pyrox.dev / nixpkgs
lol
fork atom

perlPackages.JSONXS: Patch for CVE-2025-40928

Stig Palmquist b01a8eb4 e6994e19

options
unified split
Changed files
+32
pkgs
development
perl-modules
JSON-XS-CVE-2025-40928.patch
top-level
perl-packages.nix
+31
pkgs/development/perl-modules/JSON-XS-CVE-2025-40928.patch 
···

       

       
1

       
+

       
--- a/XS.xs	2025-09-06 08:34:51.376455632 -0300


     

       

       
2

       
+

       
+++ b/XS.xs	2025-09-06 08:35:30.725873619 -0300


     

       

       
3

       
+

       
@@ -253,16 +253,16 @@


     

       

       
4

       
+

       
   // if we recurse too deep, skip all remaining digits


     

       

       
5

       
+

       
   // to avoid a stack overflow attack


     

       

       
6

       
+

       
   if (expect_false (--maxdepth <= 0))


     

       

       
7

       
+

       
-    while (((U8)*s - '0') < 10)


     

       

       
8

       
+

       
+    while ((U8)(*s - '0') < 10)


     

       

       
9

       
+

       
       ++s;


     

       

       
10

       
+

       
 


     

       

       
11

       
+

       
   for (;;)


     

       

       
12

       
+

       
     {


     

       

       
13

       
+

       
-      U8 dig = (U8)*s - '0';


     

       

       
14

       
+

       
+      U8 dig = *s - '0';


     

       

       
15

       
+

       
 


     

       

       
16

       
+

       
       if (expect_false (dig >= 10))


     

       

       
17

       
+

       
         {


     

       

       
18

       
+

       
-          if (dig == (U8)((U8)'.' - (U8)'0'))


     

       

       
19

       
+

       
+          if (dig == (U8)('.' - '0'))


     

       

       
20

       
+

       
             {


     

       

       
21

       
+

       
               ++s;


     

       

       
22

       
+

       
               json_atof_scan1 (s, accum, expo, 1, maxdepth);


     

       

       
23

       
+

       
@@ -282,7 +282,7 @@


     

       

       
24

       
+

       
               else if (*s == '+')


     

       

       
25

       
+

       
                 ++s;


     

       

       
26

       
+

       
 


     

       

       
27

       
+

       
-              while ((dig = (U8)*s - '0') < 10)


     

       

       
28

       
+

       
+              while ((dig = (U8)(*s - '0')) < 10)


     

       

       
29

       
+

       
                 exp2 = exp2 * 10 + *s++ - '0';


     

       

       
30

       
+

       
 


     

       

       
31

       
+

       
               *expo += neg ? -exp2 : exp2;
+1
pkgs/top-level/perl-packages.nix 
···

       
18304

       
18304

       
 

       
      url = "mirror://cpan/authors/id/M/ML/MLEHMANN/JSON-XS-4.03.tar.gz";


     

       
18305

       
18305

       
 

       
      hash = "sha256-UVU29F8voafojIgkUzdY0BIdJnq5y0U6G1iHyKVrkGg=";


     

       
18306

       
18306

       
 

       
    };


     

       

       
18307

       
+

       
    patches = [ ../development/perl-modules/JSON-XS-CVE-2025-40928.patch ];


     

       
18307

       
18308

       
 

       
    propagatedBuildInputs = [ TypesSerialiser ];


     

       
18308

       
18309

       
 

       
    buildInputs = [ CanaryStability ];


     

       
18309

       
18310

       
 

       
    meta = {