Message ID | 20230829170046.231673-1-adrian.freihofer@siemens.com |
---|---|
State | New, archived |
Headers | show |
Series | [kirkstone,v2] json-c: fix CVE-2021-32292 | expand |
On Tue, Aug 29, 2023 at 7:01 AM Adrian Freihofer <adrian.freihofer@gmail.com> wrote: > > This is a read past end of buffer issue in the json_parse test app, > which can happened with malformed json data. It's not an issue with the > library itself. For what ever reason this CVE has a base score of 9.8. > > Reference: > https://nvd.nist.gov/vuln/detail/CVE-2021-32292 > > Upstream issue: > https://github.com/json-c/json-c/issues/654 > > The CVE is fixed with version 0.16 (which is already in all active > branches of poky). > > Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> > --- > .../json-c/json-c/CVE-2021-32292.patch | 30 +++++++++++++++++++ > meta/recipes-devtools/json-c/json-c_0.15.bb | 1 + > 2 files changed, 31 insertions(+) > create mode 100644 meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch > > diff --git a/meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch b/meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch > new file mode 100644 > index 0000000000..7ac08c4cb0 > --- /dev/null > +++ b/meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch > @@ -0,0 +1,30 @@ > +From da22ae6541584068f8169315274016920da11d8b Mon Sep 17 00:00:00 2001 > +From: Marc <34656315+MarcT512@users.noreply.github.com> > +Date: Fri, 7 Aug 2020 10:49:45 +0100 > +Subject: [PATCH] Fix read past end of buffer > + > +Fixes: CVE-2021-32292 > +Issue: https://github.com/json-c/json-c/issues/654 > + > +Upstream Status: Backport [4e9e44e5258dee7654f74948b0dd5da39c28beec] Should be Upstream-Status (you missed the dash). I've fixed it, but something to keep in mind next time, otherwise an error at build time: ERROR: json-c-0.15-r0 do_patch: Malformed Upstream-Status in patch /home/steve/builds/poky-contrib-kirkstone/meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch Please correct according to https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines#Patch_Header_Recommendations:_Upstream-Status : Upstream Status: Backport [4e9e44e5258dee7654f74948b0dd5da39c28beec] Steve > +CVE: CVE-2021-32292 > + > +Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> > +--- > + apps/json_parse.c | 3 ++- > + 1 file changed, 2 insertions(+), 1 deletion(-) > + > +diff --git a/apps/json_parse.c b/apps/json_parse.c > +index bba4622..72b31a8 100644 > +--- a/apps/json_parse.c > ++++ b/apps/json_parse.c > +@@ -82,7 +82,8 @@ static int parseit(int fd, int (*callback)(struct json_object *)) > + int parse_end = json_tokener_get_parse_end(tok); > + if (obj == NULL && jerr != json_tokener_continue) > + { > +- char *aterr = &buf[start_pos + parse_end]; > ++ char *aterr = (start_pos + parse_end < sizeof(buf)) ? > ++ &buf[start_pos + parse_end] : ""; > + fflush(stdout); > + int fail_offset = total_read - ret + start_pos + parse_end; > + fprintf(stderr, "Failed at offset %d: %s %c\n", fail_offset, > diff --git a/meta/recipes-devtools/json-c/json-c_0.15.bb b/meta/recipes-devtools/json-c/json-c_0.15.bb > index 7cbed55b3b..4da30bc50c 100644 > --- a/meta/recipes-devtools/json-c/json-c_0.15.bb > +++ b/meta/recipes-devtools/json-c/json-c_0.15.bb > @@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=de54b60fbbc35123ba193fea8ee216f2" > SRC_URI = " \ > https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz \ > file://run-ptest \ > + file://CVE-2021-32292.patch \ > " > > SRC_URI[sha256sum] = "b8d80a1ddb718b3ba7492916237bbf86609e9709fb007e7f7d4322f02341a4c6" > -- > 2.41.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#186865): https://lists.openembedded.org/g/openembedded-core/message/186865 > Mute This Topic: https://lists.openembedded.org/mt/101035436/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch b/meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch new file mode 100644 index 0000000000..7ac08c4cb0 --- /dev/null +++ b/meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch @@ -0,0 +1,30 @@ +From da22ae6541584068f8169315274016920da11d8b Mon Sep 17 00:00:00 2001 +From: Marc <34656315+MarcT512@users.noreply.github.com> +Date: Fri, 7 Aug 2020 10:49:45 +0100 +Subject: [PATCH] Fix read past end of buffer + +Fixes: CVE-2021-32292 +Issue: https://github.com/json-c/json-c/issues/654 + +Upstream Status: Backport [4e9e44e5258dee7654f74948b0dd5da39c28beec] +CVE: CVE-2021-32292 + +Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> +--- + apps/json_parse.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/apps/json_parse.c b/apps/json_parse.c +index bba4622..72b31a8 100644 +--- a/apps/json_parse.c ++++ b/apps/json_parse.c +@@ -82,7 +82,8 @@ static int parseit(int fd, int (*callback)(struct json_object *)) + int parse_end = json_tokener_get_parse_end(tok); + if (obj == NULL && jerr != json_tokener_continue) + { +- char *aterr = &buf[start_pos + parse_end]; ++ char *aterr = (start_pos + parse_end < sizeof(buf)) ? ++ &buf[start_pos + parse_end] : ""; + fflush(stdout); + int fail_offset = total_read - ret + start_pos + parse_end; + fprintf(stderr, "Failed at offset %d: %s %c\n", fail_offset, diff --git a/meta/recipes-devtools/json-c/json-c_0.15.bb b/meta/recipes-devtools/json-c/json-c_0.15.bb index 7cbed55b3b..4da30bc50c 100644 --- a/meta/recipes-devtools/json-c/json-c_0.15.bb +++ b/meta/recipes-devtools/json-c/json-c_0.15.bb @@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=de54b60fbbc35123ba193fea8ee216f2" SRC_URI = " \ https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz \ file://run-ptest \ + file://CVE-2021-32292.patch \ " SRC_URI[sha256sum] = "b8d80a1ddb718b3ba7492916237bbf86609e9709fb007e7f7d4322f02341a4c6"
This is a read past end of buffer issue in the json_parse test app, which can happened with malformed json data. It's not an issue with the library itself. For what ever reason this CVE has a base score of 9.8. Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-32292 Upstream issue: https://github.com/json-c/json-c/issues/654 The CVE is fixed with version 0.16 (which is already in all active branches of poky). Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> --- .../json-c/json-c/CVE-2021-32292.patch | 30 +++++++++++++++++++ meta/recipes-devtools/json-c/json-c_0.15.bb | 1 + 2 files changed, 31 insertions(+) create mode 100644 meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch