Update to 2.5.2 for fix CVE-2024-57699

(cherry picked from commit 227451f233c5a0f372943e639ef3a6767db189d2)

CVE-2023-1370.patch

@@ -1,161 +0,0 @@
-From: UrielCh <uriel.chemouni@gmail.com>
-Date: Sun, 5 Mar 2023 13:01:10 +0200
-Subject: CVE-2023-1370: stack overflow due to excessive recursion
-MIME-Version: 1.0
-Content-Type: text/plain; charset="utf-8"
-Content-Transfer-Encoding: 8bit
-
-When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code
-parses an array or an object respectively. It was discovered that the
-code does not have any limit to the nesting of such arrays or
-objects. Since the parsing of nested arrays and objects is done
-recursively, nesting too many of them can cause a stack exhaustion
-(stack overflow) and crash the software.
-
-origin:
-https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a.patch
-bug:
-https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
-bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033474
----
- .../minidev/json/parser/JSONParserBase.java   | 17 +++++++++++-
- .../minidev/json/parser/ParseException.java   |  9 ++++++-
- .../net/minidev/json/test/TestOverflow.java   | 27 +++++++++++++++++++
- 3 files changed, 51 insertions(+), 2 deletions(-)
- create mode 100644 json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
-
-diff --git a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
-index 5a0e67f..06f45a3 100644
---- a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
-+++ b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
-@@ -20,6 +20,7 @@ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_EOF;
- import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_LEADING_0;
- import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_TOKEN;
- import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_UNICODE;
-+import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_JSON_DEPTH;
- 
- import java.io.IOException;
- import java.math.BigDecimal;
-@@ -39,6 +40,12 @@ import net.minidev.json.writer.JsonReaderI;
-  */
- abstract class JSONParserBase {
- 	protected char c;
-+	/**
-+	 * hard coded maximal depth for JSON parsing
-+	 */
-+	public final static int MAX_DEPTH = 400;
-+	protected int depth = 0;
-+
- 	JsonReader base;
- 	public final static byte EOI = 0x1A;
- 	protected static final char MAX_STOP = 126; // '}' -> 125
-@@ -284,9 +291,12 @@ abstract class JSONParserBase {
- 	abstract protected void read() throws IOException;
- 
- 	protected <T> T readArray(JsonReaderI<T> mapper) throws ParseException, IOException {
--		Object current = mapper.createArray();
- 		if (c != '[')
- 			throw new RuntimeException("Internal Error");
-+		if (++this.depth > MAX_DEPTH) {
-+			throw new ParseException(pos, ERROR_UNEXPECTED_JSON_DEPTH, c);
-+		}
-+		Object current = mapper.createArray();
- 		read();
- 		boolean needData = false;
- 		// special case needData is false and can close is true
-@@ -303,6 +313,7 @@ abstract class JSONParserBase {
- 			case ']':
- 				if (needData && !acceptUselessComma)
- 					throw new ParseException(pos, ERROR_UNEXPECTED_CHAR, (char) c);
-+				this.depth--;
- 				read(); /* unstack */
- 				//
- 				return mapper.convert(current);
-@@ -539,6 +550,9 @@ abstract class JSONParserBase {
- 		//
- 		if (c != '{')
- 			throw new RuntimeException("Internal Error");
-+		if (++this.depth > MAX_DEPTH) {
-+			throw new ParseException(pos, ERROR_UNEXPECTED_JSON_DEPTH, c);
-+		}
- 		Object current = mapper.createObject();
- 		boolean needData = false;
- 		boolean acceptData = true;
-@@ -558,6 +572,7 @@ abstract class JSONParserBase {
- 			case '}':
- 				if (needData && !acceptUselessComma)
- 					throw new ParseException(pos, ERROR_UNEXPECTED_CHAR, (char) c);
-+				this.depth--;
- 				read(); /* unstack */
- 				//
- 				return mapper.convert(current);
-diff --git a/json-smart/src/main/java/net/minidev/json/parser/ParseException.java b/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
-index e9332d9..5f81021 100644
---- a/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
-+++ b/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
-@@ -1,7 +1,7 @@
- package net.minidev.json.parser;
- 
- /*
-- *    Copyright 2011 JSON-SMART authors
-+ *    Copyright 2011-2023 JSON-SMART authors
-  *
-  * Licensed under the Apache License, Version 2.0 (the "License");
-  * you may not use this file except in compliance with the License.
-@@ -30,6 +30,7 @@ public class ParseException extends Exception {
- 	public static final int ERROR_UNEXPECTED_UNICODE = 4;
- 	public static final int ERROR_UNEXPECTED_DUPLICATE_KEY = 5;
- 	public static final int ERROR_UNEXPECTED_LEADING_0 = 6;
-+	public static final int ERROR_UNEXPECTED_JSON_DEPTH = 7;
- 
- 	private int errorType;
- 	private Object unexpectedObject;
-@@ -114,6 +115,12 @@ public class ParseException extends Exception {
- 			sb.append(" at position ");
- 			sb.append(position);
- 			sb.append(".");
-+		} else if (errorType == ERROR_UNEXPECTED_JSON_DEPTH) {
-+			sb.append("Malicious payload, having non natural depths, parsing stoped on ");
-+			sb.append(unexpectedObject);
-+			sb.append(" at position ");
-+			sb.append(position);
-+			sb.append(".");
- 		} else {
- 			sb.append("Unkown error at position ");
- 			sb.append(position);
-diff --git a/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java b/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
-new file mode 100644
-index 0000000..18b52e7
---- /dev/null
-+++ b/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
-@@ -0,0 +1,27 @@
-+package net.minidev.json.test;
-+
-+import junit.framework.TestCase;
-+import net.minidev.json.JSONValue;
-+import net.minidev.json.parser.ParseException;
-+
-+public class TestOverflow extends TestCase {
-+	public void testStress() throws Exception {
-+		int size = 10000;
-+		StringBuilder sb = new StringBuilder(10 + size*4);
-+		for (int i=0; i < size; i++) {
-+			sb.append("{a:");
-+		}
-+		sb.append("true");
-+		for (int i=0; i < size; i++) {
-+			sb.append("}");
-+		}
-+		String s = sb.toString();
-+		try {
-+			JSONValue.parseWithException(s);
-+		} catch (ParseException e) {
-+			assertEquals(e.getErrorType(), ParseException.ERROR_UNEXPECTED_JSON_DEPTH);
-+			return;
-+		}
-+		assertEquals(0,1);
-+	}
-+}
--- 
-2.33.0
-

json-smart.spec

@@ -1,12 +1,11 @@
 Name:                json-smart
-Version:             2.4.8
+Version:             2.5.2
 Release:             1
 Summary:             A small and very fast json parser/generator for java
-License:             ASL 2.0
+License:             Apache-2.0
 URL:                 https://github.com/netplex/json-smart-v2
-Source0:             https://github.com/netplex/%{name}-v2/archive/2.4.8/%{name}-v2-%{version}.tar.gz
+Source0:             https://github.com/netplex/%{name}-v2/archive/%{version}/%{name}-v2-%{version}.tar.gz
 Source1:             https://repo.maven.apache.org/maven2/net/minidev/minidev-parent/2.4.4/minidev-parent-2.4.4.pom
-Patch0001:           CVE-2023-1370.patch
 BuildRequires:       maven-local mvn(junit:junit) mvn(org.apache.felix:maven-bundle-plugin)
 BuildRequires:       mvn(org.ow2.asm:asm) mvn(org.sonatype.oss:oss-parent:pom:)
 BuildRequires:       mvn(org.apache.maven.plugins:maven-source-plugin)
@@ -47,6 +46,9 @@ rm accessors-smart/src/test/java/net/minidev/asm/TestDateConvert.java
 %license LICENSE.txt
 
 %changelog
+* Mon Feb 17 2025 yaoxin <1024769339@qq.com> - 2.5.2-1
+- Update to 2.5.2 for fix CVE-2024-57699
+
 * Sun Feb 04 2024 Ge Wang <wang__ge@126.com> - 2.4.8-1
 - update to version 2.4.8