
Question regarding CVE-2023-5072 #811

Open
velitchko-valkov opened this issue Oct 19, 2023 · 7 comments

Comments

@velitchko-valkov

Hey!
We just got a report that our version of Json in Java - 20131018 - has a new CVE threat.
We were wondering, is it compatible to port the changes which fix the CVE to its code and re-compile?

eamonnmcmanus@c8a9e15#diff-ef151e65679a81ad727c5af36a8d84dd867146a5da1dede68b4c37f4866ab57b

eamonnmcmanus@661114c#diff-ef151e65679a81ad727c5af36a8d84dd867146a5da1dede68b4c37f4866ab57b

Would you consider that safe for this older version? For various reasons we cannot update to the newest one.
Thanks!
Velitchko

@stleary
Owner

stleary commented Oct 19, 2023

@velitchko-valkov I think it should be fine, but will take a closer look later today, and will post then.
Does the change to Java 8 have anything to do with why you cannot upgrade?

@velitchko-valkov
Author

Thank you very much :)
No, the Java version is not an issue. We have a lot of software components which depend on the older version of org.json, and we are not sure how they will behave if we update. We are considering upgrading to this year's version, but it might reveal some hidden issues which we don't expect, so we are looking for potential workarounds like this patch.
Velitchko

@johnjaylward
Contributor

Personally I feel that going back that far (10 years...) is a bit much, but I'm not the one who does the releases, so... I'll leave that to stleary.

@stleary
Owner

stleary commented Oct 20, 2023

@velitchko-valkov Did you really mean 20131018? I just assumed that was a typo.
Which Java compiler are you using?

@velitchko-valkov
Author

velitchko-valkov commented Oct 20, 2023

Hey, we are using JDK 8 and JDK 11 as a compiler, alternating between several different versions of Java to ensure compatibility. On my machine in particular it's jdk1.8.0_131 or jdk11.0.2, depending on my setup.
Yes, we are using version 20131018. I hope this doesn't make the analysis impossible.
I tried applying the changes to the code from then, but I wasn't sure if it was a good idea (a lot of things have changed since then), hence I decided to ask.

@johnjaylward
Contributor

If you are using a version that old, I'd recommend you create your own branch off the release tag and then apply the patches. Us supporting a fork that old seems unrealistic.

@velitchko-valkov
Author

Hey, we did as you said: we applied the patch on the code from the old version, and so far there are no issues. We will also consider upgrading to the newest version at some point.
Feel free to close this :)
