Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 918529 (CVE-2023-5072)

Summary: <dev-java/json-20231013: unconstrained memory usage DoS
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: ajak, java
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/33985
https://github.com/gentoo/gentoo/pull/34733
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 918593    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-25 16:37:11 UTC 
CVE-2023-5072:

Denial of Service  in JSON-Java versions up to and including 20230618.  A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. 

https://github.com/stleary/JSON-java/issues/758
https://github.com/stleary/JSON-java/issues/771

These look fixed in 20231013. Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2023-11-26 08:53:52 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8e2e4560e1e391e9c24bb6af71aa7897a2f5e2e6

commit 8e2e4560e1e391e9c24bb6af71aa7897a2f5e2e6
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-11-25 17:58:00 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-11-26 08:53:49 +0000

    dev-java/json: add 20231013 - CVE-2023-5072
    
    Bug: https://bugs.gentoo.org/918529
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/33985
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/json/Manifest                             |  4 ++
 .../json/files/json-20231013-JSONObjectTest.patch  | 31 ++++++++++
 dev-java/json/json-20231013.ebuild                 | 69 ++++++++++++++++++++++
 3 files changed, 104 insertions(+)
Comment 2 Hans de Graaff gentoo-dev Security 2023-11-26 09:45:29 UTC 
Thanks! Please file a stable bug when ready.
Comment 3 Larry the Git Cow gentoo-dev 2024-01-11 09:46:59 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f47f393de5ff7a14f2fb9074e4ee0f17d41054f2

commit f47f393de5ff7a14f2fb9074e4ee0f17d41054f2
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-01-10 13:40:57 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-01-11 09:46:45 +0000

    dev-java/json: drop 20220320
    
    Bug: https://bugs.gentoo.org/918529
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/34733
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/json/Manifest             |  1 -
 dev-java/json/json-20220320.ebuild | 57 --------------------------------------
 2 files changed, 58 deletions(-)