Version in base suite: 2.2-2 Base version: json-smart_2.2-2 Target version: json-smart_2.2-2+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/j/json-smart/json-smart_2.2-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/j/json-smart/json-smart_2.2-2+deb11u1.dsc changelog | 25 + patches/0004-CVE-2021-31684-Fix-indexOf.patch | 27 + patches/0005-CVE-2023-1370-stack-overflow-due-to-excessive-recurs.patch | 156 ++++++++++ patches/01-bundle-dependencies.patch | 15 patches/02-ignore-failing-tests.patch | 16 - patches/series | 2 6 files changed, 234 insertions(+), 7 deletions(-)
diff -Nru json-smart-2.2/debian/changelog json-smart-2.2/debian/changelog
--- json-smart-2.2/debian/changelog 2017-10-16 13:52:50.000000000 +0000
+++ json-smart-2.2/debian/changelog 2024-04-26 10:27:32.000000000 +0000
@@ -1,3 +1,28 @@
+json-smart (2.2-2+deb11u1) bullseye; urgency=medium
+
+ * Non-maintainer upload.
+ * Rebuild for bullseye. (Closes: #1039985)
+
+ -- Andreas Beckmann Fri, 26 Apr 2024 12:27:32 +0200
+
+json-smart (2.2-2+deb10u1) buster-security; urgency=high
+
+ * Non-maintainer upload by the LTS team.
+ * CVE-2023-1370: stack overflow due to excessive recursion
+ When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code
+ parses an array or an object respectively. It was discovered that the
+ code does not have any limit to the nesting of such arrays or
+ objects. Since the parsing of nested arrays and objects is done
+ recursively, nesting too many of them can cause a stack exhaustion
+ (stack overflow) and crash the software. (Closes: #1033474)
+ * CVE-2021-31684: Fix indexOf
+ A vulnerability was discovered in the indexOf function of
+ JSONParserByteArray in JSON Smart versions 1.3 and 2.4
+ which causes a denial of service (DOS)
+ via a crafted web request.
+
+ -- Bastien Roucariès Wed, 29 Mar 2023 22:21:33 +0000
+
 json-smart (2.2-2) unstable; urgency=medium

 * Team upload.
diff -Nru json-smart-2.2/debian/patches/0004-CVE-2021-31684-Fix-indexOf.patch json-smart-2.2/debian/patches/0004-CVE-2021-31684-Fix-indexOf.patch
--- json-smart-2.2/debian/patches/0004-CVE-2021-31684-Fix-indexOf.patch 1970-01-01 00:00:00.000000000 +0000
+++ json-smart-2.2/debian/patches/0004-CVE-2021-31684-Fix-indexOf.patch 2024-04-26 10:27:32.000000000 +0000
@@ -0,0 +1,27 @@
+From: HAPPY
+Date: Fri, 16 Apr 2021 11:22:47 +0800
+Subject: CVE-2021-31684: Fix indexOf
+
+A vulnerability was discovered in the indexOf function of JSONParserByteArray
+in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS)
+via a crafted web request.
+
+origin: https://github.com/netplex/json-smart-v2/commit/6ecff1c2974eaaab2e74e441bdf5ba8495227bf5.patch
+bug: https://github.com/netplex/json-smart-v2/issues/67
+---
+ .../src/main/java/net/minidev/json/parser/JSONParserByteArray.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/json-smart/src/main/java/net/minidev/json/parser/JSONParserByteArray.java b/json-smart/src/main/java/net/minidev/json/parser/JSONParserByteArray.java
+index 1849116..605d007 100644
+--- a/json-smart/src/main/java/net/minidev/json/parser/JSONParserByteArray.java
++++ b/json-smart/src/main/java/net/minidev/json/parser/JSONParserByteArray.java
+@@ -75,7 +75,7 @@ class JSONParserByteArray extends JSONParserMemory {
+ }
+
+ protected int indexOf(char c, int pos) {
+- for (int i = pos; pos < len; i++)
++ for (int i = pos; i < len; i++)
+ if (in[i] == (byte) c)
+ return i;
+ return -1;
diff -Nru json-smart-2.2/debian/patches/0005-CVE-2023-1370-stack-overflow-due-to-excessive-recurs.patch json-smart-2.2/debian/patches/0005-CVE-2023-1370-stack-overflow-due-to-excessive-recurs.patch
--- json-smart-2.2/debian/patches/0005-CVE-2023-1370-stack-overflow-due-to-excessive-recurs.patch 1970-01-01 00:00:00.000000000 +0000
+++ json-smart-2.2/debian/patches/0005-CVE-2023-1370-stack-overflow-due-to-excessive-recurs.patch 2024-04-26 10:27:32.000000000 +0000
@@ -0,0 +1,156 @@
+From: UrielCh
+Date: Sun, 5 Mar 2023 13:01:10 +0200
+Subject: CVE-2023-1370: stack overflow due to excessive recursion
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code
+parses an array or an object respectively. It was discovered that the
+code does not have any limit to the nesting of such arrays or
+objects. Since the parsing of nested arrays and objects is done
+recursively, nesting too many of them can cause a stack exhaustion
+(stack overflow) and crash the software.
+
+origin: https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a.patch
+bug: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033474
+---
+ .../net/minidev/json/parser/JSONParserBase.java | 17 +++++++++++++-
+ .../net/minidev/json/parser/ParseException.java | 9 +++++++-
+ .../java/net/minidev/json/test/TestOverflow.java | 27 ++++++++++++++++++++++
+ 3 files changed, 51 insertions(+), 2 deletions(-)
+ create mode 100644 json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
+
+diff --git a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
+index 96d6bb6..f65b8c5 100644
+--- a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
++++ b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
+@@ -20,6 +20,7 @@ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_EOF;
+ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_LEADING_0;
+ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_TOKEN;
+ import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_UNICODE;
++import static net.minidev.json.parser.ParseException.ERROR_UNEXPECTED_JSON_DEPTH;
+
+ import java.io.IOException;
+ import java.math.BigDecimal;
+@@ -39,6 +40,12 @@ import net.minidev.json.writer.JsonReaderI;
+ */
+ abstract class JSONParserBase {
+ protected char c;
++ /**
++ * hard coded maximal depth for JSON parsing
++ */
++ public final static int MAX_DEPTH = 400;
++ protected int depth = 0;
++
+ JsonReader base;
+ public final static byte EOI = 0x1A;
+ protected static final char MAX_STOP = 126; // '}' -> 125
+@@ -232,9 +239,12 @@ abstract class JSONParserBase {
+ abstract protected void read() throws IOException;
+
+ protected T readArray(JsonReaderI mapper) throws ParseException, IOException {
+- Object current = mapper.createArray();
+ if (c != '[')
+ throw new RuntimeException("Internal Error");
++ if (++this.depth > MAX_DEPTH) {
++ throw new ParseException(pos, ERROR_UNEXPECTED_JSON_DEPTH, c);
++ }
++ Object current = mapper.createArray();
+ read();
+ boolean needData = false;
+ //
+@@ -249,6 +259,7 @@ abstract class JSONParserBase {
+ case ']':
+ if (needData && !acceptUselessComma)
+ throw new ParseException(pos, ERROR_UNEXPECTED_CHAR, (char) c);
++ this.depth--;
+ read(); /* unstack */
+ //
+ return mapper.convert(current);
+@@ -485,6 +496,9 @@ abstract class JSONParserBase {
+ //
+ if (c != '{')
+ throw new RuntimeException("Internal Error");
++ if (++this.depth > MAX_DEPTH) {
++ throw new ParseException(pos, ERROR_UNEXPECTED_JSON_DEPTH, c);
++ }
+ Object current = mapper.createObject();
+ boolean needData = false;
+ boolean acceptData = true;
+@@ -504,6 +518,7 @@ abstract class JSONParserBase {
+ case '}':
+ if (needData && !acceptUselessComma)
+ throw new ParseException(pos, ERROR_UNEXPECTED_CHAR, (char) c);
++ this.depth--;
+ read(); /* unstack */
+ //
+ return mapper.convert(current);
+diff --git a/json-smart/src/main/java/net/minidev/json/parser/ParseException.java b/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
+index e652cf2..42f11f2 100644
+--- a/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
++++ b/json-smart/src/main/java/net/minidev/json/parser/ParseException.java
+@@ -1,7 +1,7 @@
+ package net.minidev.json.parser;
+
+ /*
+- * Copyright 2011 JSON-SMART authors
++ * Copyright 2011-2023 JSON-SMART authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+@@ -30,6 +30,7 @@ public class ParseException extends Exception {
+ public static final int ERROR_UNEXPECTED_UNICODE = 4;
+ public static final int ERROR_UNEXPECTED_DUPLICATE_KEY = 5;
+ public static final int ERROR_UNEXPECTED_LEADING_0 = 6;
++ public static final int ERROR_UNEXPECTED_JSON_DEPTH = 7;
+
+ private int errorType;
+ private Object unexpectedObject;
+@@ -114,6 +115,12 @@ public class ParseException extends Exception {
+ sb.append(" at position ");
+ sb.append(position);
+ sb.append(".");
++ } else if (errorType == ERROR_UNEXPECTED_JSON_DEPTH) {
++ sb.append("Malicious payload, having non natural depths, parsing stoped on ");
++ sb.append(unexpectedObject);
++ sb.append(" at position ");
++ sb.append(position);
++ sb.append(".");
+ } else {
+ sb.append("Unkown error at position ");
+ sb.append(position);
+diff --git a/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java b/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
+new file mode 100644
+index 0000000..18b52e7
+--- /dev/null
++++ b/json-smart/src/test/java/net/minidev/json/test/TestOverflow.java
+@@ -0,0 +1,27 @@
++package net.minidev.json.test;
++
++import junit.framework.TestCase;
++import net.minidev.json.JSONValue;
++import net.minidev.json.parser.ParseException;
++
++public class TestOverflow extends TestCase {
++ public void testStress() throws Exception {
++ int size = 10000;
++ StringBuilder sb = new StringBuilder(10 + size*4);
++ for (int i=0; i < size; i++) {
++ sb.append("{a:");
++ }
++ sb.append("true");
++ for (int i=0; i < size; i++) {
++ sb.append("}");
++ }
++ String s = sb.toString();
++ try {
++ JSONValue.parseWithException(s);
++ } catch (ParseException e) {
++ assertEquals(e.getErrorType(), ParseException.ERROR_UNEXPECTED_JSON_DEPTH);
++ return;
++ }
++ assertEquals(0,1);
++ }
++}
diff -Nru json-smart-2.2/debian/patches/01-bundle-dependencies.patch json-smart-2.2/debian/patches/01-bundle-dependencies.patch
--- json-smart-2.2/debian/patches/01-bundle-dependencies.patch 2017-10-16 13:52:50.000000000 +0000
+++ json-smart-2.2/debian/patches/01-bundle-dependencies.patch 2024-04-26 10:27:32.000000000 +0000
@@ -1,7 +1,16 @@
-Description: Set the version and the type of the accessors-smart dependency
- to work around a build failure with maven-debian-helper
-Author: Emmanuel Bourg
+From: Emmanuel Bourg
+Date: Wed, 29 Mar 2023 21:54:56 +0000
+Subject: Set the version and the type of the accessors-smart dependency
+
 Forwarded: not-needed
+
+to work around a build failure with maven-debian-helper
+---
+ json-smart/pom.xml | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/json-smart/pom.xml b/json-smart/pom.xml
+index 33a7dc7..494f327 100644
 --- a/json-smart/pom.xml
 +++ b/json-smart/pom.xml
 @@ -32,6 +32,8 @@
diff -Nru json-smart-2.2/debian/patches/02-ignore-failing-tests.patch json-smart-2.2/debian/patches/02-ignore-failing-tests.patch
--- json-smart-2.2/debian/patches/02-ignore-failing-tests.patch 2017-10-16 13:52:50.000000000 +0000
+++ json-smart-2.2/debian/patches/02-ignore-failing-tests.patch 2024-04-26 10:27:32.000000000 +0000
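Review bot: The nesting counter introduced in readArray and readObject (`if (++this.depth > MAX_DEPTH)`) is decremented only on the normal `]` / `}` exit, so any ParseException raised inside a nested container, including the depth error itself, returns with `depth` still elevated, and no reset of the field is visible in this hunk. If a JSONParserBase instance is reused for a later document (the top-level parse entry point is outside this hunk, so I cannot confirm whether it resets state), the remaining budget shrinks after every failed parse until shallow, valid input is rejected with ERROR_UNEXPECTED_JSON_DEPTH; the drift is fail-closed, so it does not weaken the stack-exhaustion fix, but it is an availability regression for long-lived parser objects. Resetting at the start of the top-level parse method, `this.depth = 0;`, or decrementing in a `finally` around each reader body, would keep the counter tied to a single document. Two smaller nits on the new side: the new message string has `stoped` for `stopped`, and `assertEquals(0,1);` in TestOverflow would read more clearly as `fail("expected ERROR_UNEXPECTED_JSON_DEPTH");`.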
@@ -1,9 +1,17 @@
-Description: Ignore TestDateConvert due to timezone dependent tests
-Author: Emmanuel Bourg
+From: Emmanuel Bourg
+Date: Wed, 29 Mar 2023 21:54:56 +0000
+Subject: Ignore TestDateConvert due to timezone dependent tests
+
 Bug: https://github.com/netplex/json-smart-v2/issues/29
+---
+ .../src/test/java/net/minidev/asm/TestDateConvert.java | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/accessors-smart/src/test/java/net/minidev/asm/TestDateConvert.java b/accessors-smart/src/test/java/net/minidev/asm/TestDateConvert.java
+index af34745..01a1552 100644
 --- a/accessors-smart/src/test/java/net/minidev/asm/TestDateConvert.java
 +++ b/accessors-smart/src/test/java/net/minidev/asm/TestDateConvert.java
-@@ -11,7 +11,7 @@
+@@ -11,7 +11,7 @@ import junit.framework.TestCase;
 public class TestDateConvert extends TestCase {
 SimpleDateFormat sdf = new SimpleDateFormat("dd/MM/yyyy HH:mm:ss");
@@ -12,7 +20,7 @@
 String expectedDateText = "23/01/2012 13:42:12";
 ArrayList tests = new ArrayList();
 tests.add("23 janvier 2012 13:42:12");
-@@ -35,23 +35,23 @@
+@@ -35,23 +35,23 @@ public class TestDateConvert extends TestCase {
 ConvertDate.convertToDate(testDate);
 }
diff -Nru json-smart-2.2/debian/patches/series json-smart-2.2/debian/patches/series
--- json-smart-2.2/debian/patches/series 2017-10-16 13:52:50.000000000 +0000
+++ json-smart-2.2/debian/patches/series 2024-04-26 10:27:32.000000000 +0000
@@ -1,3 +1,5 @@
 01-bundle-dependencies.patch
 02-ignore-failing-tests.patch
 maven-bundle-plugin-failok.patch
+0004-CVE-2021-31684-Fix-indexOf.patch
+0005-CVE-2023-1370-stack-overflow-due-to-excessive-recurs.patch