diff --git a/pkgs/development/perl-modules/Cpanel-JSON-XS-CVE-2025-40929.patch b/pkgs/development/perl-modules/Cpanel-JSON-XS-CVE-2025-40929.patch new file mode 100644 index 000000000000..0f76f7313fde --- /dev/null +++ b/pkgs/development/perl-modules/Cpanel-JSON-XS-CVE-2025-40929.patch @@ -0,0 +1,47 @@ +From 5592bfb58eb8d1c8a644e67c9bba795d1384a995 Mon Sep 17 00:00:00 2001 +From: Marc Lehmann +Date: Sat, 6 Sep 2025 11:31:36 +0200 +Subject: [PATCH 1/2] fix json_atof_scan1 overflows + +with fuzzed overlong numbers. CVE-2025-40928 +Really the comparisons were wrong. +--- + XS.xs | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/XS.xs b/XS.xs +index 9b1ce2b..94ab0d6 100755 +--- a/XS.xs ++++ b/XS.xs +@@ -710,16 +710,16 @@ json_atof_scan1 (const char *s, NV *accum, int *expo, int postdp, int maxdepth) + /* if we recurse too deep, skip all remaining digits */ + /* to avoid a stack overflow attack */ + if (UNLIKELY(--maxdepth <= 0)) +- while (((U8)*s - '0') < 10) ++ while ((U8)(*s - '0') < 10) + ++s; + + for (;;) + { +- U8 dig = (U8)*s - '0'; ++ U8 dig = (U8)(*s - '0'); + + if (UNLIKELY(dig >= 10)) + { +- if (dig == (U8)((U8)'.' - (U8)'0')) ++ if (dig == (U8)('.' - '0')) + { + ++s; + json_atof_scan1 (s, accum, expo, 1, maxdepth); +@@ -739,7 +739,7 @@ json_atof_scan1 (const char *s, NV *accum, int *expo, int postdp, int maxdepth) + else if (*s == '+') + ++s; + +- while ((dig = (U8)*s - '0') < 10) ++ while ((dig = (U8)(*s - '0')) < 10) + exp2 = exp2 * 10 + *s++ - '0'; + + *expo += neg ? -exp2 : exp2; +-- +2.50.1 + diff --git a/pkgs/development/perl-modules/JSON-XS-CVE-2025-40928.patch b/pkgs/development/perl-modules/JSON-XS-CVE-2025-40928.patch new file mode 100644 index 000000000000..f1d258c12a3d --- /dev/null +++ b/pkgs/development/perl-modules/JSON-XS-CVE-2025-40928.patch @@ -0,0 +1,31 @@ +--- a/XS.xs 2025-09-06 08:34:51.376455632 -0300 ++++ b/XS.xs 2025-09-06 08:35:30.725873619 -0300 +@@ -253,16 +253,16 @@ + // if we recurse too deep, skip all remaining digits + // to avoid a stack overflow attack + if (expect_false (--maxdepth <= 0)) +- while (((U8)*s - '0') < 10) ++ while ((U8)(*s - '0') < 10) + ++s; + + for (;;) + { +- U8 dig = (U8)*s - '0'; ++ U8 dig = *s - '0'; + + if (expect_false (dig >= 10)) + { +- if (dig == (U8)((U8)'.' - (U8)'0')) ++ if (dig == (U8)('.' - '0')) + { + ++s; + json_atof_scan1 (s, accum, expo, 1, maxdepth); +@@ -282,7 +282,7 @@ + else if (*s == '+') + ++s; + +- while ((dig = (U8)*s - '0') < 10) ++ while ((dig = (U8)(*s - '0')) < 10) + exp2 = exp2 * 10 + *s++ - '0'; + + *expo += neg ? -exp2 : exp2; diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix index f2c0c80b136e..65e95e54aefc 100644 --- a/pkgs/top-level/perl-packages.nix +++ b/pkgs/top-level/perl-packages.nix @@ -6645,6 +6645,7 @@ with self; url = "mirror://cpan/authors/id/R/RU/RURBAN/Cpanel-JSON-XS-4.37.tar.gz"; hash = "sha256-wkFhWg4X/3Raqoa79Gam4pzSQFFeZfBqegUBe2GebUs="; }; + patches = [ ../development/perl-modules/Cpanel-JSON-XS-CVE-2025-40929.patch ]; meta = { description = "CPanel fork of JSON::XS, fast and correct serializing"; license = with lib.licenses; [ @@ -18308,6 +18309,7 @@ with self; url = "mirror://cpan/authors/id/M/ML/MLEHMANN/JSON-XS-4.03.tar.gz"; hash = "sha256-UVU29F8voafojIgkUzdY0BIdJnq5y0U6G1iHyKVrkGg="; }; + patches = [ ../development/perl-modules/JSON-XS-CVE-2025-40928.patch ]; propagatedBuildInputs = [ TypesSerialiser ]; buildInputs = [ CanaryStability ]; meta = {