JSON-java
Question regarding CVE-2023-5072
Hey! We just got a report that our version of JSON in Java - 20131018, has a new CVE threat. We were wondering, is it compatible to port the changes which fix the CVE to its code and re-compile?
https://github.com/eamonnmcmanus/JSON-java/commit/c8a9e15a57886dbf3e51cd450bde8e0c4599bff3#diff-ef151e65679a81ad727c5af36a8d84dd867146a5da1dede68b4c37f4866ab57b
https://github.com/eamonnmcmanus/JSON-java/commit/661114c50dcfd53bb041aab66f14bb91e0a87c8a#diff-ef151e65679a81ad727c5af36a8d84dd867146a5da1dede68b4c37f4866ab57b
Would you consider that safe for this older version? For various reasons we cannot update to the newest one. Thanks! Velitchko
@velitchko-valkov I think it should be fine, but will take a closer look later today, and will post then. Does the change to Java 8 have anything to do with why you cannot upgrade?
Thank you very much :) No, the Java version is not an issue. We have a lot of software components which depend on the older version of org.json, and we are not sure how they will behave if we update. We are considering upgrading to this year's version, but it might reveal some hidden issues which we don't expect, so we are looking for potential workarounds like this patch. Velitchko
Personally I feel that going back that far (10 years...) is a bit much, but I'm not the one who does the releases, so... I'll leave that to stleary.
@velitchko-valkov Did you really mean 20131018? I just assumed that was a typo. Which Java compiler are you using?
Hey, we are using JDK 8 and JDK 11 as a compiler, alternating between several different versions of Java to ensure compatibility. On my machine in particular it's jdk1.8.0_131 or jdk11.0.2, depending on my setup. Yes, we are using version 20131018. I hope this doesn't make the analysis impossible. I tried applying the changes to the code from then, but I wasn't sure if it was a good idea (a lot of things have changed since then), hence I decided to ask.
If you are using a version that old, I'd recommend you create your own branch off the release tag and then apply the patches. Us supporting a fork that old seems unrealistic.
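The workflow suggested above (branch off the old release tag, apply the fix commits, rebuild and test) rehearsed end to end, as an added example that is not part of this thread or of the project. It runs against a constructed throwaway repository so it works offline: the tag name `20131018`, the file contents and the single fix commit are all constructed here. The comments give the equivalent commands against the real repository, where the two commit hashes quoted in the thread are fetched from the fork; the upstream tag name for the 20131018 release is an assumption and is left as a placeholder.

```shell
#!/bin/sh
# Added example, not project code: rehearse a backport of upstream fix commits
# onto a maintenance branch cut from an old release tag.
#
# Against the real repository the same steps look like this (assumed remote
# name; the tag name for the 20131018 release is a placeholder to fill in):
#   git clone https://github.com/stleary/JSON-java.git && cd JSON-java
#   git remote add eamonnmcmanus https://github.com/eamonnmcmanus/JSON-java.git
#   git fetch eamonnmcmanus
#   git checkout -b backport-cve-2023-5072 <TAG-FOR-20131018>
#   git log --oneline c8a9e15a57886dbf3e51cd450bde8e0c4599bff3 661114c50dcfd53bb041aab66f14bb91e0a87c8a -n 2
#   git cherry-pick -x <older commit> <newer commit>   # in upstream order
#   <rebuild and run the test suite on the branch>
set -eu

# Constructed repository: an "old release" tagged like the user's version,
# unrelated later work, then the fix commit on top of that work.
make_repo() {
    dir=$(mktemp -d)
    (
        cd "$dir"
        git init -q .
        git config user.email "example@example.invalid"
        git config user.name "example"
        printf 'parse(input) { return raw(input); }\n' > Parser.java
        git add Parser.java
        git commit -q -m "old release"
        git tag 20131018                       # assumed tag name
        printf 'unrelated new feature\n' > Feature.java
        git add Feature.java
        git commit -q -m "years of unrelated changes"
        printf 'parse(input) { check(input); return raw(input); }\n' > Parser.java
        git add Parser.java
        git commit -q -m "fix: validate input before parsing"
    )
    echo "$dir"
}

# The backport: a maintenance branch off the old tag, the fix cherry-picked
# onto it. -x records the origin commit hash in the new commit message so the
# branch documents exactly which upstream change it carries.
backport() {
    git -C "$1" checkout -q -b backport-cve-2023-5072 20131018
    git -C "$1" cherry-pick -x "$2" >/dev/null
}

# Verification helpers: what Parser.java looks like on the branch, how many
# commits sit past the tag, and whether unrelated work leaked in.
parser_on_branch() {
    git -C "$1" show backport-cve-2023-5072:Parser.java
}
commits_past_tag() {
    git -C "$1" rev-list --count 20131018..backport-cve-2023-5072
}
has_unrelated_file() {
    git -C "$1" cat-file -e backport-cve-2023-5072:Feature.java 2>/dev/null
}

# Stand-alone run: build the repo, backport the tip commit, show the result.
if [ "${1:-}" = "run" ]; then
    repo=$(make_repo)
    backport "$repo" "$(git -C "$repo" rev-parse HEAD)"
    parser_on_branch "$repo"
    echo "commits past tag: $(commits_past_tag "$repo")"
    rm -rf "$repo"
fi
```

Run it with `sh backport.sh run`. The two checks after the cherry-pick are the point: `git rev-list --count <tag>..<branch>` should equal the number of fix commits you picked and nothing more, and files touched only by unrelated later work must not exist on the branch. If a cherry-pick reports a conflict, the intervening years of changes mean the fix no longer applies as a clean diff, and the conflicting hunks have to be ported by hand and re-tested rather than forced through.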
Hey, we did as you said: we applied the patch on the code from the old version, and so far there are no issues. We will also consider upgrading to the newest version at some point. Feel free to close this :)
Closing as the issue is resolved.