!37 [sync] PR-33: fix: Handle unbalanced comment string for CVE-2024-47855

From: @openeuler-sync-bot 
Reviewed-by: @wk333 
Signed-off-by: @wk333

0001-fix-Handle-unbalanced-comment-string.patch

@@ -0,0 +1,81 @@
+From a0c4a0eae277130e22979cf307c95dec4005a78e Mon Sep 17 00:00:00 2001
+From: Andres Almiray <aalmiray@gmail.com>
+Date: Thu, 26 Sep 2024 17:47:11 -0500
+Subject: [PATCH] fix: Handle unbalanced comment string
+
+---
+ .../src/main/java/net/sf/json/util/JSONTokener.java   |  2 ++
+ .../src/test/java/net/sf/json/TestJSONSerializer.java |  9 +++++++++
+ src/main/java/net/sf/json/util/JSONTokener.java       |  2 ++
+ src/test/java/net/sf/json/TestJSONSerializer.java     |  9 +++++++++
+ 4 files changed, 22 insertions(+)
+
+diff --git a/jenkins-json-lib-2.4/src/main/java/net/sf/json/util/JSONTokener.java b/jenkins-json-lib-2.4/src/main/java/net/sf/json/util/JSONTokener.java
+index 655cd7c..aad6f3b 100644
+--- a/jenkins-json-lib-2.4/src/main/java/net/sf/json/util/JSONTokener.java
++++ b/jenkins-json-lib-2.4/src/main/java/net/sf/json/util/JSONTokener.java
+@@ -192,6 +192,8 @@ public class JSONTokener {
+                             if (c == '*') {
+                                 if (next() == '/') {
+                                     break;
++                                } else if (!more()) {
++                                    return 0;
+                                 }
+                                 back();
+                             }
+diff --git a/jenkins-json-lib-2.4/src/test/java/net/sf/json/TestJSONSerializer.java b/jenkins-json-lib-2.4/src/test/java/net/sf/json/TestJSONSerializer.java
+index 6a15863..d0c9ff4 100644
+--- a/jenkins-json-lib-2.4/src/test/java/net/sf/json/TestJSONSerializer.java
++++ b/jenkins-json-lib-2.4/src/test/java/net/sf/json/TestJSONSerializer.java
+@@ -139,6 +139,15 @@ public class TestJSONSerializer extends TestCase {
+         assertEquals(beanB.getValue(), ((ValueBean) bb).getValue());
+     }
+ 
++    public void testToJava_JSONObject_5() throws Exception {
++        try {
++            JSONObject.fromObject("/**");
++            fail("Should have thrown a JSONException");
++        } catch (JSONException expected) {
++            // ok
++        }
++    }
++
+     public void testToJava_JSONObject_and_reset() throws Exception {
+         String json = "{bool:true,integer:1,string:\"json\"}";
+         JSONObject jsonObject = JSONObject.fromObject(json);
+diff --git a/src/main/java/net/sf/json/util/JSONTokener.java b/src/main/java/net/sf/json/util/JSONTokener.java
+index 4f6ff94..0cdde2b 100644
+--- a/src/main/java/net/sf/json/util/JSONTokener.java
++++ b/src/main/java/net/sf/json/util/JSONTokener.java
+@@ -196,6 +196,8 @@ public class JSONTokener {
+                      if( c == '*' ){
+                         if( next() == '/' ){
+                            break;
++                        } else if (!more()){
++                            return 0;
+                         }
+                         back();
+                      }
+diff --git a/src/test/java/net/sf/json/TestJSONSerializer.java b/src/test/java/net/sf/json/TestJSONSerializer.java
+index 7397769..89c145d 100644
+--- a/src/test/java/net/sf/json/TestJSONSerializer.java
++++ b/src/test/java/net/sf/json/TestJSONSerializer.java
+@@ -139,6 +139,15 @@ public class TestJSONSerializer extends TestCase {
+       assertEquals( beanB.getValue(), ((ValueBean) bb).getValue() );
+    }
+ 
++   public void testToJava_JSONObject_5() throws Exception {
++       try {
++           JSONObject.fromObject("/**");
++           fail("Should have thrown a JSONException");
++       } catch (JSONException expected) {
++           // ok
++       }
++   }
++
+    public void testToJava_JSONObject_and_reset() throws Exception {
+       String json = "{bool:true,integer:1,string:\"json\"}";
+       JSONObject jsonObject = JSONObject.fromObject( json );
+-- 
+2.43.0
+

json-lib.spec

@@ -1,6 +1,6 @@
 Name:           json-lib
 Version:        2.4
-Release:        18
+Release:        23
 Summary:        JSON library for Java
 License:        ASL 2.0
 URL:            http://json-lib.sourceforge.net/
@@ -10,6 +10,8 @@ Source0:        %{name}-%{version}.tar.xz
 Source1:        jenkins-%{name}-%{version}.tar.xz
 Source2:        http://repo.jenkins-ci.org/releases/org/kohsuke/stapler/json-lib/%{version}-jenkins-3/json-lib-%{version}-jenkins-3.pom
 
+Patch1:  0001-fix-Handle-unbalanced-comment-string.patch
+
 BuildRequires:  java-devel maven-local maven-shared maven-surefire-provider-junit
 BuildRequires:  mvn(commons-beanutils:commons-beanutils) mvn(commons-lang:commons-lang)
 BuildRequires:  mvn(commons-collections:commons-collections) mvn(junit:junit) mvn(log4j:log4j)
@@ -41,8 +43,10 @@ Obsoletes:      %{name}-javadoc < %{version}-%{release}
 Help documentation for json-lib package.
 
 %prep
-%autosetup -n %{name}-%{version} -p1
+%setup -q %{name}-%{version}
 tar xf %{SOURCE1}
+%patch -P1 -p1
+
 find -name "*.jar" -or -name "*.class" | xargs rm -rf
 
 %pom_xpath_set "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'org.codehaus.groovy']/pom:artifactId" groovy
@@ -95,6 +99,21 @@ cd -
 %license LICENSE.txt
 
 %changelog
+* Mon Oct 07 2024 Deyuan Fan <fandeyuan@kylinos.cn> - 2.4-23
+- fix: Handle unbalanced comment string for CVE-2024-47855
+
+* Mon Aug 22 2022 wangkai <wangkai385@h-partners.com> - 2.4-22
+- Rebuild for log4j 2.17.2 fix CVE-2021-44832
+
+* Tue May 31 2022 loong_C <loong_c@yeah.net> - 2.4-21
+- update json-lib.spec
+
+* Mon Dec 27 2021 yaoxin <yaoxin30@huawei.com> - 2.4-20
+- This package depends on log4j.After the log4j vulnerability CVE-2021-45105 is fixed,the version needs to be rebuild.
+
+* Mon Dec 20 2021 wangkai <wangkai385@huawei.com> - 2.4-19
+- This package depends on log4j.After the log4j vulnerability CVE-2021-44228 is fixed,the version needs to be rebuild.
+
 * Tue Feb 2 2021 wutao <wutao61@huawei.com> - 2.4-18
 - change depdencies to groovy