update to version 2.4.8

2024-02-04 11:11:01 +08:00 · 2024-02-04 11:11:01 +08:00 · 9dfea7bfa5
commit 9dfea7bfa5
parent 37baffcd44
5 changed files with 304 additions and 26 deletions
--- a/2.2.tar.gz
+++ b/2.2.tar.gz
--- a/CVE-2023-1370.patch
+++ b/CVE-2023-1370.patch
@ -12,18 +12,20 @@ objects. Since the parsing of nested arrays and objects is done
 recursively, nesting too many of them can cause a stack exhaustion
 (stack overflow) and crash the software.

-origin: https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a.patch
-bug: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
+origin:
+https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a.patch
+bug:
+https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
 bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033474
 ---
- .../net/minidev/json/parser/JSONParserBase.java    | 17 +++++++++++++-
- .../net/minidev/json/parser/ParseException.java    |  9 +++++++-
- .../java/net/minidev/json/test/TestOverflow.java   | 27 ++++++++++++++++++++++
+ .../minidev/json/parser/JSONParserBase.java   | 17 +++++++++++-
+ .../minidev/json/parser/ParseException.java   |  9 ++++++-
+ .../net/minidev/json/test/TestOverflow.java   | 27 +++++++++++++++++++
 3 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100644 json-smart/src/test/java/net/minidev/json/test/TestOverflow.java

 diff --git a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
-index 96d6bb6..f65b8c5 100644
+index 5a0e67f..06f45a3 100644
 --- a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
 +++ b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
@@ -20,6 +20,7 @@ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_EOF;
@ -38,7 +40,7 @@ index 96d6bb6..f65b8c5 100644
  */
 abstract class JSONParserBase {
 	protected char c;
-+   	/**
+	/**
 +	 * hard coded maximal depth for JSON parsing
 +	 */
 +	public final static int MAX_DEPTH = 400;
@ -47,7 +49,7 @@ index 96d6bb6..f65b8c5 100644
 	JsonReader base;
 	public final static byte EOI = 0x1A;
 	protected static final char MAX_STOP = 126; // '}' -> 125
-@@ -232,9 +239,12 @@ abstract class JSONParserBase {
+@@ -284,9 +291,12 @@ abstract class JSONParserBase {
 	abstract protected void read() throws IOException;
 
 	protected <T> T readArray(JsonReaderI<T> mapper) throws ParseException, IOException {
@ -60,8 +62,8 @@ index 96d6bb6..f65b8c5 100644
 +		Object current = mapper.createArray();
 		read();
 		boolean needData = false;
- 		//
-@@ -249,6 +259,7 @@ abstract class JSONParserBase {
+ 		// special case needData is false and can close is true
+@@ -303,6 +313,7 @@ abstract class JSONParserBase {
 			case ']':
 				if (needData && !acceptUselessComma)
 					throw new ParseException(pos, ERROR_UNEXPECTED_CHAR, (char) c);
@ -69,7 +71,7 @@ index 96d6bb6..f65b8c5 100644
 				read(); /* unstack */
 				//
 				return mapper.convert(current);
-@@ -485,6 +496,9 @@ abstract class JSONParserBase {
+@@ -539,6 +550,9 @@ abstract class JSONParserBase {
 		//
 		if (c != '{')
 			throw new RuntimeException("Internal Error");
@ -79,7 +81,7 @@ index 96d6bb6..f65b8c5 100644
 		Object current = mapper.createObject();
 		boolean needData = false;
 		boolean acceptData = true;
-@@ -504,6 +518,7 @@ abstract class JSONParserBase {
+@@ -558,6 +572,7 @@ abstract class JSONParserBase {
 			case '}':
 				if (needData && !acceptUselessComma)
 					throw new ParseException(pos, ERROR_UNEXPECTED_CHAR, (char) c);
@ -88,7 +90,7 @@ index 96d6bb6..f65b8c5 100644
 				//
 				return mapper.convert(current);
 diff --git a/json-smart/src/main/java/net/minidev/json/parser/ParseException.java b/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
-index e652cf2..42f11f2 100644
+index e9332d9..5f81021 100644
 --- a/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
 +++ b/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
@@ -1,7 +1,7 @@
@ -154,3 +156,6 @@ index 0000000..18b52e7
 +		assertEquals(0,1);
 +	}
 +}
+-- 
+2.33.0
+
--- a/json-smart-v2-2.4.8.tar.gz
+++ b/json-smart-v2-2.4.8.tar.gz
--- a/json-smart.spec
+++ b/json-smart.spec
@ -1,13 +1,16 @@
 Name:                json-smart
-Version:             2.2
-Release:             2
+Version:             2.4.8
+Release:             1
 Summary:             A small and very fast json parser/generator for java
 License:             ASL 2.0
 URL:                 https://github.com/netplex/json-smart-v2
-Source0:             https://github.com/netplex/json-smart-v2/archive/%{version}.tar.gz
+Source0:             https://github.com/netplex/%{name}-v2/archive/2.4.8/%{name}-v2-%{version}.tar.gz
+Source1:             https://repo.maven.apache.org/maven2/net/minidev/minidev-parent/2.4.4/minidev-parent-2.4.4.pom
 Patch0001:           CVE-2023-1370.patch
 BuildRequires:       maven-local mvn(junit:junit) mvn(org.apache.felix:maven-bundle-plugin)
 BuildRequires:       mvn(org.ow2.asm:asm) mvn(org.sonatype.oss:oss-parent:pom:)
+BuildRequires:       mvn(org.apache.maven.plugins:maven-source-plugin)
+BuildRequires:       mvn(org.junit.jupiter:junit-jupiter-api)
 BuildArch:           noarch
 %description
 Json-smart is a performance focused, JSON processor lib.
@ -19,25 +22,21 @@ This package contains javadoc for %{name}.

 %prep
 %autosetup -n %{name}-v2-%{version} -p1
-%pom_remove_dep :json-smart-mini parent
-%pom_remove_plugin :maven-javadoc-plugin parent
-%pom_remove_plugin :maven-source-plugin parent
-%pom_xpath_set "pom:dependency[pom:artifactId='accessors-smart']/pom:version" '${project.version}' parent
+cp %{SOURCE1} ./pom.xml
+%pom_remove_dep :json-smart-mini
+%pom_remove_plugin :maven-javadoc-plugin
+%pom_remove_plugin :maven-source-plugin
 %pom_xpath_set "pom:Bundle-Version" "1.1" accessors-smart
-%pom_xpath_remove "pom:Embed-Dependency" accessors-smart
-%pom_xpath_remove "pom:Embed-Dependency" %{name}
-%pom_xpath_inject "pom:dependency[pom:artifactId='accessors-smart']" "<version>%{version}</version>" %{name}
-%pom_xpath_remove "pom:project/pom:version" accessors-smart
-%pom_xpath_inject "pom:project" "<version>%{version}</version>" accessors-smart
 cp -p %{name}/*.txt .
 %mvn_file :%{name} %{name}
 %mvn_file :accessors-smart accessors-smart
 rm accessors-smart/src/test/java/net/minidev/asm/TestDateConvert.java

 %build
-%mvn_build -- -f parent/pom.xml
+%mvn_build -f 

 %install
+
 %mvn_install

 %files -f .mfiles
@ -48,6 +47,9 @@ rm accessors-smart/src/test/java/net/minidev/asm/TestDateConvert.java
 %license LICENSE.txt

 %changelog
+* Sun Feb 04 2024 Ge Wang <wang__ge@126.com> - 2.4.8-1
+- update to version 2.4.8
+
 * Tue Apr 04 2023 liyuxiang <liyuxiang@ncti-gba.cn> - 2.2-2
 - fix CVE-2023-1370

--- a/minidev-parent-2.4.4.pom
+++ b/minidev-parent-2.4.4.pom
@ -0,0 +1,271 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<groupId>net.minidev</groupId>
+	<artifactId>minidev-parent</artifactId>
+	<version>2.4.4</version>
+	<name>Minidev super pom</name>
+	<description>minidev common properties.</description>
+	<packaging>pom</packaging>
+	<url>https://urielch.github.io/</url>
+
+	<organization>
+		<name>Chemouni Uriel</name>
+		<url>https://urielch.github.io/</url>
+	</organization>
+
+	<developers>
+		<developer>
+			<id>uriel</id>
+			<name>Uriel Chemouni</name>
+			<email>uchemouni@gmail.com</email>
+			<timezone>GMT+3</timezone>
+			<roles>
+			</roles>
+		</developer>
+	</developers>
+
+	<licenses>
+		<license>
+			<name>The Apache Software License, Version 2.0</name>
+			<url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+			<distribution>repo</distribution>
+			<comments>All files under Apache 2</comments>
+		</license>
+	</licenses>
+
+	<properties>
+		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+		<maven.compiler.source>1.8</maven.compiler.source>
+		<maven.compiler.target>1.8</maven.compiler.target>
+	</properties>
+
+	<build>
+		<plugins>
+			<plugin> <!-- updated on 04/04/2021 -->
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-source-plugin</artifactId>
+				<version>3.2.1</version>
+				<executions>
+					<execution>
+						<id>bind-sources</id>
+						<goals>
+							<goal>jar-no-fork</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
+
+			<plugin> <!-- updated on 04/04/2021 -->
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-compiler-plugin</artifactId>
+				<version>3.8.1</version>
+				<configuration>
+					<encoding>UTF-8</encoding>
+					<source>${maven.compiler.source}</source>
+					<target>${maven.compiler.target}</target>
+				</configuration>
+			</plugin>
+
+			<plugin> <!-- updated on 04/04/2021 -->
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-resources-plugin</artifactId>
+				<version>3.2.0</version>
+				<configuration>
+					<encoding>UTF-8</encoding>
+				</configuration>
+			</plugin>
+
+			<plugin> <!-- updated on 04/04/2021 -->
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-jar-plugin</artifactId>
+				<version>3.2.0</version>
+				<configuration>
+				</configuration>
+			</plugin>
+
+			<plugin> <!-- updated on 04/04/2021 -->
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-javadoc-plugin</artifactId>
+				<version>3.2.0</version>
+				<!-- ONLY NEEDED With jdk 1.7+ -->
+				<configuration>
+					<failOnError>false</failOnError>
+					<!-- <additionalparam>-Xdoclint:none</additionalparam> -->
+				</configuration>
+				<executions>
+					<execution>
+						<id>attach-javadocs</id>
+						<goals>
+							<goal>jar</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
+		</plugins>
+	</build>
+
+	<scm>
+		<connection>scm:git:https://github.com/netplex/json-smart-v2.git</connection>
+		<developerConnection>scm:git:https://github.com/netplex/json-smart-v2.git</developerConnection>
+		<url>https://github.com/netplex/json-smart-v2</url>
+	</scm>
+
+	<reporting>
+		<plugins>
+			<plugin> <!-- updated on 04/04/2021 -->
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-checkstyle-plugin</artifactId>
+				<version>3.1.2</version>
+				<configuration>
+					<configLocation>google_checks.xml</configLocation>
+				</configuration>
+			</plugin>
+		</plugins>
+	</reporting>
+
+	<modules>
+		<module>accessors-smart</module>
+		<!-- <module>json-smart-action</module> -->
+		<module>json-smart</module>
+	</modules>
+
+	<distributionManagement>
+		<snapshotRepository>
+			<id>ossrh</id>
+			<url>https://oss.sonatype.org/content/repositories/snapshots</url>
+		</snapshotRepository>
+		<repository>
+			<id>ossrh</id>
+			<url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
+		</repository>
+	</distributionManagement>
+	<!-- release with: mvn clean deploy -P release-sign-artifacts-->
+	<profiles>
+		<profile>
+			<id>release-sign-artifacts</id>
+			<activation>
+				<property>
+					<!-- will be set by the release plugin upon performing mvn release:perform -->
+					<name>performRelease</name>
+					<value>true</value>
+				</property>
+			</activation>
+			<properties>
+				<!--<gpg.keyname>8E322ED0</gpg.keyname> -->
+				<!-- 2C8DF6EC Loosed Key -->
+				<!-- <gpg.keyname>2C8DF6EC</gpg.keyname> -->
+				<!-- 2021 rsa4096 key-->
+				<gpg.keyname>53BE126D</gpg.keyname>
+				<!-- <gpg.keyname>Uriel Chemouni (dev) <uchemouni@gmail.com></gpg.keyname> -->
+				<!-- GPG Key ID to use for signing -->
+			</properties>
+			<build>
+				<plugins>
+					<!-- Enable signing of the artifacts For gpg:sign-and-deploy-file it's 
+						necessary to have a <server> with the repositoryId provided or id="remote-repository" 
+						defined in settings.xml (it contains the repository's login, psw) Signing: 
+						mvn gpg:sign-and-deploy-file -DpomFile=target/myapp-1.0.pom -Dfile=target/myapp-1.0.jar 
+						-Durl=http://oss.sonatype.org/content/repositories/malyvelky/ -DrepositoryId=sonatype_oss 
+						Note normally it uses the defaul key but we can ovveride it by either setting 
+						the property gpg.keyname (done in this POM) or by providing -Dkeyname=66AE163A 
+						on the command line. OR directly w/ gpg (remove space in - -): gpg -u 66AE163A 
+						- -sign - -detach-sign -a target/dbunit-embeddedderby-parenttest.jar Note: 
+						"mvn gpg:sign" results in NPE with v 1.o-a.-4, use "mvn package gpg:sign" 
+						instead; see the issue MGPG-18 -->
+					<plugin> <!-- updated on 29/07/2015 -->
+						<groupId>org.apache.maven.plugins</groupId>
+						<artifactId>maven-gpg-plugin</artifactId>
+
+						<version>1.6</version>
+						<executions>
+							<execution>
+								<id>sign-artifacts</id>
+								<phase>verify</phase>
+								<goals>
+									<goal>sign</goal>
+								</goals>
+							</execution>
+						</executions>
+					</plugin>
+					<!-- Publish also javadocs when releasing - required by Sonatype -->
+					<plugin>
+						<groupId>org.apache.maven.plugins</groupId>
+						<artifactId>maven-javadoc-plugin</artifactId>
+						<executions>
+							<execution>
+								<id>attach-javadocs</id>
+								<goals>
+									<goal>jar</goal>
+								</goals>
+							</execution>
+						</executions>
+					</plugin>
+					<!-- Release Plugin (Update version in POM before/after release, create 
+						tag, deploy) to try: mvn release:prepare -DdryRun=true && mvn release:clean 
+						to perform: mvn release:prepare release:perform Read http://nexus.sonatype.org/oss-repository-hosting.html#3 
+						for instructions on releasing to this project's Sonatype repository -->
+					<plugin> <!-- updated on 04/04/2021 -->
+						<groupId>org.apache.maven.plugins</groupId>
+						<artifactId>maven-release-plugin</artifactId>
+						<version>3.0.0-M1</version>
+						<configuration>
+							<mavenExecutorId>forked-path</mavenExecutorId>
+							<arguments>-Psonatype-oss-release</arguments>
+							<autoVersionSubmodules>false</autoVersionSubmodules>
+							<useReleaseProfile>false</useReleaseProfile>
+							<releaseProfiles>release</releaseProfiles>
+							<goals>deploy</goals>
+						</configuration>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+		<profile>
+			<id>include-sources</id>
+			<build>
+				<resources>
+					<resource>
+						<targetPath>/</targetPath>
+						<filtering>true</filtering>
+						<directory>src/main/java</directory>
+						<includes>
+							<include>**/*.java</include>
+						</includes>
+					</resource>
+				</resources>
+			</build>
+		</profile>
+	</profiles>
+	<dependencyManagement>
+		<dependencies>
+			<dependency>
+				<groupId>net.minidev</groupId>
+				<artifactId>json-smart</artifactId>
+				<version>${project.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>net.minidev</groupId>
+				<artifactId>json-smart-action</artifactId>
+				<version>${project.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>net.minidev</groupId>
+				<artifactId>json-smart-mini</artifactId>
+				<version>${project.version}</version>
+			</dependency>
+			<dependency>
+    			<groupId>org.junit.jupiter</groupId>
+    			<artifactId>junit-jupiter-api</artifactId>
+    			<version>5.7.1</version>
+    			<scope>test</scope>
+			</dependency>
+			<dependency>
+    			<groupId>org.junit.jupiter</groupId>
+    			<artifactId>junit-jupiter-params</artifactId>
+    			<version>5.7.1</version>
+    			<scope>test</scope>
+			</dependency>
+		</dependencies>
+	</dependencyManagement>
+</project>