dev-libs/json-c: update 0.15

Update json-c to 0.15, to address
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12762 .
Dongsu Park 2020-10-21 14:41:00 +02:00
parent 69e05d7dbc
commit 2fbc9fb0b8
12 changed files with 477 additions and 180 deletions


@ -1,4 +1,2 @@
DIST json-c-0.12.1.tar.gz 535086 BLAKE2B 57e1da29b3326ccad07a60aafbe653a33b1bbbc26d184c916deb4d120b81781ad52d9945ee3cf5f44b112d41b274872ca76b94a05c12ccc003faecbed5fa586f SHA512 038676a0ce815e5174161fbd4339524feadc294d517f732fb408ad6aa7c4906423451c13386107569d9f24746a1a101564ca511e92e8276c5bf5b8c022ca42ed DIST json-c-0.14.tar.gz 321677 BLAKE2B 39325988dd58dad589fc0f036c17b2337c81cf7aab8ecb2232f8d59fef9d38df28e096f8d22320e0003799d477debddc4926eaa7a170954263c6b303c1fa056e SHA512 75537c61d0632a01f94d2394d7a4387ef1eca0b68aa56c495d3d96dd29b38ed20eb0cc3f6e5e24dc6660c8939669f8954005d9c3ba20437f3fcc9f9dd896b00d
DIST json-c-0.12.tar.gz 501419 BLAKE2B 24f035792ff1ba5c39e55bca6ee4ba2509ab71d0374c70b520791f38e1ec4ff2245a282f234fde9f4a02cd9eaaaaa998ce307563a20702c04ee972fdf51f2539 SHA512 c959804362386f6b77e9d04b5fedf6d6aff1fcd0ab50250edb25f759b510b402e7ad4b33d1cbadc3337b63a3145d19f310812a9ee351748348304b384dc2dc35 DIST json-c-0.15.tar.gz 361488 BLAKE2B ae34f6dd45ebee55e6413ecb234e48fa5ae1c17e6fa12462aaaa04e8801457060e176abe90d76d04ad0ee9b903ff467bc3b8ed5816792da175aad8862b9d168e SHA512 dc01298bcc78f0f31a34f5fcfe45c0feebfd88518e97fb4f96f1a652f71ccdd303415a4c7bf5b573bdcbcca80428281f0dfccefc6545ea3a7f18dbb819332f34
DIST json-c-0.13.1.tar.gz 639425 BLAKE2B 1da310309f9ce03306a9fd4a161670e460cf0b2222348df7c006902390f74a4cf100aab1ce6ac8a361a278dd917c114a278de5b3445817f3a40ae287478add46 SHA512 e984db2a42b9c95b52c798b2e8dd1b79951a8dcba27370af30c43b9549fbb00008dbcf052a535c528209aaee38e6d1f760168b706905ae72f3e704ed20f8a1a1
DIST json-c-0.13.tar.gz 634720 BLAKE2B f83876921f94fca1eb0a3473315d4dc75bb52e36499b265dd60e9dfa46d5417a958725aa3a6da3aa50f2a64f2cd5308af2685ca18bb3f5becd464fc570313735 SHA512 7375e1678e40f79298226d070db4ac3dab8a94c9d2438db1bbbcf668284ab30236fc77d841207c25f71cc2cebc596e1b8116d480434d829c8d96007a32ddf636


@ -0,0 +1,56 @@
diff --git a/CMakeLists.txt b/CMakeLists.txt
index ba692ff..fc2edff 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -65,6 +65,7 @@ include(GNUInstallDirs)
include(CMakePackageConfigHelpers)
option(BUILD_SHARED_LIBS "Default to building shared libraries" ON)
+option(BUILD_STATIC_LIBS "Default to building static libraries" OFF)
# Generate a release merge and test it to verify the correctness of republishing the package.
ADD_CUSTOM_TARGET(distcheck
@@ -383,7 +384,7 @@ add_library(${PROJECT_NAME}
set_target_properties(${PROJECT_NAME} PROPERTIES
VERSION 5.0.0
SOVERSION 5)
-
+list(APPEND CMAKE_TARGETS ${PROJECT_NAME})
# If json-c is used as subroject it set to target correct interface -I flags and allow
# to build external target without extra include_directories(...)
target_include_directories(${PROJECT_NAME}
@@ -392,7 +393,33 @@ target_include_directories(${PROJECT_NAME}
$<BUILD_INTERFACE:${PROJECT_BINARY_DIR}>
)
-install(TARGETS ${PROJECT_NAME}
+# Allow to build static and shared libraries at the same time
+if (BUILD_STATIC_LIBS)
+ set(STATIC_LIB ${PROJECT_NAME}-static)
+ add_library(${STATIC_LIB} STATIC
+ ${JSON_C_SOURCES}
+ ${JSON_C_HEADERS}
+ )
+
+ # rename the static library
+ set_target_properties(${STATIC_LIB} PROPERTIES
+ OUTPUT_NAME ${PROJECT_NAME}
+ )
+ list(APPEND CMAKE_TARGETS ${STATIC_LIB})
+endif ()
+
+# Always create new install dirs with 0755 permissions, regardless of umask
+set(CMAKE_INSTALL_DEFAULT_DIRECTORY_PERMISSIONS
+ OWNER_READ
+ OWNER_WRITE
+ OWNER_EXECUTE
+ GROUP_READ
+ GROUP_EXECUTE
+ WORLD_READ
+ WORLD_EXECUTE
+ )
+
+install(TARGETS ${CMAKE_TARGETS}
EXPORT ${PROJECT_NAME}-targets
RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}
LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR}
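Review bot: The `list(APPEND CMAKE_TARGETS …)` lines added at the end of the second hunk and twice in this one use the `CMAKE_` prefix, which is reserved for variables CMake itself defines, so a later CMake release could silently give the name a meaning; a project-prefixed name such as `list(APPEND JSON_C_TARGETS ${PROJECT_NAME})` avoids that. The unconditional `set(CMAKE_INSTALL_DEFAULT_DIRECTORY_PERMISSIONS …)` also shadows any value a packager passes on the command line, because a normal variable set in the listfile takes precedence over the cache entry of the same name; wrapping it in `if(NOT DEFINED CMAKE_INSTALL_DEFAULT_DIRECTORY_PERMISSIONS)` … `endif()` keeps the 0755 default while leaving the override possible. The separate `add_library(${STATIC_LIB} STATIC …)` compiles every source a second time; an OBJECT library shared by the shared and static targets would avoid that, though it is a larger change than this patch needs. The `install(TARGETS …)` call this hunk ends in continues outside the hunk.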



@ -0,0 +1,155 @@
From 099016b7e8d70a6d5dd814e788bba08d33d48426 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Mon, 4 May 2020 19:41:16 +0200
Subject: [PATCH 1/3] Protect array_list_del_idx against size_t overflow.
If the assignment of stop overflows due to idx and count being
larger than SIZE_T_MAX in sum, out of boundary access could happen.
It takes invalid usage of this function for this to happen, but
I decided to add this check so array_list_del_idx is as safe against
bad usage as the other arraylist functions.
---
arraylist.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arraylist.c b/arraylist.c
index 12ad8af6d3..e5524aca75 100644
--- a/arraylist.c
+++ b/arraylist.c
@@ -136,6 +136,9 @@ int array_list_del_idx(struct array_list *arr, size_t idx, size_t count)
{
size_t i, stop;
+ /* Avoid overflow in calculation with large indices. */
+ if (idx > SIZE_T_MAX - count)
+ return -1;
stop = idx + count;
if (idx >= arr->length || stop > arr->length)
return -1;
From 77d935b7ae7871a1940cd827e850e6063044ec45 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Mon, 4 May 2020 19:46:45 +0200
Subject: [PATCH 2/3] Prevent division by zero in linkhash.
If a linkhash with a size of zero is created, then modulo operations
are prone to division by zero operations.
Purely protective measure against bad usage.
---
linkhash.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/linkhash.c b/linkhash.c
index 7ea58c0abf..f05cc38030 100644
--- a/linkhash.c
+++ b/linkhash.c
@@ -12,6 +12,7 @@
#include "config.h"
+#include <assert.h>
#include <limits.h>
#include <stdarg.h>
#include <stddef.h>
@@ -499,6 +500,8 @@ struct lh_table *lh_table_new(int size, lh_entry_free_fn *free_fn, lh_hash_fn *h
int i;
struct lh_table *t;
+ /* Allocate space for elements to avoid divisions by zero. */
+ assert(size > 0);
t = (struct lh_table *)calloc(1, sizeof(struct lh_table));
if (!t)
return NULL;
From d07b91014986900a3a75f306d302e13e005e9d67 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Mon, 4 May 2020 19:47:25 +0200
Subject: [PATCH 3/3] Fix integer overflows.
The data structures linkhash and printbuf are limited to 2 GB in size
due to a signed integer being used to track their current size.
If too much data is added, then size variable can overflow, which is
an undefined behaviour in C programming language.
Assuming that a signed int overflow just leads to a negative value,
like it happens on many sytems (Linux i686/amd64 with gcc), then
printbuf is vulnerable to an out of boundary write on 64 bit systems.
---
linkhash.c | 7 +++++--
printbuf.c | 19 ++++++++++++++++---
2 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/linkhash.c b/linkhash.c
index f05cc38030..51e90b13a2 100644
--- a/linkhash.c
+++ b/linkhash.c
@@ -580,9 +580,12 @@ int lh_table_insert_w_hash(struct lh_table *t, const void *k, const void *v, con
{
unsigned long n;
- if (t->count >= t->size * LH_LOAD_FACTOR)
- if (lh_table_resize(t, t->size * 2) != 0)
+ if (t->count >= t->size * LH_LOAD_FACTOR) {
+ /* Avoid signed integer overflow with large tables. */
+ int new_size = INT_MAX / 2 < t->size ? t->size * 2 : INT_MAX;
+ if (t->size == INT_MAX || lh_table_resize(t, new_size) != 0)
return -1;
+ }
n = h % t->size;
diff --git a/printbuf.c b/printbuf.c
index 976c12dde5..00822fac4f 100644
--- a/printbuf.c
+++ b/printbuf.c
@@ -15,6 +15,7 @@
#include "config.h"
+#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -65,10 +66,16 @@ static int printbuf_extend(struct printbuf *p, int min_size)
if (p->size >= min_size)
return 0;
-
- new_size = p->size * 2;
- if (new_size < min_size + 8)
+ /* Prevent signed integer overflows with large buffers. */
+ if (min_size > INT_MAX - 8)
+ return -1;
+ if (p->size > INT_MAX / 2)
new_size = min_size + 8;
+ else {
+ new_size = p->size * 2;
+ if (new_size < min_size + 8)
+ new_size = min_size + 8;
+ }
#ifdef PRINTBUF_DEBUG
MC_DEBUG("printbuf_memappend: realloc "
"bpos=%d min_size=%d old_size=%d new_size=%d\n",
@@ -83,6 +90,9 @@ static int printbuf_extend(struct printbuf *p, int min_size)
int printbuf_memappend(struct printbuf *p, const char *buf, int size)
{
+ /* Prevent signed integer overflows with large buffers. */
+ if (size > INT_MAX - p->bpos - 1)
+ return -1;
if (p->size <= p->bpos + size + 1)
{
if (printbuf_extend(p, p->bpos + size + 1) < 0)
@@ -100,6 +110,9 @@ int printbuf_memset(struct printbuf *pb, int offset, int charvalue, int len)
if (offset == -1)
offset = pb->bpos;
+ /* Prevent signed integer overflows with large buffers. */
+ if (len > INT_MAX - offset)
+ return -1;
size_needed = offset + len;
if (pb->size < size_needed)
{
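Review bot: The zero-size guard the second patch adds to `lh_table_new` is an `assert(size > 0)`, which the preprocessor removes whenever `NDEBUG` is defined, so in such a build a zero-sized table is still created and the `n = h % t->size` visible in the `lh_table_insert_w_hash` hunk divides by zero exactly as before. The other two patches handle their bad-input cases with an explicit runtime check and an error return; the same pattern here, `if (size <= 0) return NULL;` placed before the `calloc`, would hold regardless of compiler flags. Whether the packaged build defines NDEBUG depends on the build type the cmake eclass selects, which this page does not show, so the assert may or may not be active as shipped. Both `lh_table_new` and `lh_table_insert_w_hash` begin and end outside their hunks.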


@ -1,43 +0,0 @@
# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=6
inherit autotools multilib-minimal ltprune
DESCRIPTION="A JSON implementation in C"
HOMEPAGE="https://github.com/json-c/json-c/wiki"
SRC_URI="https://s3.amazonaws.com/json-c_releases/releases/${P}.tar.gz"
LICENSE="MIT"
SLOT="0/2"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~amd64-linux ~x86-linux ~ppc-macos"
IUSE="doc static-libs"
src_prepare() {
default
sed -i -e "s:-Werror::" Makefile.am.inc || die
eautoreconf
# tests break otherwise
multilib_copy_sources
}
multilib_src_configure() {
ECONF_SOURCE=${S} econf $(use_enable static-libs static)
}
multilib_src_test() {
export USE_VALGRIND=0 VERBOSE=1
default
}
multilib_src_install_all() {
use doc && HTML_DOCS=( "${S}"/doc/html/. )
einstalldocs
# add symlink for projects not using pkgconfig
dosym ../json-c /usr/include/json-c/json
prune_libtool_files
}


@ -1,40 +0,0 @@
# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=5
AUTOTOOLS_AUTORECONF=true
inherit autotools-multilib
DESCRIPTION="A JSON implementation in C"
HOMEPAGE="https://github.com/json-c/json-c/wiki"
SRC_URI="https://s3.amazonaws.com/json-c_releases/releases/${P}.tar.gz"
LICENSE="MIT"
SLOT="0/2"
KEYWORDS="alpha amd64 arm arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~amd64-linux ~x86-linux ~ppc-macos"
IUSE="doc static-libs"
RDEPEND=""
# tests break otherwise
AUTOTOOLS_IN_SOURCE_BUILD=1
src_prepare() {
sed -i -e "s:-Werror::" Makefile.am.inc || die
autotools-multilib_src_prepare
}
src_test() {
export USE_VALGRIND=0 VERBOSE=1
autotools-multilib_src_test
}
src_install() {
use doc && HTML_DOCS=( "${S}"/doc/html )
autotools-multilib_src_install
# add symlink for projects not using pkgconfig
dosym ../json-c /usr/include/json-c/json
}


@ -1,43 +0,0 @@
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=6
inherit autotools multilib-minimal ltprune
DESCRIPTION="A JSON implementation in C"
HOMEPAGE="https://github.com/json-c/json-c/wiki"
SRC_URI="https://s3.amazonaws.com/json-c_releases/releases/${P}.tar.gz"
LICENSE="MIT"
SLOT="0/4"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~amd64-linux ~x86-linux ~ppc-macos"
IUSE="doc static-libs"
src_prepare() {
default
sed -i -e "s:-Werror::" configure.ac || die
eautoreconf
# tests break otherwise
multilib_copy_sources
}
multilib_src_configure() {
ECONF_SOURCE=${S} econf $(use_enable static-libs static)
}
multilib_src_test() {
export USE_VALGRIND=0 VERBOSE=1
default
}
multilib_src_install_all() {
use doc && HTML_DOCS=( "${S}"/doc/html/. )
einstalldocs
# add symlink for projects not using pkgconfig
dosym ../json-c /usr/include/json-c/json
prune_libtool_files
}


@ -1,43 +0,0 @@
# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=6
inherit autotools multilib-minimal ltprune
DESCRIPTION="A JSON implementation in C"
HOMEPAGE="https://github.com/json-c/json-c/wiki"
SRC_URI="https://s3.amazonaws.com/json-c_releases/releases/${P}.tar.gz"
LICENSE="MIT"
SLOT="0/3"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~amd64-linux ~x86-linux ~ppc-macos"
IUSE="doc static-libs"
src_prepare() {
default
sed -i -e "s:-Werror::" configure.ac || die
eautoreconf
# tests break otherwise
multilib_copy_sources
}
multilib_src_configure() {
ECONF_SOURCE=${S} econf $(use_enable static-libs static)
}
multilib_src_test() {
export USE_VALGRIND=0 VERBOSE=1
default
}
multilib_src_install_all() {
use doc && HTML_DOCS=( "${S}"/doc/html/. )
einstalldocs
# add symlink for projects not using pkgconfig
dosym ../json-c /usr/include/json-c/json
prune_libtool_files
}


@ -0,0 +1,55 @@
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
CMAKE_ECLASS=cmake
inherit cmake-multilib
DESCRIPTION="A JSON implementation in C"
HOMEPAGE="https://github.com/json-c/json-c/wiki"
SRC_URI="https://s3.amazonaws.com/json-c_releases/releases/${P}.tar.gz"
LICENSE="MIT"
SLOT="0/5"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 ~riscv s390 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos"
IUSE="cpu_flags_x86_rdrand doc static-libs threads"
PATCHES=(
"${FILESDIR}/${PN}-0.14-cmake-static-libs.patch"
"${FILESDIR}/${P}-security-fix.patch"
"${FILESDIR}/${PN}-0.14-object-limitation.patch"
)
MULTILIB_WRAPPED_HEADERS=(
/usr/include/json-c/config.h
)
src_prepare() {
cmake_src_prepare
}
multilib_src_configure() {
local mycmakeargs=(
-DBUILD_DOCUMENTATION=$(multilib_native_usex doc)
-DBUILD_STATIC_LIBS=$(usex static-libs)
-DDISABLE_WERROR=ON
-DENABLE_RDRAND=$(usex cpu_flags_x86_rdrand)
-DENABLE_THREADING=$(usex threads)
)
cmake_src_configure
}
multilib_src_compile() {
cmake_src_compile
}
multilib_src_test() {
multilib_is_native_abi && cmake_src_test
}
multilib_src_install_all() {
use doc && HTML_DOCS=( "${S}"/doc/html/. )
einstalldocs
}
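Review bot: `multilib_src_configure` passes `-DBUILD_DOCUMENTATION=$(multilib_native_usex doc)`, but this ebuild declares no build-time dependency on doxygen, so a `USE=doc` build relies on doxygen happening to be installed. The 0.15 ebuild added in this same commit carries `BDEPEND="doc? ( >=app-doc/doxygen-1.8.13 )"`, and the same line belongs here. Minor style: this file writes `EAPI="7"` while the 0.15 ebuild writes `EAPI=7`; the two should agree.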


@ -0,0 +1,50 @@
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
CMAKE_ECLASS=cmake
inherit cmake-multilib
DESCRIPTION="A JSON implementation in C"
HOMEPAGE="https://github.com/json-c/json-c/wiki"
SRC_URI="https://s3.amazonaws.com/json-c_releases/releases/${P}.tar.gz"
LICENSE="MIT"
SLOT="0/5"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 ~riscv s390 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos"
IUSE="cpu_flags_x86_rdrand doc static-libs threads"
BDEPEND="doc? ( >=app-doc/doxygen-1.8.13 )"
MULTILIB_WRAPPED_HEADERS=(
/usr/include/json-c/config.h
)
src_prepare() {
cmake_src_prepare
}
multilib_src_configure() {
local mycmakeargs=(
-DBUILD_STATIC_LIBS=$(usex static-libs)
-DDISABLE_WERROR=ON
-DENABLE_RDRAND=$(usex cpu_flags_x86_rdrand)
-DENABLE_THREADING=$(usex threads)
)
cmake_src_configure
}
multilib_src_compile() {
cmake_src_compile
}
multilib_src_test() {
multilib_is_native_abi && cmake_src_test
}
multilib_src_install_all() {
use doc && HTML_DOCS=( "${S}"/doc/html/. )
einstalldocs
}
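Review bot: This ebuild declares the doxygen `BDEPEND` and installs `"${S}"/doc/html/.` under `USE=doc`, but unlike the 0.14 ebuild it never passes `-DBUILD_DOCUMENTATION=$(multilib_native_usex doc)` in `mycmakeargs`; unless upstream 0.15 builds the documentation by default, which this page does not show, the html directory will not exist and `einstalldocs` will fail on the missing path. Adding that line to `mycmakeargs` also keeps the two release ebuilds consistent.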


@ -0,0 +1,50 @@
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
CMAKE_ECLASS=cmake
inherit cmake-multilib git-r3
DESCRIPTION="A JSON implementation in C"
HOMEPAGE="https://github.com/json-c/json-c/wiki"
EGIT_REPO_URI="https://github.com/json-c/json-c.git"
LICENSE="MIT"
SLOT="0/5"
IUSE="cpu_flags_x86_rdrand doc static-libs threads"
BDEPEND="doc? ( >=app-doc/doxygen-1.8.13 )"
MULTILIB_WRAPPED_HEADERS=(
/usr/include/json-c/config.h
)
src_prepare() {
cmake_src_prepare
}
multilib_src_configure() {
local mycmakeargs=(
-DDISABLE_WERROR=ON
-DENABLE_THREADING=$(usex threads)
-DENABLE_RDRAND=$(usex cpu_flags_x86_rdrand)
-DBUILD_STATIC_LIBS=$(usex static-libs)
)
cmake_src_configure
}
multilib_src_compile() {
cmake_src_compile
use doc && doxygen doc/Doxyfile
}
multilib_src_test() {
multilib_is_native_abi && cmake_src_test
}
multilib_src_install_all() {
use doc && HTML_DOCS=( "${BUILD_DIR}-abi_x86_64.amd64"/doc/html/. )
einstalldocs
}
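Review bot: `multilib_src_install_all` hardcodes `"${BUILD_DIR}-abi_x86_64.amd64"/doc/html/.`, tying the doc install path to a single ABI suffix, and `use doc && doxygen doc/Doxyfile` in `multilib_src_compile` runs once per ABI rather than only for the native one. Gating the run with `multilib_is_native_abi && use doc && doxygen doc/Doxyfile` and deriving the install path from the native ABI's build directory would remove the hardcoded suffix; which variable holds that directory in the install-all phase should be confirmed against the eclass. The `mycmakeargs` list is also ordered differently from the two release ebuilds; sorting it alphabetically as they do makes the three easier to compare.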


@ -2,17 +2,26 @@
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd"> <!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata> <pkgmetadata>
<maintainer type="person"> <maintainer type="person">
<email>hwoarang@gentoo.org</email> <email>jakov.smolic@sartura.hr</email>
<name>Markos Chandras</name> <name>Jakov Smolic</name>
</maintainer>
<maintainer type="person">
<email>luka.perkov@sartura.hr</email>
<name>Luka Perkov</name>
</maintainer>
<maintainer type="project">
<email>proxy-maint@gentoo.org</email>
<name>Proxy Maintainers</name>
</maintainer> </maintainer>
<longdescription lang="en"> <longdescription lang="en">
"A JSON implementation in C" is probably the better description, and then JSON-C is a JSON implementation written in C. It implements a
"JSON-C implements a reference counting object model that allows you to reference counting object model that allows you to easily
easily construct JSON objects in C, output them as JSON formatted construct JSON objects in C, output them as JSON formatted strings
strings and parse JSON formatted strings back into the C and parse JSON formatted strings back into the C representation of
representation of JSON objects. JSON objects.
</longdescription> </longdescription>
<upstream> <upstream>
<remote-id type="github">json-c/json-c</remote-id> <remote-id type="github">json-c/json-c</remote-id>
<remote-id type="cpe">cpe:/a:json-c_project:json-c</remote-id>
</upstream> </upstream>
</pkgmetadata> </pkgmetadata>