From 7420c1f8957c46b066429d7b66e46fdd615b11e1 Mon Sep 17 00:00:00 2001
From: Jitka Plesnikova
Date: Tue, 16 Sep 2025 12:14:33 +0200
Subject: [PATCH] Resolves: RHEL-113630 - Fix CVE-2025-40928
---
 .fmf/version | 1 +
 JSON-XS-3.04-Fix-for-CVE-2025-40928.patch | 40 +++++++++++++++++
 gating.yaml | 7 +++
 perl-JSON-XS.spec | 52 ++++++++++++++++++++---
 plans/sanity.fmf | 5 +++
 tests/upstream-tests.fmf | 12 ++++++
 6 files changed, 110 insertions(+), 7 deletions(-)
 create mode 100644 .fmf/version
 create mode 100644 JSON-XS-3.04-Fix-for-CVE-2025-40928.patch
 create mode 100644 gating.yaml
 create mode 100644 plans/sanity.fmf
 create mode 100644 tests/upstream-tests.fmf
diff --git a/.fmf/version b/.fmf/version
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/.fmf/version
@@ -0,0 +1 @@
+1
diff --git a/JSON-XS-3.04-Fix-for-CVE-2025-40928.patch b/JSON-XS-3.04-Fix-for-CVE-2025-40928.patch
new file mode 100644
index 0000000..23b8ef2
--- /dev/null
+++ b/JSON-XS-3.04-Fix-for-CVE-2025-40928.patch
@@ -0,0 +1,40 @@
+Fix for CVE-2025-40928
+
+Fix heap overflow causing crashes, possibly information disclosure or
+worse (CVE-2025-40928), and causes JSON::XS to accept invalid JSON texts
+as valid in some cases.
+
+diff -up JSON-XS-3.04/XS.xs.cve JSON-XS-3.04/XS.xs
+--- JSON-XS-3.04/XS.xs.cve 2017-08-17 03:54:33.000000000 +0200
++++ JSON-XS-3.04/XS.xs 2025-09-15 13:09:42.314411248 +0200
+@@ -247,16 +247,16 @@ json_atof_scan1 (const char *s, NV *accu
+ // if we recurse too deep, skip all remaining digits
+ // to avoid a stack overflow attack
+ if (expect_false (--maxdepth <= 0))
+- while (((U8)*s - '0') < 10)
++ while (*s >= '0' && *s <= '9')
+ ++s;
+
+ for (;;)
+ {
+- U8 dig = (U8)*s - '0';
++ U8 dig = *s - '0';
+
+ if (expect_false (dig >= 10))
+ {
+- if (dig == (U8)((U8)'.' - (U8)'0'))
++ if (dig == (U8)('.' - '0'))
+ {
+ ++s;
+ json_atof_scan1 (s, accum, expo, 1, maxdepth);
+@@ -276,8 +276,8 @@ json_atof_scan1 (const char *s, NV *accu
+ else if (*s == '+')
+ ++s;
+
+- while ((dig = (U8)*s - '0') < 10)
+- exp2 = exp2 * 10 + *s++ - '0';
++ while (*s >= '0' && *s <= '9')
++ exp2 = exp2 * 10 + (*s++ - '0');
+
+ *expo += neg ? -exp2 : exp2;
+ }
diff --git a/gating.yaml b/gating.yaml
new file mode 100644
index 0000000..a546b79
--- /dev/null
+++ b/gating.yaml
@@ -0,0 +1,7 @@
+# RHEL
+--- !Policy
+product_versions:
+ - rhel-8
+decision_context: osci_compose_gate
+rules:
+ - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
diff --git a/perl-JSON-XS.spec b/perl-JSON-XS.spec
index ce7248c..a8feb89 100644
--- a/perl-JSON-XS.spec
+++ b/perl-JSON-XS.spec
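Review bot: The rewritten exponent loop at the end of the hunk, `exp2 = exp2 * 10 + (*s++ - '0');`, still accumulates an unbounded run of exponent digits into exp2, whose declaration lies outside the hunk; if it is a plain `int`, as it appears to be in upstream JSON::XS, a text such as `1e99999999999` overflows it, and signed overflow is undefined behaviour even though no memory is touched — the `--maxdepth` guard at the top of the hunk only bounds recursion into fractional parts, not this loop. Since any exponent beyond a few digits already saturates a double, clamping the accumulation costs nothing: use `{ if (exp2 < 100000) exp2 = exp2 * 10 + (*s - '0'); ++s; }` as the loop body. The explicit range checks themselves are the right fix: in the old `(U8)*s - '0'` the subtraction is evaluated in `int`, so for every byte below `'0'` — including the NUL that terminates the Perl string buffer — the difference is negative and `< 10` holds, which is how the digit scan ran past the end of the buffer. json_atof_scan1 begins and ends outside this hunk.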
@@ -2,11 +2,13 @@ Name: perl-JSON-XS
 Summary: JSON serializing/de-serializing, done correctly and fast
 Epoch: 1
 Version: 3.04
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPL+ or Artistic
 Group: Development/Libraries
 URL: http://search.cpan.org/dist/JSON-XS/
 Source0: http://www.cpan.org/authors/id/M/ML/MLEHMANN/JSON-XS-%{version}.tar.gz
+# Fix for CVE-2025-40928 in upstream since 4.04
+Patch1: JSON-XS-3.04-Fix-for-CVE-2025-40928.patch
 # Build
 BuildRequires: coreutils
 BuildRequires: gcc
@@ -15,6 +17,7 @@ BuildRequires: perl-devel
 BuildRequires: perl-generators
 BuildRequires: perl-interpreter
 BuildRequires: perl(Canary::Stability)
+BuildRequires: perl(Config)
 BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76
 BuildRequires: sed
 # Module Runtime
@@ -39,40 +42,75 @@ BuildRequires: perl(warnings)
 Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 %{?perl_default_filter}
-%{?perl_default_subpackage_tests}
 %description
 This module converts Perl data structures to JSON and vice versa. Its primary goal is to be correct and its secondary goal is to be fast. To reach the latter goal it was written in C.
+%package tests
+Summary: Tests for %{name}
+BuildArch: noarch
+Requires: %{name} = %{?epoch:%{epoch}:}%{version}-%{release}
+Requires: perl-Test-Harness
+
+%description tests
+Tests from %{name}. Execute them
+with "%{_libexecdir}/%{name}/test".
+
 %prep
 %setup -q -n JSON-XS-%{version}
+%patch -P1 -p1
 sed -i 's/\r//' t/*
-perl -pi -e 's|^#!/opt/bin/perl|#!%{__perl}|' eg/*
+perl -MConfig -pi -e 's|^#!/opt/bin/perl|$Config{startperl}|' eg/*
 chmod -c -x eg/*
+# Help generators to recognize Perl scripts
+for F in t/*.t; do
+ perl -i -MConfig -ple 'print $Config{startperl} if $. == 1 && !s{\A#!\s*perl}{$Config{startperl}}' "$F"
+ chmod +x "$F"
+done
+
 %build
 %{__perl} Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}" NO_PACKLIST=1
 make %{?_smp_mflags}
 %install
 make pure_install DESTDIR=%{buildroot}
+# Install tests
+mkdir -p %{buildroot}%{_libexecdir}/%{name}
+cp -a t %{buildroot}%{_libexecdir}/%{name}
+cat > %{buildroot}%{_libexecdir}/%{name}/test << 'EOF'
+#!/bin/sh
+cd %{_libexecdir}/%{name} && exec prove -I . -j "$(getconf _NPROCESSORS_ONLN)"
+EOF
+chmod +x %{buildroot}%{_libexecdir}/%{name}/test
+# Correct permissions
 %{_fixperms} -c %{buildroot}
 %check
+export HARNESS_OPTIONS=j$(perl -e 'if ($ARGV[0] =~ /.*-j([0-9][0-9]*).*/) {print $1} else {print 1}' -- '%{?_smp_mflags}')
 make test
 %files
 %doc Changes README eg/
 %license COPYING
-%{perl_vendorarch}/*
-%exclude %dir %{perl_vendorarch}/auto
-%{_bindir}/*
-%{_mandir}/man[13]/*
+%{_bindir}/json_xs
+%{perl_vendorarch}/auto/JSON/
+%{perl_vendorarch}/JSON/
+%{_mandir}/man1/json_xs.1*
+%{_mandir}/man3/JSON::XS.3*
+%{_mandir}/man3/JSON::XS::Boolean.3*
+
+%files tests
+%{_libexecdir}/%{name}
 %changelog
+* Mon Sep 15 2025 Jitka Plesnikova - 1:3.04-4
+- Resolves: RHEL-113630 - Fix CVE-2025-40928
+- Package tests
+
 * Wed Feb 21 2018 Paul Howarth - 1:3.04-3
 - Specify all dependencies
diff --git a/plans/sanity.fmf b/plans/sanity.fmf
new file mode 100644
index 0000000..a72ded4
--- /dev/null
+++ b/plans/sanity.fmf
@@ -0,0 +1,5 @@
+summary: Sanity tests
+discover:
+ how: fmf
+execute:
+ how: tmt
diff --git a/tests/upstream-tests.fmf b/tests/upstream-tests.fmf
new file mode 100644
index 0000000..54598cc
--- /dev/null
+++ b/tests/upstream-tests.fmf
@@ -0,0 +1,12 @@
+summary: Upstream tests
+contact: Jitka Plesnikova
+component: perl-JSON-XS
+require: perl-JSON-XS-tests
+test: /usr/libexec/perl-JSON-XS/test
+enabled: true
+tag:
+ - rhel-buildroot
+adjust:
+ - enabled: false
+ when: distro < rhel-8 or distro < centos-stream-8
+ continue: false