From 3e21373eb6c092732720f42bd905606097b44e0a Mon Sep 17 00:00:00 2001
From: Alex Miller <alex@puredanger.com>
Date: Tue, 5 Mar 2024 16:52:18 -0600
Subject: [PATCH] Improve GHSA-vr64-r9qj-h27f

---
 .../02/GHSA-vr64-r9qj-h27f/GHSA-vr64-r9qj-h27f.json  | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/advisories/github-reviewed/2024/02/GHSA-vr64-r9qj-h27f/GHSA-vr64-r9qj-h27f.json b/advisories/github-reviewed/2024/02/GHSA-vr64-r9qj-h27f/GHSA-vr64-r9qj-h27f.json
index c7e0a42f7b2cb..4579b5de38eb2 100644
--- a/advisories/github-reviewed/2024/02/GHSA-vr64-r9qj-h27f/GHSA-vr64-r9qj-h27f.json
+++ b/advisories/github-reviewed/2024/02/GHSA-vr64-r9qj-h27f/GHSA-vr64-r9qj-h27f.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vr64-r9qj-h27f",
-  "modified": "2024-03-01T16:56:52Z",
+  "modified": "2024-03-01T16:56:53Z",
   "published": "2024-02-29T03:33:18Z",
   "aliases": [
     "CVE-2024-22871"
   ],
-  "summary": "Clojure Denial of Service vulnerability",
-  "details": "An issue in Clojure versions 1.2.0 to 1.12.0-alpha5 allows an attacker to cause a denial of service (DoS) via the `clojure.core$partial$fn__5920` function.",
+  "summary": "Reading specially crafted serializable objects from an untrusted source may cause an infinite loop and denial of service",
+  "details": "Any program on the JVM may read serialized objects via [java.io.ObjectInputStream.readObject()](https://docs.oracle.com/javase/8/docs/api/java/io/ObjectInputStream.html#readObject--). Reading serialized objects from an untrusted source is **inherently unsafe** (this affects any program running on any version of the JVM) and is a prerequisite for this vulnerability.\n\nClojure classes that represent infinite seqs (Cycle, infinite Repeat, and Iterate) do not define hashCode() and use the parent ASeq.hashCode(), which walks the seq to compute the hash, yielding an infinite loop. Classes like java.util.HashMap call hashCode() on keys during deserialization of a serialized map. \n\nThe exploit requires:\n\n1. Crafting a serialized HashMap object with an infinite seq object as a key.\n2. Sending that to a program that reads serialized objects via ObjectInputStream.readObject().\n\nThis will cause the program to enter an infinite loop on the reading thread and thus a denial of service (DoS).\n\nThe affected Clojure classes (Cycle, Repeat, Iterate) exist in Clojure 1.2.0-1.12.0-alpha8.",
   "severity": [
 
   ],
@@ -25,7 +25,7 @@
               "introduced": "1.2.0"
             },
             {
-              "last_affected": "1.12.0-alpha5"
+              "last_affected": "1.12.0-alpha8"
             }
           ]
         }
@@ -37,6 +37,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22871"
     },
+    {
+      "type": "WEB",
+      "url": "https://clojure.atlassian.net/browse/CLJ-2839"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/clojure/clojure"