Update to 2.5.2 for fix CVE-2024-57699

(cherry picked from commit 4182a6bae035a7a453f9e2b7d128e5c1a91dcf30)

CVE-2023-1370.patch

@@ -1,156 +0,0 @@
-From: UrielCh <uriel.chemouni@gmail.com>
-Date: Sun, 5 Mar 2023 13:01:10 +0200
-Subject: CVE-2023-1370: stack overflow due to excessive recursion
-MIME-Version: 1.0
-Content-Type: text/plain; charset="utf-8"
-Content-Transfer-Encoding: 8bit
-
-When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code
-parses an array or an object respectively. It was discovered that the
-code does not have any limit to the nesting of such arrays or
-objects. Since the parsing of nested arrays and objects is done
-recursively, nesting too many of them can cause a stack exhaustion
-(stack overflow) and crash the software.
-
-origin: https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a.patch
-bug: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
-bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033474
----
- .../net/minidev/json/parser/JSONParserBase.java    | 17 +++++++++++++-
- .../net/minidev/json/parser/ParseException.java    |  9 +++++++-
- .../java/net/minidev/json/test/TestOverflow.java   | 27 ++++++++++++++++++++++
- 3 files changed, 51 insertions(+), 2 deletions(-)
- create mode 100644 json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
-
-diff --git a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
-index 96d6bb6..f65b8c5 100644
---- a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
-+++ b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
-@@ -20,6 +20,7 @@ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_EOF;
- import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_LEADING_0;
- import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_TOKEN;
- import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_UNICODE;
-+import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_JSON_DEPTH;
- 
- import java.io.IOException;
- import java.math.BigDecimal;
-@@ -39,6 +40,12 @@ import net.minidev.json.writer.JsonReaderI;
-  */
- abstract class JSONParserBase {
- 	protected char c;
-+   	/**
-+	 * hard coded maximal depth for JSON parsing
-+	 */
-+	public final static int MAX_DEPTH = 400;
-+	protected int depth = 0;
-+
- 	JsonReader base;
- 	public final static byte EOI = 0x1A;
- 	protected static final char MAX_STOP = 126; // '}' -> 125
-@@ -232,9 +239,12 @@ abstract class JSONParserBase {
- 	abstract protected void read() throws IOException;
- 
- 	protected <T> T readArray(JsonReaderI<T> mapper) throws ParseException, IOException {
--		Object current = mapper.createArray();
- 		if (c != '[')
- 			throw new RuntimeException("Internal Error");
-+		if (++this.depth > MAX_DEPTH) {
-+			throw new ParseException(pos, ERROR_UNEXPECTED_JSON_DEPTH, c);
-+		}
-+		Object current = mapper.createArray();
- 		read();
- 		boolean needData = false;
- 		//
-@@ -249,6 +259,7 @@ abstract class JSONParserBase {
- 			case ']':
- 				if (needData && !acceptUselessComma)
- 					throw new ParseException(pos, ERROR_UNEXPECTED_CHAR, (char) c);
-+				this.depth--;
- 				read(); /* unstack */
- 				//
- 				return mapper.convert(current);
-@@ -485,6 +496,9 @@ abstract class JSONParserBase {
- 		//
- 		if (c != '{')
- 			throw new RuntimeException("Internal Error");
-+		if (++this.depth > MAX_DEPTH) {
-+			throw new ParseException(pos, ERROR_UNEXPECTED_JSON_DEPTH, c);
-+		}
- 		Object current = mapper.createObject();
- 		boolean needData = false;
- 		boolean acceptData = true;
-@@ -504,6 +518,7 @@ abstract class JSONParserBase {
- 			case '}':
- 				if (needData && !acceptUselessComma)
- 					throw new ParseException(pos, ERROR_UNEXPECTED_CHAR, (char) c);
-+				this.depth--;
- 				read(); /* unstack */
- 				//
- 				return mapper.convert(current);
-diff --git a/json-smart/src/main/java/net/minidev/json/parser/ParseException.java b/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
-index e652cf2..42f11f2 100644
---- a/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
-+++ b/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
-@@ -1,7 +1,7 @@
- package net.minidev.json.parser;
- 
- /*
-- *    Copyright 2011 JSON-SMART authors
-+ *    Copyright 2011-2023 JSON-SMART authors
-  *
-  * Licensed under the Apache License, Version 2.0 (the "License");
-  * you may not use this file except in compliance with the License.
-@@ -30,6 +30,7 @@ public class ParseException extends Exception {
- 	public static final int ERROR_UNEXPECTED_UNICODE = 4;
- 	public static final int ERROR_UNEXPECTED_DUPLICATE_KEY = 5;
- 	public static final int ERROR_UNEXPECTED_LEADING_0 = 6;
-+	public static final int ERROR_UNEXPECTED_JSON_DEPTH = 7;
- 
- 	private int errorType;
- 	private Object unexpectedObject;
-@@ -114,6 +115,12 @@ public class ParseException extends Exception {
- 			sb.append(" at position ");
- 			sb.append(position);
- 			sb.append(".");
-+		} else if (errorType == ERROR_UNEXPECTED_JSON_DEPTH) {
-+			sb.append("Malicious payload, having non natural depths, parsing stoped on ");
-+			sb.append(unexpectedObject);
-+			sb.append(" at position ");
-+			sb.append(position);
-+			sb.append(".");
- 		} else {
- 			sb.append("Unkown error at position ");
- 			sb.append(position);
-diff --git a/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java b/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
-new file mode 100644
-index 0000000..18b52e7
---- /dev/null
-+++ b/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
-@@ -0,0 +1,27 @@
-+package net.minidev.json.test;
-+
-+import junit.framework.TestCase;
-+import net.minidev.json.JSONValue;
-+import net.minidev.json.parser.ParseException;
-+
-+public class TestOverflow extends TestCase {
-+	public void testStress() throws Exception {
-+		int size = 10000;
-+		StringBuilder sb = new StringBuilder(10 + size*4);
-+		for (int i=0; i < size; i++) {
-+			sb.append("{a:");
-+		}
-+		sb.append("true");
-+		for (int i=0; i < size; i++) {
-+			sb.append("}");
-+		}
-+		String s = sb.toString();
-+		try {
-+			JSONValue.parseWithException(s);
-+		} catch (ParseException e) {
-+			assertEquals(e.getErrorType(), ParseException.ERROR_UNEXPECTED_JSON_DEPTH);
-+			return;
-+		}
-+		assertEquals(0,1);
-+	}
-+}

json-smart.spec

@@ -1,13 +1,15 @@
 Name:                json-smart
-Version:             2.2
-Release:             2
+Version:             2.5.2
+Release:             1
 Summary:             A small and very fast json parser/generator for java
-License:             ASL 2.0
+License:             Apache-2.0
 URL:                 https://github.com/netplex/json-smart-v2
-Source0:             https://github.com/netplex/json-smart-v2/archive/%{version}.tar.gz
-Patch0001:           CVE-2023-1370.patch
+Source0:             https://github.com/netplex/%{name}-v2/archive/%{version}/%{name}-v2-%{version}.tar.gz
+Source1:             https://repo.maven.apache.org/maven2/net/minidev/minidev-parent/2.4.4/minidev-parent-2.4.4.pom
 BuildRequires:       maven-local mvn(junit:junit) mvn(org.apache.felix:maven-bundle-plugin)
 BuildRequires:       mvn(org.ow2.asm:asm) mvn(org.sonatype.oss:oss-parent:pom:)
+BuildRequires:       mvn(org.apache.maven.plugins:maven-source-plugin)
+BuildRequires:       mvn(org.junit.jupiter:junit-jupiter-api)
 BuildArch:           noarch
 %description
 Json-smart is a performance focused, JSON processor lib.
@@ -19,25 +21,21 @@ This package contains javadoc for %{name}.
 
 %prep
 %autosetup -n %{name}-v2-%{version} -p1
-%pom_remove_dep :json-smart-mini parent
-%pom_remove_plugin :maven-javadoc-plugin parent
-%pom_remove_plugin :maven-source-plugin parent
-%pom_xpath_set "pom:dependency[pom:artifactId='accessors-smart']/pom:version" '${project.version}' parent
+cp %{SOURCE1} ./pom.xml
+%pom_remove_dep :json-smart-mini
+%pom_remove_plugin :maven-javadoc-plugin
+%pom_remove_plugin :maven-source-plugin
 %pom_xpath_set "pom:Bundle-Version" "1.1" accessors-smart
-%pom_xpath_remove "pom:Embed-Dependency" accessors-smart
-%pom_xpath_remove "pom:Embed-Dependency" %{name}
-%pom_xpath_inject "pom:dependency[pom:artifactId='accessors-smart']" "<version>%{version}</version>" %{name}
-%pom_xpath_remove "pom:project/pom:version" accessors-smart
-%pom_xpath_inject "pom:project" "<version>%{version}</version>" accessors-smart
 cp -p %{name}/*.txt .
 %mvn_file :%{name} %{name}
 %mvn_file :accessors-smart accessors-smart
 rm accessors-smart/src/test/java/net/minidev/asm/TestDateConvert.java
 
 %build
-%mvn_build -- -f parent/pom.xml
+%mvn_build -f 
 
 %install
+
 %mvn_install
 
 %files -f .mfiles
@@ -48,6 +46,12 @@ rm accessors-smart/src/test/java/net/minidev/asm/TestDateConvert.java
 %license LICENSE.txt
 
 %changelog
+* Mon Feb 17 2025 yaoxin <1024769339@qq.com> - 2.5.2-1
+- Update to 2.5.2 for fix CVE-2024-57699
+
+* Sun Feb 04 2024 Ge Wang <wang__ge@126.com> - 2.4.8-1
+- update to version 2.4.8
+
 * Tue Apr 04 2023 liyuxiang <liyuxiang@ncti-gba.cn> - 2.2-2
 - fix CVE-2023-1370
 

minidev-parent-2.4.4.pom

@@ -0,0 +1,271 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<groupId>net.minidev</groupId>
+	<artifactId>minidev-parent</artifactId>
+	<version>2.4.4</version>
+	<name>Minidev super pom</name>
+	<description>minidev common properties.</description>
+	<packaging>pom</packaging>
+	<url>https://urielch.github.io/</url>
+
+	<organization>
+		<name>Chemouni Uriel</name>
+		<url>https://urielch.github.io/</url>
+	</organization>
+
+	<developers>
+		<developer>
+			<id>uriel</id>
+			<name>Uriel Chemouni</name>
+			<email>uchemouni@gmail.com</email>
+			<timezone>GMT+3</timezone>
+			<roles>
+			</roles>
+		</developer>
+	</developers>
+
+	<licenses>
+		<license>
+			<name>The Apache Software License, Version 2.0</name>
+			<url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+			<distribution>repo</distribution>
+			<comments>All files under Apache 2</comments>
+		</license>
+	</licenses>
+
+	<properties>
+		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+		<maven.compiler.source>1.8</maven.compiler.source>
+		<maven.compiler.target>1.8</maven.compiler.target>
+	</properties>
+
+	<build>
+		<plugins>
+			<plugin> <!-- updated on 04/04/2021 -->
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-source-plugin</artifactId>
+				<version>3.2.1</version>
+				<executions>
+					<execution>
+						<id>bind-sources</id>
+						<goals>
+							<goal>jar-no-fork</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
+
+			<plugin> <!-- updated on 04/04/2021 -->
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-compiler-plugin</artifactId>
+				<version>3.8.1</version>
+				<configuration>
+					<encoding>UTF-8</encoding>
+					<source>${maven.compiler.source}</source>
+					<target>${maven.compiler.target}</target>
+				</configuration>
+			</plugin>
+
+			<plugin> <!-- updated on 04/04/2021 -->
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-resources-plugin</artifactId>
+				<version>3.2.0</version>
+				<configuration>
+					<encoding>UTF-8</encoding>
+				</configuration>
+			</plugin>
+
+			<plugin> <!-- updated on 04/04/2021 -->
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-jar-plugin</artifactId>
+				<version>3.2.0</version>
+				<configuration>
+				</configuration>
+			</plugin>
+
+			<plugin> <!-- updated on 04/04/2021 -->
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-javadoc-plugin</artifactId>
+				<version>3.2.0</version>
+				<!-- ONLY NEEDED With jdk 1.7+ -->
+				<configuration>
+					<failOnError>false</failOnError>
+					<!-- <additionalparam>-Xdoclint:none</additionalparam> -->
+				</configuration>
+				<executions>
+					<execution>
+						<id>attach-javadocs</id>
+						<goals>
+							<goal>jar</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
+		</plugins>
+	</build>
+
+	<scm>
+		<connection>scm:git:https://github.com/netplex/json-smart-v2.git</connection>
+		<developerConnection>scm:git:https://github.com/netplex/json-smart-v2.git</developerConnection>
+		<url>https://github.com/netplex/json-smart-v2</url>
+	</scm>
+
+	<reporting>
+		<plugins>
+			<plugin> <!-- updated on 04/04/2021 -->
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-checkstyle-plugin</artifactId>
+				<version>3.1.2</version>
+				<configuration>
+					<configLocation>google_checks.xml</configLocation>
+				</configuration>
+			</plugin>
+		</plugins>
+	</reporting>
+
+	<modules>
+		<module>accessors-smart</module>
+		<!-- <module>json-smart-action</module> -->
+		<module>json-smart</module>
+	</modules>
+
+	<distributionManagement>
+		<snapshotRepository>
+			<id>ossrh</id>
+			<url>https://oss.sonatype.org/content/repositories/snapshots</url>
+		</snapshotRepository>
+		<repository>
+			<id>ossrh</id>
+			<url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
+		</repository>
+	</distributionManagement>
+	<!-- release with: mvn clean deploy -P release-sign-artifacts-->
+	<profiles>
+		<profile>
+			<id>release-sign-artifacts</id>
+			<activation>
+				<property>
+					<!-- will be set by the release plugin upon performing mvn release:perform -->
+					<name>performRelease</name>
+					<value>true</value>
+				</property>
+			</activation>
+			<properties>
+				<!--<gpg.keyname>8E322ED0</gpg.keyname> -->
+				<!-- 2C8DF6EC Loosed Key -->
+				<!-- <gpg.keyname>2C8DF6EC</gpg.keyname> -->
+				<!-- 2021 rsa4096 key-->
+				<gpg.keyname>53BE126D</gpg.keyname>
+				<!-- <gpg.keyname>Uriel Chemouni (dev) <uchemouni@gmail.com></gpg.keyname> -->
+				<!-- GPG Key ID to use for signing -->
+			</properties>
+			<build>
+				<plugins>
+					<!-- Enable signing of the artifacts For gpg:sign-and-deploy-file it's 
+						necessary to have a <server> with the repositoryId provided or id="remote-repository" 
+						defined in settings.xml (it contains the repository's login, psw) Signing: 
+						mvn gpg:sign-and-deploy-file -DpomFile=target/myapp-1.0.pom -Dfile=target/myapp-1.0.jar 
+						-Durl=http://oss.sonatype.org/content/repositories/malyvelky/ -DrepositoryId=sonatype_oss 
+						Note normally it uses the defaul key but we can ovveride it by either setting 
+						the property gpg.keyname (done in this POM) or by providing -Dkeyname=66AE163A 
+						on the command line. OR directly w/ gpg (remove space in - -): gpg -u 66AE163A 
+						- -sign - -detach-sign -a target/dbunit-embeddedderby-parenttest.jar Note: 
+						"mvn gpg:sign" results in NPE with v 1.o-a.-4, use "mvn package gpg:sign" 
+						instead; see the issue MGPG-18 -->
+					<plugin> <!-- updated on 29/07/2015 -->
+						<groupId>org.apache.maven.plugins</groupId>
+						<artifactId>maven-gpg-plugin</artifactId>
+
+						<version>1.6</version>
+						<executions>
+							<execution>
+								<id>sign-artifacts</id>
+								<phase>verify</phase>
+								<goals>
+									<goal>sign</goal>
+								</goals>
+							</execution>
+						</executions>
+					</plugin>
+					<!-- Publish also javadocs when releasing - required by Sonatype -->
+					<plugin>
+						<groupId>org.apache.maven.plugins</groupId>
+						<artifactId>maven-javadoc-plugin</artifactId>
+						<executions>
+							<execution>
+								<id>attach-javadocs</id>
+								<goals>
+									<goal>jar</goal>
+								</goals>
+							</execution>
+						</executions>
+					</plugin>
+					<!-- Release Plugin (Update version in POM before/after release, create 
+						tag, deploy) to try: mvn release:prepare -DdryRun=true && mvn release:clean 
+						to perform: mvn release:prepare release:perform Read http://nexus.sonatype.org/oss-repository-hosting.html#3 
+						for instructions on releasing to this project's Sonatype repository -->
+					<plugin> <!-- updated on 04/04/2021 -->
+						<groupId>org.apache.maven.plugins</groupId>
+						<artifactId>maven-release-plugin</artifactId>
+						<version>3.0.0-M1</version>
+						<configuration>
+							<mavenExecutorId>forked-path</mavenExecutorId>
+							<arguments>-Psonatype-oss-release</arguments>
+							<autoVersionSubmodules>false</autoVersionSubmodules>
+							<useReleaseProfile>false</useReleaseProfile>
+							<releaseProfiles>release</releaseProfiles>
+							<goals>deploy</goals>
+						</configuration>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+		<profile>
+			<id>include-sources</id>
+			<build>
+				<resources>
+					<resource>
+						<targetPath>/</targetPath>
+						<filtering>true</filtering>
+						<directory>src/main/java</directory>
+						<includes>
+							<include>**/*.java</include>
+						</includes>
+					</resource>
+				</resources>
+			</build>
+		</profile>
+	</profiles>
+	<dependencyManagement>
+		<dependencies>
+			<dependency>
+				<groupId>net.minidev</groupId>
+				<artifactId>json-smart</artifactId>
+				<version>${project.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>net.minidev</groupId>
+				<artifactId>json-smart-action</artifactId>
+				<version>${project.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>net.minidev</groupId>
+				<artifactId>json-smart-mini</artifactId>
+				<version>${project.version}</version>
+			</dependency>
+			<dependency>
+    			<groupId>org.junit.jupiter</groupId>
+    			<artifactId>junit-jupiter-api</artifactId>
+    			<version>5.7.1</version>
+    			<scope>test</scope>
+			</dependency>
+			<dependency>
+    			<groupId>org.junit.jupiter</groupId>
+    			<artifactId>junit-jupiter-params</artifactId>
+    			<version>5.7.1</version>
+    			<scope>test</scope>
+			</dependency>
+		</dependencies>
+	</dependencyManagement>
+</project>