947204 – (CVE-2023-1370) <dev-java/json-smart-2.5.1: possible stack overflow

Bug 947204 (CVE-2023-1370) - <dev-java/json-smart-2.5.1: possible stack overflow

Summary: <dev-java/json-smart-2.5.1: possible stack overflow

Status:	CONFIRMED

Alias:	CVE-2023-1370

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://research.jfrog.com/vulnerabil...
Whiteboard:	B3 [stable?]
Keywords:

Depends on:
Blocks:

Reported:	2024-12-30 08:08 UTC by Volkmar W. Pogatzki
Modified:	2025-01-17 10:52 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Volkmar W. Pogatzki 2024-12-30 08:08:10 UTC

[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.

Comment 1 Hans de Graaff gentoo-dev

2025-01-17 10:52:12 UTC

As far as I can tell from the sparse information json-smart v1 does not look affected.

Upstream fix commit: https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a