CVE-2023-1370

(cherry picked from commit 31c15603cbe33aea19298600b02ba3653f170ef1)
2023-04-04 20:29:58 +08:00 · 2023-04-04 20:29:58 +08:00 · 9401af0c59
commit 9401af0c59
parent 5bcdbf79e2
2 changed files with 162 additions and 2 deletions
--- a/CVE-2023-1370.patch
+++ b/CVE-2023-1370.patch
@ -0,0 +1,156 @@
+From: UrielCh <uriel.chemouni@gmail.com>
+Date: Sun, 5 Mar 2023 13:01:10 +0200
+Subject: CVE-2023-1370: stack overflow due to excessive recursion
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code
+parses an array or an object respectively. It was discovered that the
+code does not have any limit to the nesting of such arrays or
+objects. Since the parsing of nested arrays and objects is done
+recursively, nesting too many of them can cause a stack exhaustion
+(stack overflow) and crash the software.
+
+origin: https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a.patch
+bug: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033474
+---
+ .../net/minidev/json/parser/JSONParserBase.java    | 17 +++++++++++++-
+ .../net/minidev/json/parser/ParseException.java    |  9 +++++++-
+ .../java/net/minidev/json/test/TestOverflow.java   | 27 ++++++++++++++++++++++
+ 3 files changed, 51 insertions(+), 2 deletions(-)
+ create mode 100644 json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
+
+diff --git a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
+index 96d6bb6..f65b8c5 100644
+--- a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
+++ b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
+@@ -20,6 +20,7 @@ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_EOF;
+ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_LEADING_0;
+ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_TOKEN;
+ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_UNICODE;
+import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_JSON_DEPTH;
+ 
+ import java.io.IOException;
+ import java.math.BigDecimal;
+@@ -39,6 +40,12 @@ import net.minidev.json.writer.JsonReaderI;
+  */
+ abstract class JSONParserBase {
+ 	protected char c;
+   	/**
+	 * hard coded maximal depth for JSON parsing
+	 */
+	public final static int MAX_DEPTH = 400;
+	protected int depth = 0;
+
+ 	JsonReader base;
+ 	public final static byte EOI = 0x1A;
+ 	protected static final char MAX_STOP = 126; // '}' -> 125
+@@ -232,9 +239,12 @@ abstract class JSONParserBase {
+ 	abstract protected void read() throws IOException;
+ 
+ 	protected <T> T readArray(JsonReaderI<T> mapper) throws ParseException, IOException {
+-		Object current = mapper.createArray();
+ 		if (c != '[')
+ 			throw new RuntimeException("Internal Error");
+		if (++this.depth > MAX_DEPTH) {
+			throw new ParseException(pos, ERROR_UNEXPECTED_JSON_DEPTH, c);
+		}
+		Object current = mapper.createArray();
+ 		read();
+ 		boolean needData = false;
+ 		//
+@@ -249,6 +259,7 @@ abstract class JSONParserBase {
+ 			case ']':
+ 				if (needData && !acceptUselessComma)
+ 					throw new ParseException(pos, ERROR_UNEXPECTED_CHAR, (char) c);
+				this.depth--;
+ 				read(); /* unstack */
+ 				//
+ 				return mapper.convert(current);
+@@ -485,6 +496,9 @@ abstract class JSONParserBase {
+ 		//
+ 		if (c != '{')
+ 			throw new RuntimeException("Internal Error");
+		if (++this.depth > MAX_DEPTH) {
+			throw new ParseException(pos, ERROR_UNEXPECTED_JSON_DEPTH, c);
+		}
+ 		Object current = mapper.createObject();
+ 		boolean needData = false;
+ 		boolean acceptData = true;
+@@ -504,6 +518,7 @@ abstract class JSONParserBase {
+ 			case '}':
+ 				if (needData && !acceptUselessComma)
+ 					throw new ParseException(pos, ERROR_UNEXPECTED_CHAR, (char) c);
+				this.depth--;
+ 				read(); /* unstack */
+ 				//
+ 				return mapper.convert(current);
+diff --git a/json-smart/src/main/java/net/minidev/json/parser/ParseException.java b/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
+index e652cf2..42f11f2 100644
+--- a/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
+++ b/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
+@@ -1,7 +1,7 @@
+ package net.minidev.json.parser;
+ 
+ /*
+- *    Copyright 2011 JSON-SMART authors
+ *    Copyright 2011-2023 JSON-SMART authors
+  *
+  * Licensed under the Apache License, Version 2.0 (the "License");
+  * you may not use this file except in compliance with the License.
+@@ -30,6 +30,7 @@ public class ParseException extends Exception {
+ 	public static final int ERROR_UNEXPECTED_UNICODE = 4;
+ 	public static final int ERROR_UNEXPECTED_DUPLICATE_KEY = 5;
+ 	public static final int ERROR_UNEXPECTED_LEADING_0 = 6;
+	public static final int ERROR_UNEXPECTED_JSON_DEPTH = 7;
+ 
+ 	private int errorType;
+ 	private Object unexpectedObject;
+@@ -114,6 +115,12 @@ public class ParseException extends Exception {
+ 			sb.append(" at position ");
+ 			sb.append(position);
+ 			sb.append(".");
+		} else if (errorType == ERROR_UNEXPECTED_JSON_DEPTH) {
+			sb.append("Malicious payload, having non natural depths, parsing stoped on ");
+			sb.append(unexpectedObject);
+			sb.append(" at position ");
+			sb.append(position);
+			sb.append(".");
+ 		} else {
+ 			sb.append("Unkown error at position ");
+ 			sb.append(position);
+diff --git a/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java b/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
+new file mode 100644
+index 0000000..18b52e7
+--- /dev/null
+++ b/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
+@@ -0,0 +1,27 @@
+package net.minidev.json.test;
+
+import junit.framework.TestCase;
+import net.minidev.json.JSONValue;
+import net.minidev.json.parser.ParseException;
+
+public class TestOverflow extends TestCase {
+	public void testStress() throws Exception {
+		int size = 10000;
+		StringBuilder sb = new StringBuilder(10 + size*4);
+		for (int i=0; i < size; i++) {
+			sb.append("{a:");
+		}
+		sb.append("true");
+		for (int i=0; i < size; i++) {
+			sb.append("}");
+		}
+		String s = sb.toString();
+		try {
+			JSONValue.parseWithException(s);
+		} catch (ParseException e) {
+			assertEquals(e.getErrorType(), ParseException.ERROR_UNEXPECTED_JSON_DEPTH);
+			return;
+		}
+		assertEquals(0,1);
+	}
+}
--- a/json-smart.spec
+++ b/json-smart.spec
@ -1,10 +1,11 @@
 Name:                json-smart
 Version:             2.2
-Release:             1
+Release:             2
 Summary:             A small and very fast json parser/generator for java
 License:             ASL 2.0
 URL:                 https://github.com/netplex/json-smart-v2
 Source0:             https://github.com/netplex/json-smart-v2/archive/%{version}.tar.gz
+Patch0001:           CVE-2023-1370.patch
 BuildRequires:       maven-local mvn(junit:junit) mvn(org.apache.felix:maven-bundle-plugin)
 BuildRequires:       mvn(org.ow2.asm:asm) mvn(org.sonatype.oss:oss-parent:pom:)
 BuildArch:           noarch
@ -17,7 +18,7 @@ Summary:             Javadoc for %{name}
 This package contains javadoc for %{name}.

 %prep
-%setup -q -n %{name}-v2-%{version}
+%autosetup -n %{name}-v2-%{version} -p1
 %pom_remove_dep :json-smart-mini parent
 %pom_remove_plugin :maven-javadoc-plugin parent
 %pom_remove_plugin :maven-source-plugin parent
@ -47,5 +48,8 @@ rm accessors-smart/src/test/java/net/minidev/asm/TestDateConvert.java
 %license LICENSE.txt

 %changelog
+* Tue Apr 04 2023 liyuxiang <liyuxiang@ncti-gba.cn> - 2.2-2
+- fix CVE-2023-1370
+
 * Mon Aug 24 2020 wangchong <wangchong56@huawei.com> - 2.2-1
 - package init