----------------------
-+
-+To avoid stack exhaustion, Jansson currently limits the nesting depth
-+for arrays and objects to a certain value (default: 2048), defined as
-+a macro ``JSON_PARSER_MAX_DEPTH`` within ``jansson_config.h``.
-+
-+The limit is allowed to be set by the RFC; there is no recommended value
-+or required minimum depth to be supported.
---- a/src/jansson_config.h.in
-+++ b/src/jansson_config.h.in
-@@ -36,4 +36,8 @@
- otherwise to 0. */
- #define JSON_HAVE_LOCALECONV @json_have_localeconv@
-
-+/* Maximum recursion depth for parsing JSON input.
-+ This limits the depth of e.g. array-within-array constructions. */
-+#define JSON_PARSER_MAX_DEPTH 2048
-+
- #endif
---- a/src/load.c
-+++ b/src/load.c
-@@ -61,6 +61,7 @@
- typedef struct {
- stream_t stream;
- strbuffer_t saved_text;
-+ size_t depth;
- int token;
- union {
- struct {
-@@ -800,6 +801,12 @@
- json_t *json;
- double value;
-
-+ lex->depth++;
-+ if(lex->depth > JSON_PARSER_MAX_DEPTH) {
-+ error_set(error, lex, "maximum parsing depth reached");
-+ return NULL;
-+ }
-+
- switch(lex->token) {
- case TOKEN_STRING: {
- const char *value = lex->value.string.val;
-@@ -870,6 +877,7 @@
- if(!json)
- return NULL;
-
-+ lex->depth--;
- return json;
- }
-
-@@ -877,6 +885,8 @@
- {
- json_t *result;
-
-+ lex->depth = 0;
-+
- lex_scan(lex, error);
- if(!(flags & JSON_DECODE_ANY)) {
- if(lex->token != '[' && lex->token != '{') {
---- /dev/null
-+++ b/test/suites/invalid/recursion-depth/error
-@@ -0,0 +1,2 @@
-+1 2049 2049
-+maximum parsing depth reached near '['
---- /dev/null
-+++ b/test/suites/invalid/recursion-depth/input
-@@ -0,0 +1 @@
-+[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[
[...]
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 9ea9503..119c36b 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -236,7 +236,7 @@ and UNIX socket support.")
(define-public jansson
(package
(name "jansson")
- (version "2.7")
+ (version "2.9")
(source (origin
(method url-fetch)
(uri
@@ -244,8 +244,7 @@ and UNIX socket support.")
version ".tar.gz"))
(sha256
(base32
- "1mvq9p85khsl818i4vbszyfab0fd45mdrwrxjkzw05mk1xcyc1br"))
- (patches (search-patches "jansson-CVE-2016-4425.patch"))))
+ "19fjgfwjfj99rqa3kf96x5rssj88siazggksgrikd6h4r9sd1l0a"))))
(build-system gnu-build-system)
(home-page "http://www.digip.org/jansson/")
(synopsis "JSON C library")
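Review bot: Removing `(patches (search-patches "jansson-CVE-2016-4425.patch"))` from the origin leaves the package relying on the 2.9 tarball for the parser's recursion-depth limit, and neither this hunk nor the commit log states that the fix is present upstream. The log entry could record it, e.g. `[source]: Remove 'jansson-CVE-2016-4425.patch', now included upstream.`, after confirming that `JSON_PARSER_MAX_DEPTH` and the `lex->depth` check appear in the unpacked 2.9 `src/load.c`. If the release did not carry them, this build would lose the stack-exhaustion protection the deleted patch provided, with nothing failing at build time. The `jansson` package definition starts and ends outside this hunk.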