Resolves: RHEL-113630 - Fix CVE-2025-40928

2025-09-16 12:14:33 +02:00 · 2025-09-16 12:14:33 +02:00 · 7420c1f895
commit 7420c1f895
parent b1f6d059c6
6 changed files with 110 additions and 7 deletions
--- a/.fmf/version
+++ b/.fmf/version
@ -0,0 +1 @@
+1
--- a/JSON-XS-3.04-Fix-for-CVE-2025-40928.patch
+++ b/JSON-XS-3.04-Fix-for-CVE-2025-40928.patch
@ -0,0 +1,40 @@
+Fix for CVE-2025-40928
+
+Fix heap overflow causing crashes, possibly information disclosure or
+worse (CVE-2025-40928), and causes JSON::XS to accept invalid JSON texts
+as valid in some cases.
+
+diff -up JSON-XS-3.04/XS.xs.cve JSON-XS-3.04/XS.xs
+--- JSON-XS-3.04/XS.xs.cve	2017-08-17 03:54:33.000000000 +0200
+++ JSON-XS-3.04/XS.xs	2025-09-15 13:09:42.314411248 +0200
+@@ -247,16 +247,16 @@ json_atof_scan1 (const char *s, NV *accu
+   // if we recurse too deep, skip all remaining digits
+   // to avoid a stack overflow attack
+   if (expect_false (--maxdepth <= 0))
+-    while (((U8)*s - '0') < 10)
+    while (*s >= '0' && *s <= '9')
+       ++s;
+ 
+   for (;;)
+     {
+-      U8 dig = (U8)*s - '0';
+      U8 dig = *s - '0';
+ 
+       if (expect_false (dig >= 10))
+         {
+-          if (dig == (U8)((U8)'.' - (U8)'0'))
+          if (dig == (U8)('.' - '0'))
+             {
+               ++s;
+               json_atof_scan1 (s, accum, expo, 1, maxdepth);
+@@ -276,8 +276,8 @@ json_atof_scan1 (const char *s, NV *accu
+               else if (*s == '+')
+                 ++s;
+ 
+-              while ((dig = (U8)*s - '0') < 10)
+-                exp2 = exp2 * 10 + *s++ - '0';
+              while (*s >= '0' && *s <= '9')
+                exp2 = exp2 * 10 + (*s++ - '0');
+ 
+               *expo += neg ? -exp2 : exp2;
+             }
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,7 @@
+# RHEL
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
--- a/perl-JSON-XS.spec
+++ b/perl-JSON-XS.spec
@ -2,11 +2,13 @@ Name:           perl-JSON-XS
 Summary:        JSON serializing/de-serializing, done correctly and fast
 Epoch:          1
 Version:        3.04
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        GPL+ or Artistic
 Group:          Development/Libraries
 URL:            http://search.cpan.org/dist/JSON-XS/
 Source0:        http://www.cpan.org/authors/id/M/ML/MLEHMANN/JSON-XS-%{version}.tar.gz
+# Fix for CVE-2025-40928 in upstream since 4.04
+Patch1:         JSON-XS-3.04-Fix-for-CVE-2025-40928.patch
 # Build
 BuildRequires:  coreutils
 BuildRequires:  gcc
@ -15,6 +17,7 @@ BuildRequires:  perl-devel
 BuildRequires:  perl-generators
 BuildRequires:  perl-interpreter
 BuildRequires:  perl(Canary::Stability)
+BuildRequires:  perl(Config)
 BuildRequires:  perl(ExtUtils::MakeMaker) >= 6.76
 BuildRequires:  sed
 # Module Runtime
@ -39,40 +42,75 @@ BuildRequires:  perl(warnings)
 Requires:       perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))

 %{?perl_default_filter}
-%{?perl_default_subpackage_tests}

 %description
 This module converts Perl data structures to JSON and vice versa. Its
 primary goal is to be correct and its secondary goal is to be fast. To
 reach the latter goal it was written in C.

+%package tests
+Summary:        Tests for %{name}
+BuildArch:      noarch
+Requires:       %{name} = %{?epoch:%{epoch}:}%{version}-%{release}
+Requires:       perl-Test-Harness
+
+%description tests
+Tests from %{name}. Execute them
+with "%{_libexecdir}/%{name}/test".
+
 %prep
 %setup -q -n JSON-XS-%{version}
+%patch -P1 -p1

 sed -i 's/\r//' t/*
-perl -pi -e 's|^#!/opt/bin/perl|#!%{__perl}|' eg/*
+perl -MConfig -pi -e 's|^#!/opt/bin/perl|$Config{startperl}|' eg/*
 chmod -c -x eg/*

+# Help generators to recognize Perl scripts
+for F in t/*.t; do
+    perl -i -MConfig -ple 'print $Config{startperl} if $. == 1 && !s{\A#!\s*perl}{$Config{startperl}}' "$F"
+    chmod +x "$F"
+done
+
 %build
 %{__perl} Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}" NO_PACKLIST=1
 make %{?_smp_mflags}

 %install
 make pure_install DESTDIR=%{buildroot}
+# Install tests
+mkdir -p %{buildroot}%{_libexecdir}/%{name}
+cp -a t %{buildroot}%{_libexecdir}/%{name}
+cat > %{buildroot}%{_libexecdir}/%{name}/test << 'EOF'
+#!/bin/sh
+cd %{_libexecdir}/%{name} && exec prove -I . -j "$(getconf _NPROCESSORS_ONLN)"
+EOF
+chmod +x %{buildroot}%{_libexecdir}/%{name}/test
+# Correct permissions
 %{_fixperms} -c %{buildroot}

 %check
+export HARNESS_OPTIONS=j$(perl -e 'if ($ARGV[0] =~ /.*-j([0-9][0-9]*).*/) {print $1} else {print 1}' -- '%{?_smp_mflags}')
 make test

 %files
 %doc Changes README eg/
 %license COPYING
-%{perl_vendorarch}/*
-%exclude %dir %{perl_vendorarch}/auto
-%{_bindir}/*
-%{_mandir}/man[13]/*
+%{_bindir}/json_xs
+%{perl_vendorarch}/auto/JSON/
+%{perl_vendorarch}/JSON/
+%{_mandir}/man1/json_xs.1*
+%{_mandir}/man3/JSON::XS.3*
+%{_mandir}/man3/JSON::XS::Boolean.3*
+
+%files tests
+%{_libexecdir}/%{name}

 %changelog
+* Mon Sep 15 2025 Jitka Plesnikova <jplesnik@redhat.com> - 1:3.04-4
+- Resolves: RHEL-113630 - Fix CVE-2025-40928
+- Package tests
+
 * Wed Feb 21 2018 Paul Howarth <paul@city-fan.org> - 1:3.04-3
 - Specify all dependencies

--- a/plans/sanity.fmf
+++ b/plans/sanity.fmf
@ -0,0 +1,5 @@
+summary: Sanity tests
+discover:
+    how: fmf
+execute:
+    how: tmt
--- a/tests/upstream-tests.fmf
+++ b/tests/upstream-tests.fmf
@ -0,0 +1,12 @@
+summary: Upstream tests
+contact: Jitka Plesnikova <jplesnik@redhat.com>
+component: perl-JSON-XS
+require: perl-JSON-XS-tests
+test: /usr/libexec/perl-JSON-XS/test
+enabled: true
+tag:
+  - rhel-buildroot
+adjust:
+  - enabled: false
+    when: distro < rhel-8 or distro < centos-stream-8
+    continue: false