CVE-2023-5072: Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. https://github.com/stleary/JSON-java/issues/758 https://github.com/stleary/JSON-java/issues/771 These look fixed in 20231013. Please bump.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8e2e4560e1e391e9c24bb6af71aa7897a2f5e2e6 commit 8e2e4560e1e391e9c24bb6af71aa7897a2f5e2e6 Author: Volkmar W. Pogatzki <gentoo@pogatzki.net> AuthorDate: 2023-11-25 17:58:00 +0000 Commit: Miroslav Šulc <fordfrog@gentoo.org> CommitDate: 2023-11-26 08:53:49 +0000 dev-java/json: add 20231013 - CVE-2023-5072 Bug: https://bugs.gentoo.org/918529 Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net> Closes: https://github.com/gentoo/gentoo/pull/33985 Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org> dev-java/json/Manifest | 4 ++ .../json/files/json-20231013-JSONObjectTest.patch | 31 ++++++++++ dev-java/json/json-20231013.ebuild | 69 ++++++++++++++++++++++ 3 files changed, 104 insertions(+)
Thanks! Please file a stable bug when ready.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f47f393de5ff7a14f2fb9074e4ee0f17d41054f2 commit f47f393de5ff7a14f2fb9074e4ee0f17d41054f2 Author: Volkmar W. Pogatzki <gentoo@pogatzki.net> AuthorDate: 2024-01-10 13:40:57 +0000 Commit: Miroslav Šulc <fordfrog@gentoo.org> CommitDate: 2024-01-11 09:46:45 +0000 dev-java/json: drop 20220320 Bug: https://bugs.gentoo.org/918529 Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net> Closes: https://github.com/gentoo/gentoo/pull/34733 Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org> dev-java/json/Manifest | 1 - dev-java/json/json-20220320.ebuild | 57 -------------------------------------- 2 files changed, 58 deletions(-)
