debian/changelog:

python-cjson (1.0.5-4build1) natty; urgency=low

  * Rebuild to add support for python 2.7.

 -- Matthias Klose  Fri, 03 Dec 2010 00:10:00 +0000

python-cjson (1.0.5-4) unstable; urgency=high

  * debian/patches:
    - New patch: 0002-fix-for-CVE-2009-4924
      Fixing an XSS vulnerability by handling ['/'] arguments to
      cjson.encode properly.
      Closes: #593302, Fixes: CVE-2009-2924

 -- Bernd Zeimetz  Mon, 06 Sep 2010 22:14:36 +0200

python-cjson (1.0.5-3) unstable; urgency=high

  [ Christian Kastner ]
  * debian/source/format
    - Convert to format 3.0 (quilt)
  * debian/patches:
    - New patch 0001-fix-for-CVE-2010-1666
      Matt Giuca discovered a buffer overflow when encoding wide unicode
      characters on UCS4 builds. This fix was taken from Ubuntu LP #585274,
      which he provided.
      Closes: #587700, Fixes: CVE-2010-1666

 -- Debian Python Modules Team  Tue, 06 Jul 2010 23:22:56 +0200

python-cjson (1.0.5-2) unstable; urgency=low

  [ Bernd Zeimetz ]
  * debian/control:
    - Changing the priority of the -dbg package to extra
    - Adding Homepage field, removing pseudo-field from description
    - Adding Vcs-Svn and Vcs-Browser fields
    - Updating my email address
    - Bumping Standards-Version to 3.8.2, no changes needed.
    - Remove cdbs Build-dep, bump required debhelper version.
    - Fix several spelling errors in the descriptions
    - Move the -dbg package into section debug.
    - Add an extra ~ to the python-all-dev build-dep to make lintian happy.
    - Enhance the long description of the -dbg package.
  * debian/rules:
    - Replace cdbs weirdness by dh.
  * debian/pycompat:
    - Drop file, not needed.
  * debian/python-cjson.install:
    - Change to install non -dbg files only.
  * debian/python-cjson-dbg.install:
    - Install dbg extensions.
  * debian/copyright:
    - Update the licensing of the debian packaging to 2009.

  [ Sandro Tosi ]
  * debian/control
    - uniforming Vcs-Browser field
  * debian/control
    - switch Vcs-Browser field to viewsvn

 -- Bernd Zeimetz  Mon, 27 Jul 2009 22:55:53 +0200

python-cjson (1.0.5-1) unstable; urgency=low

  * New upstream version

 -- Bernd Zeimetz  Fri, 24 Aug 2007 16:12:17 +0200

python-cjson (1.0.4-1) unstable; urgency=low

  * Initial release (Closes: #420606)

 -- Bernd Zeimetz  Wed, 15 Aug 2007 00:35:27 +0200

debian/rules:

#!/usr/bin/make -f

PACKAGE=python-cjson

%:
	dh $@

override_dh_installdocs:
	dh_installdocs
	rm -rf debian/$(PACKAGE)-dbg/usr/share/doc/$(PACKAGE)-dbg
	ln -s $(PACKAGE) debian/$(PACKAGE)-dbg/usr/share/doc/$(PACKAGE)-dbg

override_dh_strip:
	dh_strip --dbg-package=$(PACKAGE)-dbg

debian/control:

Source: python-cjson
Section: python
Priority: optional
Maintainer: Debian Python Modules Team
Uploaders: Bernd Zeimetz, Dan Pascu
Build-Depends: debhelper (>= 7.3.5), python-all-dev (>= 2.4.4-1~), python-all-dbg, python-support (>= 0.7.1)
Standards-Version: 3.8.2
Homepage: http://cheeseshop.python.org/pypi/python-cjson
Vcs-Svn: svn://svn.debian.org/python-modules/packages/python-cjson/trunk/
Vcs-Browser: http://svn.debian.org/viewsvn/python-modules/packages/python-cjson/trunk/

Package: python-cjson
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, ${python:Depends}
Suggests: python-cjson-dbg
Description: Very fast JSON encoder/decoder for Python
 JSON stands for JavaScript Object Notation and is a text based lightweight
 data exchange format which is easy for humans to read/write and for machines
 to parse/generate. JSON is completely language independent and has multiple
 implementations in most of the programming languages, making it ideal for
 data exchange and storage.
 .
 The module is written in C and it is up to 250 times faster when compared to
 the other Python JSON implementations which are written directly in Python.
 This speed gain varies with the complexity of the data and the operation and
 is in the range of 10-200 times for encoding operations and in the range of
 100-250 times for decoding operations.

Package: python-cjson-dbg
Architecture: any
Priority: extra
Depends: ${shlibs:Depends}, ${misc:Depends}, ${python:Depends}, python-cjson (= ${binary:Version}), python-dbg
Section: debug
Description: Very fast JSON encoder/decoder for Python (debug extension)
 JSON stands for JavaScript Object Notation and is a text based lightweight
 data exchange format which is easy for humans to read/write and for machines
 to parse/generate. JSON is completely language independent and has multiple
 implementations in most of the programming languages, making it ideal for
 data exchange and storage.
 .
 The module is written in C and it is up to 250 times faster when compared to
 the other Python JSON implementations which are written directly in Python.
 This speed gain varies with the complexity of the data and the operation and
 is in the range of 10-200 times for encoding operations and in the range of
 100-250 times for decoding operations.
 .
 This package contains the debug extensions and symbols.

debian/python-cjson.install:

debian/tmp/usr/lib/python*/*-packages/cjson.so
debian/tmp/usr/lib/python*/*-packages/python_cjson*

debian/docs:

README

debian/pyversions:

2.4-

debian/copyright:

This package was debianized by Bernd Zeimetz on
Wed, 15 Aug 2007 00:35:27 +0200.

It was downloaded from http://cheeseshop.python.org/pypi/python-cjson

Upstream Author: Dan Pascu

Copyright: Copyright (C) 2006-2007 Dan Pascu

License:

    This package is free software; you can redistribute it and/or modify it
    under the terms of the GNU Lesser General Public License as published by
    the Free Software Foundation; either version 2 of the License, or (at
    your option) any later version.

    This package is distributed in the hope that it will be useful, but
    WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser
    General Public License for more details.

    You should have received a copy of the GNU Lesser General Public License
    along with this package; if not, write to the Free Software Foundation,
    Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

On Debian systems, the complete text of the GNU Lesser General Public
License, version 2, can be found in `/usr/share/common-licenses/LGPL-2'.

The Debian packaging is Copyright (C) 2007-2009, Bernd Zeimetz and is
licensed under the LGPL, either version 2 of the License, or (at your
option) any later version - see above.

Files with different licenses/copyrights:

 * jsontest.py: this test suite is an almost verbatim copy of the
   jsontest.py test suite found in json-py available from
   http://sourceforge.net/projects/json-py/

   Copyright (C) 2005 Patrick D. Logan

   This library is free software; you can redistribute it and/or modify it
   under the terms of the GNU Lesser General Public License as published by
   the Free Software Foundation; either version 2.1 of the License, or (at
   your option) any later version.

   This library is distributed in the hope that it will be useful, but
   WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser
   General Public License for more details.

   You should have received a copy of the GNU Lesser General Public License
   along with this library; if not, write to the Free Software Foundation,
   Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.

   On Debian systems, the complete text of the GNU Lesser General Public
   License, version 2.1, can be found in
   `/usr/share/common-licenses/LGPL-2.1'.

debian/python-cjson-dbg.install:

debian/tmp/usr/lib/python*/*-packages/cjson_d.so

debian/source/format:

3.0 (quilt)

debian/watch:

# Compulsory line, this is a version 3 file
version=3
opts="filenamemangle=s/.*\/([^#]*)#.*/$1/" \
http://cheeseshop.python.org/pypi/python-cjson http://pypi\.python\.org/packages/source/p/python-cjson/python-cjson-(.*)\.tar\.gz#md5=.*

debian/compat:

5

debian/patches/series:

0001-fix-for-CVE-2010-1666
0002-fix-for-CVE-2009-4924

debian/patches/0001-fix-for-CVE-2010-1666:

Author: Matt Giuca
Date: Tue, 06 Jul 2010 23:31:15 +0200
Subject: [PATCH] Fix for CVE-2010-1666

Matt Giuca discovered a potential buffer overflow in python-cjson. It has
been assigned CVE-2010-1666. This patch is taken from the patch submitted
and applied to Ubuntu's version of python-cjson.

Origin: other, https://bugs.launchpad.net/ubuntu/+source/python-cjson/+bug/585274
Bug-Debian: http://bugs.debian.org/587700
Forwarded: yes
Last-Update: 2010-10-07

Index: python-cjson-1.0.5-new/cjson.c
===================================================================
--- python-cjson-1.0.5-new.orig/cjson.c 2010-07-06 23:29:27.898903297 +0200
+++ python-cjson-1.0.5-new/cjson.c 2010-07-06 23:29:41.901838748 +0200
@@ -613,6 +613,25 @@ char *p; static const char *hexdigit = "0123456789abcdef"; +#ifdef Py_UNICODE_WIDE + const Py_ssize_t expandsize = 10; +#else + const Py_ssize_t expandsize = 6; +#endif + + /* Initial allocation is based on the longest-possible unichr + escape. + + In wide (UTF-32) builds '\U00xxxxxx' is 10 chars per source + unichr, so in this case it's the longest unichr escape. In + narrow (UTF-16) builds this is five chars per source unichr + since there are two unichrs in the surrogate pair, so in narrow + (UTF-16) builds it's not the longest unichr escape. + + In wide or narrow builds '\uxxxx' is 6 chars per source unichr, + so in the narrow (UTF-16) build case it's the longest unichr + escape. + */ s = PyUnicode_AS_UNICODE(unicode); size = PyUnicode_GET_SIZE(unicode);
@@ -623,7 +642,7 @@ return NULL; } - repr = PyString_FromStringAndSize(NULL, 2 + 6*size + 1); + repr = PyString_FromStringAndSize(NULL, 2 + expandsize*size + 1); if (repr == NULL) return NULL;
@@ -644,15 +663,6 @@ #ifdef Py_UNICODE_WIDE /* Map 21-bit characters to '\U00xxxxxx' */ else if (ch >= 0x10000) { - int offset = p - PyString_AS_STRING(repr); - - /* Resize the string if necessary */ - if (offset + 12 > PyString_GET_SIZE(repr)) { - if (_PyString_Resize(&repr, PyString_GET_SIZE(repr) + 100)) - return NULL; - p = PyString_AS_STRING(repr) + offset; - } - *p++ = '\\'; *p++ = 'U'; *p++ = hexdigit[(ch >> 28) & 0x0000000F];
Index: python-cjson-1.0.5-new/jsontest.py
===================================================================
--- python-cjson-1.0.5-new.orig/jsontest.py 2010-07-06 23:29:27.965871886 +0200
+++ python-cjson-1.0.5-new/jsontest.py 2010-07-06 23:29:41.901838748 +0200
@@ -316,6 +316,18 @@ def testWriteLong(self): self.assertEqual("12345678901234567890", cjson.encode(12345678901234567890)) + + def testWriteLongUnicode(self): + # This test causes a buffer overrun in cjson 1.0.5, on UCS4 builds. + # The string length is only resized for wide unicode characters if + # there is less than 12 bytes of space left. Padding with + # narrow-but-escaped characters prevents string resizing. + # Note that u'\U0001D11E\u1234' also breaks, but sometimes goes + # undetected. + s = cjson.encode(u'\U0001D11E\U0001D11E\U0001D11E\U0001D11E' + u'\u1234\u1234\u1234\u1234\u1234\u1234') + self.assertEqual(r'"\U0001d11e\U0001d11e\U0001d11e\U0001d11e' + r'\u1234\u1234\u1234\u1234\u1234\u1234"', s) def main(): unittest.main()

debian/patches/0002-fix-for-CVE-2009-4924:

diff -r 026bff5ea1ed -r 88b854ad1437 cjson.c
--- a/cjson.c Tue Jul 27 19:54:30 2010 +0200
+++ b/cjson.c Tue Jul 27 20:35:58 2010 +0200
@@ -570,6 +570,8 @@ *p++ = '\\', *p++ = c; else if (c == '\t') *p++ = '\\', *p++ = 't'; + else if (c == '/') + *p++ = '\\', *p++ = '/'; else if (c == '\n') *p++ = '\\', *p++ = 'n'; else if (c == '\r')
diff -r 026bff5ea1ed -r 88b854ad1437 jsontest.py
--- a/jsontest.py Tue Jul 27 19:54:30 2010 +0200
+++ b/jsontest.py Tue Jul 27 20:35:58 2010 +0200
@@ -89,12 +89,7 @@ def testWriteEscapedSolidus(self): s = cjson.encode(r'/') - #self.assertEqual(r'"\/"', _removeWhitespace(s)) - self.assertEqual('"/"', _removeWhitespace(s)) - - def testWriteNonEscapedSolidus(self): - s = cjson.encode(r'/') - self.assertEqual(r'"/"', _removeWhitespace(s)) + self.assertEqual(r'"\/"', _removeWhitespace(s)) def testWriteEscapedReverseSolidus(self): s = cjson.encode("\\")
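Review bot: in the 0001 hunk at `@@ -613,6 +613,25 @@`, the new comment explains where 10 and 6 come from but not the invariant the fix actually rests on: every escape this encoder writes for one source unichr is at most `expandsize` output bytes. One sentence stating that invariant (and that any future escape form must preserve it) would make the later removal of the in-loop resize easy to verify when the escape chain is next edited.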
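Review bot: in the 0001 hunk at `@@ -623,7 +642,7 @@`, `2 + expandsize*size + 1` is computed with no overflow check, so a sufficiently large input makes `expandsize*size` wrap a Py_ssize_t and the buffer comes out too small, which is the same class of defect this patch is closing. CPython's own unicode-escape encoder guards this with `if (size > (PY_SSIZE_T_MAX - 2 - 1) / expandsize) return PyErr_NoMemory();`; add the same check before the `PyString_FromStringAndSize` call.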
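Review bot: in the 0001 hunk at `@@ -644,15 +663,6 @@`, dropping the in-loop `_PyString_Resize` is only safe because the initial allocation now covers the worst case, so the trailing resize-to-actual-length outside this hunk becomes the sole size adjustment; please confirm it is still reached on every return path, otherwise callers receive a string padded to `2 + expandsize*size + 1` bytes. It is also worth recording why the old check was insufficient: `offset + 12 > PyString_GET_SIZE(repr)` only looked one `\U00xxxxxx` escape ahead, so narrow characters escaped as `\uxxxx` could consume the slack without ever triggering a resize.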
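Review bot: in the 0001 jsontest.py hunk at `@@ -316,6 +316,18 @@`, `testWriteLongUnicode` asserts the `\U0001d11e` form unconditionally, but on a narrow (UCS2) build `u'\U0001D11E'` is stored as a surrogate pair and the encoder, whose `\U` branch only exists under `#ifdef Py_UNICODE_WIDE`, emits `\ud834\udd1e` instead, so the test fails there even though the overflow it targets is UCS4-specific. Either skip the test when `sys.maxunicode <= 0xffff` or assert the surrogate-pair form in that case.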
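Review bot: the 0002 cjson.c hunk at `@@ -570,6 +570,8 @@` adds the `\/` escape only to the `char c` chain of the byte-string encoder; the unicode encoder patched in 0001 (from line 613 onward) has its own escape chain and is not touched, so `cjson.encode(u'/')` would still emit a bare solidus. If the purpose is to keep encoded output safe to embed inside a `<script>` element (so `</` can never appear in it), the unicode path needs the same two lines. Escaping `/` is permitted by the JSON grammar, so existing decoders accept either form.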
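Review bot: the 0002 jsontest.py hunk at `@@ -89,12 +89,7 @@` leaves only a `str` input under test; add a unicode case (`cjson.encode(u'/')` with the same `r'"\/"'` expectation) so the unicode encoder is covered by the regression test, and a decode assertion that `cjson.decode(r'"\/"')` yields `'/'` so the round-trip is locked in.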