Loading pkgs/development/perl-modules/Cpanel-JSON-XS-CVE-2025-40929.patch 0 → 100644 +47 −0 Original line number Diff line number Diff line From 5592bfb58eb8d1c8a644e67c9bba795d1384a995 Mon Sep 17 00:00:00 2001 From: Marc Lehmann <schmorp@schmorp.de> Date: Sat, 6 Sep 2025 11:31:36 +0200 Subject: [PATCH 1/2] fix json_atof_scan1 overflows with fuzzed overlong numbers. CVE-2025-40928 Really the comparisons were wrong. --- XS.xs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/XS.xs b/XS.xs index 9b1ce2b..94ab0d6 100755 --- a/XS.xs +++ b/XS.xs @@ -710,16 +710,16 @@ json_atof_scan1 (const char *s, NV *accum, int *expo, int postdp, int maxdepth) /* if we recurse too deep, skip all remaining digits */ /* to avoid a stack overflow attack */ if (UNLIKELY(--maxdepth <= 0)) - while (((U8)*s - '0') < 10) + while ((U8)(*s - '0') < 10) ++s; for (;;) { - U8 dig = (U8)*s - '0'; + U8 dig = (U8)(*s - '0'); if (UNLIKELY(dig >= 10)) { - if (dig == (U8)((U8)'.' - (U8)'0')) + if (dig == (U8)('.' - '0')) { ++s; json_atof_scan1 (s, accum, expo, 1, maxdepth); @@ -739,7 +739,7 @@ json_atof_scan1 (const char *s, NV *accum, int *expo, int postdp, int maxdepth) else if (*s == '+') ++s; - while ((dig = (U8)*s - '0') < 10) + while ((dig = (U8)(*s - '0')) < 10) exp2 = exp2 * 10 + *s++ - '0'; *expo += neg ? -exp2 : exp2; -- 2.50.1 pkgs/development/perl-modules/JSON-XS-CVE-2025-40928.patch 0 → 100644 +31 −0 Original line number Diff line number Diff line --- a/XS.xs 2025-09-06 08:34:51.376455632 -0300 +++ b/XS.xs 2025-09-06 08:35:30.725873619 -0300 @@ -253,16 +253,16 @@ // if we recurse too deep, skip all remaining digits // to avoid a stack overflow attack if (expect_false (--maxdepth <= 0)) - while (((U8)*s - '0') < 10) + while ((U8)(*s - '0') < 10) ++s; for (;;) { - U8 dig = (U8)*s - '0'; + U8 dig = *s - '0'; if (expect_false (dig >= 10)) { - if (dig == (U8)((U8)'.' - (U8)'0')) + if (dig == (U8)('.' - '0')) { ++s; json_atof_scan1 (s, accum, expo, 1, maxdepth); 
@@ -282,7 +282,7 @@ else if (*s == '+') ++s; - while ((dig = (U8)*s - '0') < 10) + while ((dig = (U8)(*s - '0')) < 10) exp2 = exp2 * 10 + *s++ - '0'; *expo += neg ? -exp2 : exp2; pkgs/top-level/perl-packages.nix +2 −0 Original line number Diff line number Diff line Loading @@ -6645,6 +6645,7 @@ with self; url = "mirror://cpan/authors/id/R/RU/RURBAN/Cpanel-JSON-XS-4.37.tar.gz"; hash = "sha256-wkFhWg4X/3Raqoa79Gam4pzSQFFeZfBqegUBe2GebUs="; }; patches = [ ../development/perl-modules/Cpanel-JSON-XS-CVE-2025-40929.patch ]; meta = { description = "CPanel fork of JSON::XS, fast and correct serializing"; license = with lib.licenses; [ Loading Loading @@ -18308,6 +18309,7 @@ with self; url = "mirror://cpan/authors/id/M/ML/MLEHMANN/JSON-XS-4.03.tar.gz"; hash = "sha256-UVU29F8voafojIgkUzdY0BIdJnq5y0U6G1iHyKVrkGg="; }; patches = [ ../development/perl-modules/JSON-XS-CVE-2025-40928.patch ]; propagatedBuildInputs = [ TypesSerialiser ]; buildInputs = [ CanaryStability ]; meta = { Loading
pkgs/development/perl-modules/Cpanel-JSON-XS-CVE-2025-40929.patch 0 → 100644 +47 −0 Original line number Diff line number Diff line From 5592bfb58eb8d1c8a644e67c9bba795d1384a995 Mon Sep 17 00:00:00 2001 From: Marc Lehmann <schmorp@schmorp.de> Date: Sat, 6 Sep 2025 11:31:36 +0200 Subject: [PATCH 1/2] fix json_atof_scan1 overflows with fuzzed overlong numbers. CVE-2025-40928 Really the comparisons were wrong. --- XS.xs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/XS.xs b/XS.xs index 9b1ce2b..94ab0d6 100755 --- a/XS.xs +++ b/XS.xs @@ -710,16 +710,16 @@ json_atof_scan1 (const char *s, NV *accum, int *expo, int postdp, int maxdepth) /* if we recurse too deep, skip all remaining digits */ /* to avoid a stack overflow attack */ if (UNLIKELY(--maxdepth <= 0)) - while (((U8)*s - '0') < 10) + while ((U8)(*s - '0') < 10) ++s; for (;;) { - U8 dig = (U8)*s - '0'; + U8 dig = (U8)(*s - '0'); if (UNLIKELY(dig >= 10)) { - if (dig == (U8)((U8)'.' - (U8)'0')) + if (dig == (U8)('.' - '0')) { ++s; json_atof_scan1 (s, accum, expo, 1, maxdepth); @@ -739,7 +739,7 @@ json_atof_scan1 (const char *s, NV *accum, int *expo, int postdp, int maxdepth) else if (*s == '+') ++s; - while ((dig = (U8)*s - '0') < 10) + while ((dig = (U8)(*s - '0')) < 10) exp2 = exp2 * 10 + *s++ - '0'; *expo += neg ? -exp2 : exp2; -- 2.50.1
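Review bot: The embedded mail header names CVE-2025-40928 and is marked `[PATCH 1/2]`, while the file is carried as Cpanel-JSON-XS-CVE-2025-40929.patch, so the patch alone does not show which advisory it closes for this package or whether a second patch of the series is also required. A short provenance note above the `From` line would settle both, for example `Origin: <upstream commit URL>` plus one line saying the change was written for JSON::XS and is applied here to the Cpanel fork's copy of json_atof_scan1. The four changed comparisons themselves look consistent: each now narrows the difference with `(U8)(*s - '0')`, so bytes below '0' no longer pass the `< 10` test.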
pkgs/development/perl-modules/JSON-XS-CVE-2025-40928.patch 0 → 100644 +31 −0 Original line number Diff line number Diff line --- a/XS.xs 2025-09-06 08:34:51.376455632 -0300 +++ b/XS.xs 2025-09-06 08:35:30.725873619 -0300 @@ -253,16 +253,16 @@ // if we recurse too deep, skip all remaining digits // to avoid a stack overflow attack if (expect_false (--maxdepth <= 0)) - while (((U8)*s - '0') < 10) + while ((U8)(*s - '0') < 10) ++s; for (;;) { - U8 dig = (U8)*s - '0'; + U8 dig = *s - '0'; if (expect_false (dig >= 10)) { - if (dig == (U8)((U8)'.' - (U8)'0')) + if (dig == (U8)('.' - '0')) { ++s; json_atof_scan1 (s, accum, expo, 1, maxdepth); @@ -282,7 +282,7 @@ else if (*s == '+') ++s; - while ((dig = (U8)*s - '0') < 10) + while ((dig = (U8)(*s - '0')) < 10) exp2 = exp2 * 10 + *s++ - '0'; *expo += neg ? -exp2 : exp2;
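Review bot: The exponent loop in the second hunk still accumulates `exp2 = exp2 * 10 + *s++ - '0'` for as many digits as the input supplies, and the corrected comparison does nothing to bound that. exp2 is declared outside the hunk; if it is a signed int, as the `*expo += neg ? -exp2 : exp2` line suggests, a very long exponent overflows it, which is undefined behaviour in C. A saturating body such as `if (exp2 < 100000) exp2 = exp2 * 10 + dig; ++s;` would close that, and it belongs upstream rather than in this vendored copy; the same loop appears in the Cpanel-JSON-XS patch. Minor: `U8 dig = *s - '0';` relies on implicit narrowing where the other three sites cast explicitly with `(U8)(*s - '0')`.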
pkgs/top-level/perl-packages.nix +2 −0 Original line number Diff line number Diff line Loading @@ -6645,6 +6645,7 @@ with self; url = "mirror://cpan/authors/id/R/RU/RURBAN/Cpanel-JSON-XS-4.37.tar.gz"; hash = "sha256-wkFhWg4X/3Raqoa79Gam4pzSQFFeZfBqegUBe2GebUs="; }; patches = [ ../development/perl-modules/Cpanel-JSON-XS-CVE-2025-40929.patch ]; meta = { description = "CPanel fork of JSON::XS, fast and correct serializing"; license = with lib.licenses; [ Loading Loading @@ -18308,6 +18309,7 @@ with self; url = "mirror://cpan/authors/id/M/ML/MLEHMANN/JSON-XS-4.03.tar.gz"; hash = "sha256-UVU29F8voafojIgkUzdY0BIdJnq5y0U6G1iHyKVrkGg="; }; patches = [ ../development/perl-modules/JSON-XS-CVE-2025-40928.patch ]; propagatedBuildInputs = [ TypesSerialiser ]; buildInputs = [ CanaryStability ]; meta = {
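Review bot: Neither added `patches` entry says which advisory it addresses or when it can be dropped, so the vendored fixes are likely to outlive the version bump that makes them redundant. A comment beside each would keep that visible, e.g. `# CVE-2025-40929; drop when updating Cpanel-JSON-XS past 4.37 to a release that contains the fix`, and likewise for JSON-XS 4.03 with CVE-2025-40928. Both patch files are copied into the tree rather than fetched with a pinned hash, so their provenance rests on this review alone. If upstream commit URLs exist, `fetchpatch` would make the origin checkable.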