fix: Handle unbalanced comment string for CVE-2024-47855

(cherry picked from commit c91893096b399ea51baa610a91ff208695679f98)
2024-10-07 14:03:37 +08:00 · 2024-10-07 14:03:37 +08:00 · bb7b944dce
commit bb7b944dce
parent ff97f9fef0
2 changed files with 90 additions and 2 deletions
--- a/0001-fix-Handle-unbalanced-comment-string.patch
+++ b/0001-fix-Handle-unbalanced-comment-string.patch
@ -0,0 +1,81 @@
+From a0c4a0eae277130e22979cf307c95dec4005a78e Mon Sep 17 00:00:00 2001
+From: Andres Almiray <aalmiray@gmail.com>
+Date: Thu, 26 Sep 2024 17:47:11 -0500
+Subject: [PATCH] fix: Handle unbalanced comment string
+
+---
+ .../src/main/java/net/sf/json/util/JSONTokener.java   |  2 ++
+ .../src/test/java/net/sf/json/TestJSONSerializer.java |  9 +++++++++
+ src/main/java/net/sf/json/util/JSONTokener.java       |  2 ++
+ src/test/java/net/sf/json/TestJSONSerializer.java     |  9 +++++++++
+ 4 files changed, 22 insertions(+)
+
+diff --git a/jenkins-json-lib-2.4/src/main/java/net/sf/json/util/JSONTokener.java b/jenkins-json-lib-2.4/src/main/java/net/sf/json/util/JSONTokener.java
+index 655cd7c..aad6f3b 100644
+--- a/jenkins-json-lib-2.4/src/main/java/net/sf/json/util/JSONTokener.java
+++ b/jenkins-json-lib-2.4/src/main/java/net/sf/json/util/JSONTokener.java
+@@ -192,6 +192,8 @@ public class JSONTokener {
+                             if (c == '*') {
+                                 if (next() == '/') {
+                                     break;
+                                } else if (!more()) {
+                                    return 0;
+                                 }
+                                 back();
+                             }
+diff --git a/jenkins-json-lib-2.4/src/test/java/net/sf/json/TestJSONSerializer.java b/jenkins-json-lib-2.4/src/test/java/net/sf/json/TestJSONSerializer.java
+index 6a15863..d0c9ff4 100644
+--- a/jenkins-json-lib-2.4/src/test/java/net/sf/json/TestJSONSerializer.java
+++ b/jenkins-json-lib-2.4/src/test/java/net/sf/json/TestJSONSerializer.java
+@@ -139,6 +139,15 @@ public class TestJSONSerializer extends TestCase {
+         assertEquals(beanB.getValue(), ((ValueBean) bb).getValue());
+     }
+ 
+    public void testToJava_JSONObject_5() throws Exception {
+        try {
+            JSONObject.fromObject("/**");
+            fail("Should have thrown a JSONException");
+        } catch (JSONException expected) {
+            // ok
+        }
+    }
+
+     public void testToJava_JSONObject_and_reset() throws Exception {
+         String json = "{bool:true,integer:1,string:\"json\"}";
+         JSONObject jsonObject = JSONObject.fromObject(json);
+diff --git a/src/main/java/net/sf/json/util/JSONTokener.java b/src/main/java/net/sf/json/util/JSONTokener.java
+index 4f6ff94..0cdde2b 100644
+--- a/src/main/java/net/sf/json/util/JSONTokener.java
+++ b/src/main/java/net/sf/json/util/JSONTokener.java
+@@ -196,6 +196,8 @@ public class JSONTokener {
+                      if( c == '*' ){
+                         if( next() == '/' ){
+                            break;
+                        } else if (!more()){
+                            return 0;
+                         }
+                         back();
+                      }
+diff --git a/src/test/java/net/sf/json/TestJSONSerializer.java b/src/test/java/net/sf/json/TestJSONSerializer.java
+index 7397769..89c145d 100644
+--- a/src/test/java/net/sf/json/TestJSONSerializer.java
+++ b/src/test/java/net/sf/json/TestJSONSerializer.java
+@@ -139,6 +139,15 @@ public class TestJSONSerializer extends TestCase {
+       assertEquals( beanB.getValue(), ((ValueBean) bb).getValue() );
+    }
+ 
+   public void testToJava_JSONObject_5() throws Exception {
+       try {
+           JSONObject.fromObject("/**");
+           fail("Should have thrown a JSONException");
+       } catch (JSONException expected) {
+           // ok
+       }
+   }
+
+    public void testToJava_JSONObject_and_reset() throws Exception {
+       String json = "{bool:true,integer:1,string:\"json\"}";
+       JSONObject jsonObject = JSONObject.fromObject( json );
+-- 
+2.43.0
+
--- a/json-lib.spec
+++ b/json-lib.spec
@ -1,6 +1,6 @@
 Name:           json-lib
 Version:        2.4
-Release:        22
+Release:        23
 Summary:        JSON library for Java
 License:        ASL 2.0
 URL:            http://json-lib.sourceforge.net/
@ -10,6 +10,8 @@ Source0:        %{name}-%{version}.tar.xz
 Source1:        jenkins-%{name}-%{version}.tar.xz
 Source2:        http://repo.jenkins-ci.org/releases/org/kohsuke/stapler/json-lib/%{version}-jenkins-3/json-lib-%{version}-jenkins-3.pom

+Patch1:  0001-fix-Handle-unbalanced-comment-string.patch
+
 BuildRequires:  java-devel maven-local maven-shared maven-surefire-provider-junit
 BuildRequires:  mvn(commons-beanutils:commons-beanutils) mvn(commons-lang:commons-lang)
 BuildRequires:  mvn(commons-collections:commons-collections) mvn(junit:junit) mvn(log4j:log4j)
@ -41,8 +43,10 @@ Obsoletes:      %{name}-javadoc < %{version}-%{release}
 Help documentation for json-lib package.

 %prep
-%autosetup -n %{name}-%{version} -p1
+%setup -q %{name}-%{version}
 tar xf %{SOURCE1}
+%patch -P1 -p1
+
 find -name "*.jar" -or -name "*.class" | xargs rm -rf

 %pom_xpath_set "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'org.codehaus.groovy']/pom:artifactId" groovy
@ -95,6 +99,9 @@ cd -
 %license LICENSE.txt

 %changelog
+* Mon Oct 07 2024 Deyuan Fan <fandeyuan@kylinos.cn> - 2.4-23
+- fix: Handle unbalanced comment string for CVE-2024-47855
+
 * Mon Aug 22 2022 wangkai <wangkai385@h-partners.com> - 2.4-22
 - Rebuild for log4j 2.17.2 fix CVE-2021-44832