Question regarding CVE-2023-5072

[velitchko-valkov]

Hey!
We just got a report that our version of Json in Java - 20131018 , has a new CVE threat.
We were wondering, is it compatible to port the changes which fix the CVE to its code and re-compile?

eamonnmcmanus@c8a9e15#diff-ef151e65679a81ad727c5af36a8d84dd867146a5da1dede68b4c37f4866ab57b

eamonnmcmanus@661114c#diff-ef151e65679a81ad727c5af36a8d84dd867146a5da1dede68b4c37f4866ab57b

Would you consider that safe for this older version? For various reasons we cannot update to the newest one.
Thanks!
Velitchko

[stleary]

@velitchko-valkov I think it should be fine, but will take a closer look later today, and will post then.
Does the change to Java 8 have anything to do with why you cannot upgrade?

[velitchko-valkov]

Thank you very much :)
No, the java version is not an issue. We have a lot of software components which depend on the older version of org.json,and we are not sure how they will behave if we update. We are considering to upgrade to this year's version,but it might reveal some hidden issues which we don't expect, so we are looking for potential workarounds like this patch.
Velitchko

[johnjaylward]

Personally I feel that going back that far (10 years...) is a bit much, but I'm not the one who does the releases, so... I'll leave that to stleary.

[stleary]

@velitchko-valkov Did you really mean 20131018? I just assumed that was a typo.
Which Java compiler are you using?

[velitchko-valkov]

Hey, we are using JDK 8 and JDK 11 as a compiler, alternating between several different versions of Java to ensure compatibility. On my machine in particular it's jdk1.8.0_131 or jdk11.0.2, depending on my setup.
Yes,we are using version 20131018. I hope this doesn't make the analysis impossible.
I tried applying the changes to the code from then, but I wasn't sure if it was a good idea (a lot of things have changed since then) , hence I decided to ask.

[johnjaylward]

If you are using a version that old, I'd recommend you create your own branch off the release tag and then apply the patches. Us supporting a fork that old seems unrealistic.

[velitchko-valkov]

Hey, we did as you said, we applied the patch on the code from the old version, so far there are no issues. We will also consider to upgrade to the newest version at some point.
Feel free to close this :)

[stleary]

Closing due to issue resolved