Version in base suite: 4.030-2 Base version: libjson-xs-perl_4.030-2 Target version: libjson-xs-perl_4.040-1~deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libj/libjson-xs-perl/libjson-xs-perl_4.030-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libj/libjson-xs-perl/libjson-xs-perl_4.040-1~deb13u1.dsc Changes | 13 +++++++++++++ META.json | 5 +++-- META.yml | 5 +++-- README | 12 ++++++------ XS.pm | 16 ++++++++-------- XS.xs | 14 +++++++------- debian/changelog | 23 +++++++++++++++++++++++ debian/patches/fix-spelling.patch | 19 ------------------- debian/patches/series | 1 - 9 files changed, 63 insertions(+), 45 deletions(-) diff -Nru libjson-xs-perl-4.030/Changes libjson-xs-perl-4.040/Changes --- libjson-xs-perl-4.030/Changes 2020-10-27 18:05:18.000000000 +0000 +++ libjson-xs-perl-4.040/Changes 2025-09-08 12:51:12.000000000 +0000 
@@ -6,6 +6,19 @@ TODO: investigate magic (Eric Brine) TODO: [PATCH] Types::Serialiser: Inline true(), false() and error() functions TODO: replace bool_stash by BOOL_STASH seems to work with mod_perl, make a compile time option? +TODO: https://github.com/ulfjack/ryu https://lemire.me/blog/2020/03/10/fast-float-parsing-in-practice/ / https://github.com/lemire/fast_double_parser + +TODO: validate_utf8, apparewntly some people confuse themselves. +TODO: security considerations +TODO: perl 5.36 has builtin::true/false/is_bool. Not sure how to integrate those. + +4.04 Fri 05 Sep 2025 23:59:48 CEST + - fix heap overflow causing crashes, possibly information + disclosure or worse (CVE-2025-40928), and causes JSON::XS to + accept invalid JSON texts as valid in some cases. Thanks to + Michael Hudak for finding this, the CPAN Security Group for + coordinating this, and Reini Urban for double-checking the patch + (and Peter Juhasz for potentially reporting this much earlier). 4.03 Tue Oct 27 19:05:01 CET 2020 - when parsing comments in relaxed mode, JSON::XS would detect garbage diff -Nru libjson-xs-perl-4.030/META.json libjson-xs-perl-4.040/META.json --- libjson-xs-perl-4.030/META.json 2020-10-27 18:05:48.000000000 +0000 +++ libjson-xs-perl-4.040/META.json 2025-09-08 12:51:31.000000000 +0000 @@ -4,7 +4,7 @@ "unknown" ], "dynamic_config" : 1, - "generated_by" : "ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150001", + "generated_by" : "ExtUtils::MakeMaker version 7.70, CPAN::Meta::Converter version 2.150010", "license" : [ "unknown" ], @@ -39,5 +39,6 @@ } }, "release_status" : "stable", - "version" : "4.03" + "version" : "4.04", + "x_serialization_backend" : "JSON::PP version 2.27300" } diff -Nru libjson-xs-perl-4.030/META.yml libjson-xs-perl-4.040/META.yml --- libjson-xs-perl-4.030/META.yml 2020-10-27 18:05:48.000000000 +0000 +++ libjson-xs-perl-4.040/META.yml 2025-09-08 12:51:31.000000000 +0000 
@@ -8,7 +8,7 @@ Canary::Stability: '0' ExtUtils::MakeMaker: '6.52' dynamic_config: 1 -generated_by: 'ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150001' +generated_by: 'ExtUtils::MakeMaker version 7.70, CPAN::Meta::Converter version 2.150010' license: unknown meta-spec: url: http://module-build.sourceforge.net/META-spec-v1.4.html @@ -21,4 +21,5 @@ requires: Types::Serialiser: '0' common::sense: '0' -version: '4.03' +version: '4.04' +x_serialization_backend: 'CPAN::Meta::YAML version 0.012' diff -Nru libjson-xs-perl-4.030/README libjson-xs-perl-4.040/README --- libjson-xs-perl-4.030/README 2020-10-27 18:05:49.000000000 +0000 +++ libjson-xs-perl-4.040/README 2025-09-08 12:51:31.000000000 +0000 @@ -374,7 +374,7 @@ $json = $json->allow_nonref ([$enable]) $enabled = $json->get_allow_nonref - Unlike other boolean options, this opotion is enabled by default + Unlike other boolean options, this option is enabled by default beginning with version 4.0. See "SECURITY CONSIDERATIONS" for the gory details. @@ -745,7 +745,7 @@ [, - In reality, hopwever, the parser might continue to read data until a + In reality, however, the parser might continue to read data until a length limit is exceeded or it finds a closing bracket. EXAMPLES @@ -1089,7 +1089,7 @@ encoded into JSON. This scalar replaces the object in the JSON text. For example, the following "TO_JSON" method will convert all URI - objects to JSON strings when serialised. The fatc that these values + objects to JSON strings when serialised. The fact that these values originally were URI objects is lost. sub URI::TO_JSON { 
@@ -1492,7 +1492,7 @@ $json_coder = JSON::XS->new->allow_nonref (0) This is a somewhat unhappy situation, and the blame can fully be put on - JSON's inmventor, Douglas Crockford, who unilaterally changed the format + JSON's inventor, Douglas Crockford, who unilaterally changed the format in 2006 without consulting the IETF, forcing the IETF to either fork the format or go with it (as I was told, the IETF wasn't amused). @@ -1548,7 +1548,7 @@ INTEROPERABILITY WITH OTHER MODULES "JSON::XS" uses the Types::Serialiser module to provide boolean constants. That means that the JSON true and false values will be - comaptible to true and false values of other modules that do the same, + compatible to true and false values of other modules that do the same, such as JSON::PP and CBOR::XS. INTEROPERABILITY WITH OTHER JSON DECODERS @@ -1570,7 +1570,7 @@ TAGGED VALUE SYNTAX AND STANDARD JSON EN/DECODERS When you use "allow_tags" to use the extended (and also nonstandard and invalid) JSON syntax for serialised objects, and you still want to - decode the generated When you want to serialise objects, you can run a + decode the generated text with a standard JSON decoder, you can run a regex to replace the tagged syntax by standard JSON arrays (it only works for "normal" package names without comma, newlines or single colons). First, the readable Perl version: diff -Nru libjson-xs-perl-4.030/XS.pm libjson-xs-perl-4.040/XS.pm --- libjson-xs-perl-4.030/XS.pm 2020-10-27 18:05:46.000000000 +0000 +++ libjson-xs-perl-4.040/XS.pm 2025-09-08 11:53:46.000000000 +0000 @@ -89,7 +89,7 @@ use common::sense; -our $VERSION = '4.03'; +our $VERSION = '4.04'; our @ISA = qw(Exporter); our @EXPORT = qw(encode_json decode_json); 
@@ -431,7 +431,7 @@ =item $enabled = $json->get_allow_nonref -Unlike other boolean options, this opotion is enabled by default beginning +Unlike other boolean options, this option is enabled by default beginning with version C<4.0>. See L for the gory details. If C<$enable> is true (or missing), then the C method can convert a @@ -823,7 +823,7 @@ [, -In reality, hopwever, the parser might continue to read data until a +In reality, however, the parser might continue to read data until a length limit is exceeded or it finds a closing bracket. =head2 EXAMPLES @@ -1195,7 +1195,7 @@ JSON. This scalar replaces the object in the JSON text. For example, the following C method will convert all L -objects to JSON strings when serialised. The fatc that these values +objects to JSON strings when serialised. The fact that these values originally were L objects is lost. sub URI::TO_JSON { @@ -1618,7 +1618,7 @@ $json_coder = JSON::XS->new->allow_nonref (0) This is a somewhat unhappy situation, and the blame can fully be put on -JSON's inmventor, Douglas Crockford, who unilaterally changed the format +JSON's inventor, Douglas Crockford, who unilaterally changed the format in 2006 without consulting the IETF, forcing the IETF to either fork the format or go with it (as I was told, the IETF wasn't amused). @@ -1680,7 +1680,7 @@ C uses the L module to provide boolean constants. That means that the JSON true and false values will be -comaptible to true and false values of other modules that do the same, +compatible to true and false values of other modules that do the same, such as L and L. 
@@ -1705,8 +1705,8 @@ When you use C to use the extended (and also nonstandard and invalid) JSON syntax for serialised objects, and you still want to decode -the generated When you want to serialise objects, you can run a regex -to replace the tagged syntax by standard JSON arrays (it only works for +the generated text with a standard JSON decoder, you can run a regex to +replace the tagged syntax by standard JSON arrays (it only works for "normal" package names without comma, newlines or single colons). First, the readable Perl version: diff -Nru libjson-xs-perl-4.030/XS.xs libjson-xs-perl-4.040/XS.xs --- libjson-xs-perl-4.030/XS.xs 2020-10-27 18:03:21.000000000 +0000 +++ libjson-xs-perl-4.040/XS.xs 2025-09-06 11:57:10.000000000 +0000 @@ -253,16 +253,16 @@ // if we recurse too deep, skip all remaining digits // to avoid a stack overflow attack if (expect_false (--maxdepth <= 0)) - while (((U8)*s - '0') < 10) + while (*s >= '0' && *s <= '9') ++s; for (;;) { - U8 dig = (U8)*s - '0'; + U8 dig = *s - '0'; if (expect_false (dig >= 10)) { - if (dig == (U8)((U8)'.' - (U8)'0')) + if (dig == (U8)('.' - '0')) { ++s; json_atof_scan1 (s, accum, expo, 1, maxdepth); @@ -282,8 +282,8 @@ else if (*s == '+') ++s; - while ((dig = (U8)*s - '0') < 10) - exp2 = exp2 * 10 + *s++ - '0'; + while (*s >= '0' && *s <= '9') + exp2 = exp2 * 10 + (*s++ - '0'); *expo += neg ? -exp2 : exp2; } @@ -920,7 +920,7 @@ { // optimise the "small number case" // code will likely be branchless and use only a single multiplication - // works for numbers up to 59074 + // 4.28 works for numbers up to 59074 I32 i = SvIVX (sv); U32 u; char digit, nz = 0; 
@@ -928,7 +928,7 @@ need (enc, 6); *enc->cur = '-'; enc->cur += i < 0 ? 1 : 0; - u = i < 0 ? -i : i; + u = i < 0 ? -i : i; // not undefined due to range check above // convert to 4.28 fixed-point representation u = u * ((0xfffffff + 10000) / 10000); // 10**5, 5 fractional digits diff -Nru libjson-xs-perl-4.030/debian/changelog libjson-xs-perl-4.040/debian/changelog --- libjson-xs-perl-4.030/debian/changelog 2022-08-28 13:33:48.000000000 +0000 +++ libjson-xs-perl-4.040/debian/changelog 2025-09-08 20:18:43.000000000 +0000 @@ -1,3 +1,26 @@ +libjson-xs-perl (4.040-1~deb13u1) trixie-security; urgency=high + + * Rebuild for trixie-security + + -- Salvatore Bonaccorso Mon, 08 Sep 2025 22:18:43 +0200 + +libjson-xs-perl (4.040-1) unstable; urgency=medium + + * Team upload. + * Import upstream version 4.040. + - Fix json_atof_scan1 overflows (CVE-2025-40928) + * Drop initial patch for CVE-2025-40928 in favour of upstream changes + * Drop patches applied upstream + + -- Salvatore Bonaccorso Mon, 08 Sep 2025 20:19:17 +0200 + +libjson-xs-perl (4.030-3) unstable; urgency=medium + + * Team upload. + * Fix json_atof_scan1 overflows (CVE-2025-40928) + + -- Salvatore Bonaccorso Mon, 08 Sep 2025 17:34:12 +0200 + libjson-xs-perl (4.030-2) unstable; urgency=medium [ Debian Janitor ] diff -Nru libjson-xs-perl-4.030/debian/patches/fix-spelling.patch libjson-xs-perl-4.040/debian/patches/fix-spelling.patch --- libjson-xs-perl-4.030/debian/patches/fix-spelling.patch 2022-08-28 13:33:48.000000000 +0000 +++ libjson-xs-perl-4.040/debian/patches/fix-spelling.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,19 +0,0 @@ -Description: fix spelling -Origin: vendor -Bug: https://rt.cpan.org/Ticket/Display.html?id=117976 -Forwarded: https://rt.cpan.org/Ticket/Display.html?id=117976 -Author: Nuno Carvalho -Reviewed-by: gregor herrmann -Last-Update: 2018-11-26 - ---- a/XS.pm -+++ b/XS.pm -@@ -1680,7 +1680,7 @@ - - C uses the L module to provide boolean - constants. That means that the JSON true and false values will be --comaptible to true and false values of other modules that do the same, -+compatible to true and false values of other modules that do the same, - such as L and L. - - diff -Nru libjson-xs-perl-4.030/debian/patches/series libjson-xs-perl-4.040/debian/patches/series --- libjson-xs-perl-4.030/debian/patches/series 2022-08-28 13:33:48.000000000 +0000 +++ libjson-xs-perl-4.040/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -fix-spelling.patch
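Review bot: in the XS.xs hunk at @@ -253,16 the root defect is the loop condition `while (((U8)*s - '0') < 10)`: after integer promotion the subtraction is done in `int`, so for any byte below `'0'` (including the terminating NUL) the result is negative, `< 10` holds, and the loop keeps advancing `s` past the end of the buffer, which is the heap over-read and the "accepts invalid JSON" symptom the Changes entry describes. The same promoted comparison sits in the exponent loop at @@ -282,8 (`while ((dig = (U8)*s - '0') < 10)`), and both are replaced by the explicit `while (*s >= '0' && *s <= '9')`, which stops at the first non-digit. The `U8 dig = *s - '0'` assignment was never affected because storing into a `U8` wraps, so the `dig >= 10` test already rejected non-digits, and `(U8)('.' - '0')` and `exp2 * 10 + (*s++ - '0')` are equivalent rewrites of the old expressions. The diff touches no file under t/, so a regression test that feeds a digit run followed by a byte below `'0'` or by end of input through the decoder would be worth adding alongside this fix.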
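Review bot: the two XS.xs changes at @@ -920,7 and @@ -928,7 in the encoder's small-number path are comment-only (`// 4.28 works for numbers up to 59074` and `// not undefined due to range check above`), so there is no behaviour change to review; the second comment asserts that `u = i < 0 ? -i : i` cannot hit signed-negation overflow because `i` is already bounded, but that bound is not visible in the hunk, so when backporting confirm the range check it refers to is the one guarding this block.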
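Review bot: the added TODO line in the Changes hunk at @@ -6,6 has a typo, "apparewntly" should read "apparently"; the 4.04 entry itself records the CVE id, the reporters, and the impact (heap overflow, possible information disclosure, acceptance of invalid JSON texts), which matches the json_atof_scan1 change in XS.xs.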
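Review bot: deleting debian/patches/fix-spelling.patch and its entry in debian/patches/series is consistent with the rest of the diff: the only hunk that patch carried ("comaptible" to "compatible" in XS.pm at @@ -1680,7) now arrives from upstream, and the README hunk at @@ -1548,7 applies the same fix to the generated README, so nothing from the dropped patch is lost. The remaining README and XS.pm hunks are spelling fixes plus the repaired sentence under TAGGED VALUE SYNTAX ("decode the generated text with a standard JSON decoder"), which previously ran two sentences together; "compatible to" would read better as "compatible with", but that is upstream wording and not something to carry as a vendor patch again.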
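Review bot: in the debian/changelog hunk the trixie-security entry (4.040-1~deb13u1, urgency=high) says only "Rebuild for trixie-security", so a reader of the stable changelog has to go back to the 4.040-1 entry to learn that the upload is the CVE-2025-40928 fix; repeating the CVE id in the deb13u1 entry would make the security update self-describing. The 4.030-3 and 4.040-1 entries are otherwise coherent with the diff: the interim patch for json_atof_scan1 was superseded by importing upstream 4.040, and the spelling patch was dropped as applied upstream.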