* [Buildroot] [PATCH] package/cjson: security bump to version 1.7.19
@ 2025-09-16 9:31 Peter Korsgaard
From: Peter Korsgaard @ 2025-09-16 9:31 UTC (permalink / raw)
To: buildroot
Fixes the following security issue:
CVE-2025-57052: cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via
the decode_array_index_from_pointer function in cJSON_Utils.c, allowing
remote attackers to bypass array bounds checking and access restricted data
via malformed JSON pointer strings containing alphanumeric characters
https://nvd.nist.gov/vuln/detail/CVE-2025-57052
https://x-0r.com/posts/cJSON-Array-Index-Parsing-Vulnerability
https://github.com/DaveGamble/cJSON/commit/74e1ff4994aa4139126967f6d289b675b4b36fef
https://github.com/DaveGamble/cJSON/releases/tag/v1.7.19
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/cjson/0001-make_compatible_with_cmake_4.0.patch | 4 +++-
package/cjson/cjson.hash | 2 +-
package/cjson/cjson.mk | 2 +-
3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/package/cjson/0001-make_compatible_with_cmake_4.0.patch b/package/cjson/0001-make_compatible_with_cmake_4.0.patch
index 1fe5cd43ef..684773e4da 100644
--- a/package/cjson/0001-make_compatible_with_cmake_4.0.patch
+++ b/package/cjson/0001-make_compatible_with_cmake_4.0.patch
@@ -16,6 +16,8 @@ CMake Error at CMakeLists.txt:2 (cmake_minimum_required):
This change raises the minimum required CMake version to 3.5 and thus makes the project compatible with CMake 4.0
Signed-off-by: Benoît Monin <benoit.monin@bootlin.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+Peter: update for 1.7.19
Upstream: https://github.com/DaveGamble/cJSON/pull/935
---
CMakeLists.txt | 2 +-
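Review bot: the refreshed header still carries `Upstream: https://github.com/DaveGamble/cJSON/pull/935`, so before this patch is carried forward to 1.7.19 it is worth confirming that PR 935 is still unmerged in the v1.7.19 tag; if upstream has taken it, the patch should be dropped rather than refreshed. Also, the free-form line `+Peter: update for 1.7.19` lands after the Signed-off-by trailers; placing such a note above the trailer block (or in the Buildroot commit message) keeps the trailers parseable by git's trailer tooling.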
@@ -31,4 +33,4 @@ index 36a6cb57..9428da58 100644
+cmake_minimum_required(VERSION 3.5)
project(cJSON
- VERSION 1.7.18
+ VERSION 1.7.19
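Review bot: only the `VERSION` context line is refreshed in this hunk, while the nested `index 36a6cb57..9428da58` line from the embedded patch still refers to the 1.7.18 blob ids. `patch` ignores that line, so the refreshed patch applies, but regenerating the file with `git format-patch` against v1.7.19 would keep the embedded metadata consistent with the context it now claims to match.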
diff --git a/package/cjson/cjson.hash b/package/cjson/cjson.hash
index e07ae0f7bf..a876ffafe8 100644
--- a/package/cjson/cjson.hash
+++ b/package/cjson/cjson.hash
@@ -1,3 +1,3 @@
# Locally computed:
-sha256 3aa806844a03442c00769b83e99970be70fbef03735ff898f4811dd03b9f5ee5 cjson-1.7.18.tar.gz
+sha256 7fa616e3046edfa7a28a32d5f9eacfd23f92900fe1f8ccd988c1662f30454562 cjson-1.7.19.tar.gz
sha256 a36dda207c36db5818729c54e7ad4e8b0c6fba847491ba64f372c1a2037b6d5c LICENSE
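Review bot: the new tarball hash is marked `# Locally computed:`; for a security bump it is worth stating in the commit message how the 1.7.19 tarball was checked (for example that the hash matches the archive published under the release tag URL given above), since a locally computed hash only pins what was downloaded and does not by itself authenticate it. The unchanged LICENSE hash confirms the license text did not change between the two releases.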
diff --git a/package/cjson/cjson.mk b/package/cjson/cjson.mk
index 35304ec618..e0320770cb 100644
--- a/package/cjson/cjson.mk
+++ b/package/cjson/cjson.mk
@@ -4,7 +4,7 @@
#
################################################################################
-CJSON_VERSION = 1.7.18
+CJSON_VERSION = 1.7.19
CJSON_SITE = $(call github,DaveGamble,cjson,v$(CJSON_VERSION))
CJSON_INSTALL_STAGING = YES
CJSON_LICENSE = MIT
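Review bot: bumping `CJSON_VERSION` to 1.7.19 is the whole fix for this CVE, but whether Buildroot's CVE checker sees this package as fixed depends on the CPE id it reports; as raised later in this thread, NVD now files this CVE under `davegamble:cjson` while the package still identifies itself as `cjson_project:cjson`, so a follow-up adjusting the package's CPE vendor id (`CJSON_CPE_ID_VENDOR`) is needed for this and future cJSON CVEs to be matched at all.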
--
2.39.5
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
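The CVE description in the commit message concerns how an array-index token taken from a JSON pointer is parsed in cJSON_Utils.c. As an added example that is not cJSON's own code, here is a strict RFC 6901 index parser next to a bounds-checked lookup; the function names `index_from_token` and `array_lookup` and the sample array are assumptions made for the demonstration.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Added example, not cJSON's code. The defect class behind CVE-2025-57052
 * is an array-index parser that accepts more than a valid index; RFC 6901
 * allows only "0" or digits without a leading zero, and nothing else in
 * the reference token. Both functions below enforce that, then bounds-check. */

/* Parse one reference token (len bytes, not NUL-terminated) as an index.
 * Returns the index, or -1 if the token is not a valid index, so "1a",
 * "01", "" and "-" are rejected rather than truncated to a number. */
long index_from_token(const char *token, size_t len)
{
    long value = 0;
    if (token == NULL || len == 0)
        return -1;
    if (token[0] == '0' && len > 1)               /* leading zero is invalid */
        return -1;
    for (size_t i = 0; i < len; i++) {
        int digit = token[i] - '0';
        if (digit < 0 || digit > 9)               /* any non-digit: invalid */
            return -1;
        if (value > (LONG_MAX - digit) / 10)      /* overflow guard */
            return -1;
        value = value * 10 + digit;
    }
    return value;
}

/* Resolve a single-level pointer such as "/2" against a C array. The token
 * runs up to the next '/' or the end of the string, so trailing characters
 * as in "/1abc" belong to the token and make it invalid. Returns NULL for a
 * malformed pointer, a nested pointer, or an index outside [0, count). */
const int *array_lookup(const int *items, size_t count, const char *pointer)
{
    if (items == NULL || pointer == NULL || pointer[0] != '/')
        return NULL;
    const char *token = pointer + 1;
    size_t len = strcspn(token, "/");             /* token ends at next '/' */
    if (token[len] == '/')                        /* nested pointer: not handled */
        return NULL;
    long index = index_from_token(token, len);
    if (index < 0 || (size_t)index >= count)      /* check against real length */
        return NULL;
    return &items[index];
}

/* Constructed sample array for trying the lookup. */
const int sample_items[] = { 10, 20, 30 };
```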
* Re: [Buildroot] [PATCH] package/cjson: security bump to version 1.7.19
From: Thomas Perale via buildroot @ 2025-09-16 13:51 UTC (permalink / raw)
To: Peter Korsgaard; +Cc: Thomas Perale, buildroot
Hi Peter,
In reply to:
> Fixes the following security issue:
>
> CVE-2025-57052: cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via
> the decode_array_index_from_pointer function in cJSON_Utils.c, allowing
> remote attackers to bypass array bounds checking and access restricted data
> via malformed JSON pointer strings containing alphanumeric characters
>
> https://nvd.nist.gov/vuln/detail/CVE-2025-57052
> https://x-0r.com/posts/cJSON-Array-Index-Parsing-Vulnerability
> https://github.com/DaveGamble/cJSON/commit/74e1ff4994aa4139126967f6d289b675b4b36fef
> https://github.com/DaveGamble/cJSON/releases/tag/v1.7.19
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
I see the CPE reported on NVD for this CVE is the following
cpe:2.3:a:davegamble:cjson:1.7.18:*:*:*:*:*:*:* while the one present in
Buildroot is cpe:2.3:a:cjson_project:cjson:1.7.18:*:*:*:*:*:*:*.
Is 'cjson_project:cjson' still in use?
Regards,
PERALE Thomas
> ---
> package/cjson/0001-make_compatible_with_cmake_4.0.patch | 4 +++-
> package/cjson/cjson.hash | 2 +-
> package/cjson/cjson.mk | 2 +-
> 3 files changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/package/cjson/0001-make_compatible_with_cmake_4.0.patch b/package/cjson/0001-make_compatible_with_cmake_4.0.patch
> index 1fe5cd43ef..684773e4da 100644
> --- a/package/cjson/0001-make_compatible_with_cmake_4.0.patch
> +++ b/package/cjson/0001-make_compatible_with_cmake_4.0.patch
> @@ -16,6 +16,8 @@ CMake Error at CMakeLists.txt:2 (cmake_minimum_required):
> This change raises the minimum required CMake version to 3.5 and thus makes the project compatible with CMake 4.0
>
> Signed-off-by: Benoît Monin <benoit.monin@bootlin.com>
> +Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> +Peter: update for 1.7.19
> Upstream: https://github.com/DaveGamble/cJSON/pull/935
> ---
> CMakeLists.txt | 2 +-
> @@ -31,4 +33,4 @@ index 36a6cb57..9428da58 100644
> +cmake_minimum_required(VERSION 3.5)
>
> project(cJSON
> - VERSION 1.7.18
> + VERSION 1.7.19
> diff --git a/package/cjson/cjson.hash b/package/cjson/cjson.hash
> index e07ae0f7bf..a876ffafe8 100644
> --- a/package/cjson/cjson.hash
> +++ b/package/cjson/cjson.hash
> @@ -1,3 +1,3 @@
> # Locally computed:
> -sha256 3aa806844a03442c00769b83e99970be70fbef03735ff898f4811dd03b9f5ee5 cjson-1.7.18.tar.gz
> +sha256 7fa616e3046edfa7a28a32d5f9eacfd23f92900fe1f8ccd988c1662f30454562 cjson-1.7.19.tar.gz
> sha256 a36dda207c36db5818729c54e7ad4e8b0c6fba847491ba64f372c1a2037b6d5c LICENSE
> diff --git a/package/cjson/cjson.mk b/package/cjson/cjson.mk
> index 35304ec618..e0320770cb 100644
> --- a/package/cjson/cjson.mk
> +++ b/package/cjson/cjson.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -CJSON_VERSION = 1.7.18
> +CJSON_VERSION = 1.7.19
> CJSON_SITE = $(call github,DaveGamble,cjson,v$(CJSON_VERSION))
> CJSON_INSTALL_STAGING = YES
> CJSON_LICENSE = MIT
> --
> 2.39.5
>
* Re: [Buildroot] [PATCH] package/cjson: security bump to version 1.7.19
From: Peter Korsgaard @ 2025-09-16 14:06 UTC (permalink / raw)
To: Thomas Perale; +Cc: buildroot
>>>>> "Thomas" == Thomas Perale <thomas.perale@mind.be> writes:
> Hi Peter,
> In reply to:
>> Fixes the following security issue:
>>
>> CVE-2025-57052: cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via
>> the decode_array_index_from_pointer function in cJSON_Utils.c, allowing
>> remote attackers to bypass array bounds checking and access restricted data
>> via malformed JSON pointer strings containing alphanumeric characters
>>
>> https://nvd.nist.gov/vuln/detail/CVE-2025-57052
>> https://x-0r.com/posts/cJSON-Array-Index-Parsing-Vulnerability
>> https://github.com/DaveGamble/cJSON/commit/74e1ff4994aa4139126967f6d289b675b4b36fef
>> https://github.com/DaveGamble/cJSON/releases/tag/v1.7.19
>>
>> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> I see the CPE reported on NVD for this CVE is the following
> cpe:2.3:a:davegamble:cjson:1.7.18:*:*:*:*:*:*:* while the one present in
> Buildroot is cpe:2.3:a:cjson_project:cjson:1.7.18:*:*:*:*:*:*:*.
> Is 'cjson_project:cjson' still in use ?
Ahh, no idea - just saw Debian pushing a security update for this.
The CPE was added by:
commit 7edfc478ea16a78b98a1e8172b6de3e3abed989e
Author: Heiko Thiery <heiko.thiery@gmail.com>
Date: Thu Jan 21 14:36:42 2021 +0100
package/cjson: set CJSON_CPE_ID_VALID
cpe:2.3:a:cjson_project:cjson is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cjson
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
And that URL indeed now only shows the davegamble:cjson entries. Care to
send a patch to update the CPE info?
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH] package/cjson: security bump to version 1.7.19
From: Julien Olivain via buildroot @ 2025-09-16 18:53 UTC (permalink / raw)
To: Peter Korsgaard; +Cc: buildroot
On 16/09/2025 11:31, Peter Korsgaard wrote:
> Fixes the following security issue:
>
> CVE-2025-57052: cJSON 1.5.0 through 1.7.18 allows out-of-bounds access
> via
> the decode_array_index_from_pointer function in cJSON_Utils.c, allowing
> remote attackers to bypass array bounds checking and access restricted
> data
> via malformed JSON pointer strings containing alphanumeric characters
>
> https://nvd.nist.gov/vuln/detail/CVE-2025-57052
> https://x-0r.com/posts/cJSON-Array-Index-Parsing-Vulnerability
> https://github.com/DaveGamble/cJSON/commit/74e1ff4994aa4139126967f6d289b675b4b36fef
> https://github.com/DaveGamble/cJSON/releases/tag/v1.7.19
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to master, thanks.
* Re: [Buildroot] [PATCH] package/cjson: security bump to version 1.7.19
From: Thomas Perale via buildroot @ 2025-09-25 20:16 UTC (permalink / raw)
To: Peter Korsgaard; +Cc: Thomas Perale, buildroot
In reply to:
> Fixes the following security issue:
>
> CVE-2025-57052: cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via
> the decode_array_index_from_pointer function in cJSON_Utils.c, allowing
> remote attackers to bypass array bounds checking and access restricted data
> via malformed JSON pointer strings containing alphanumeric characters
>
> https://nvd.nist.gov/vuln/detail/CVE-2025-57052
> https://x-0r.com/posts/cJSON-Array-Index-Parsing-Vulnerability
> https://github.com/DaveGamble/cJSON/commit/74e1ff4994aa4139126967f6d289b675b4b36fef
> https://github.com/DaveGamble/cJSON/releases/tag/v1.7.19
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to 2025.02.x, 2025.05.x & 2025.08.x. Thanks.
> ---
> package/cjson/0001-make_compatible_with_cmake_4.0.patch | 4 +++-
> package/cjson/cjson.hash | 2 +-
> package/cjson/cjson.mk | 2 +-
> 3 files changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/package/cjson/0001-make_compatible_with_cmake_4.0.patch b/package/cjson/0001-make_compatible_with_cmake_4.0.patch
> index 1fe5cd43ef..684773e4da 100644
> --- a/package/cjson/0001-make_compatible_with_cmake_4.0.patch
> +++ b/package/cjson/0001-make_compatible_with_cmake_4.0.patch
> @@ -16,6 +16,8 @@ CMake Error at CMakeLists.txt:2 (cmake_minimum_required):
> This change raises the minimum required CMake version to 3.5 and thus makes the project compatible with CMake 4.0
>
> Signed-off-by: Benoît Monin <benoit.monin@bootlin.com>
> +Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> +Peter: update for 1.7.19
> Upstream: https://github.com/DaveGamble/cJSON/pull/935
> ---
> CMakeLists.txt | 2 +-
> @@ -31,4 +33,4 @@ index 36a6cb57..9428da58 100644
> +cmake_minimum_required(VERSION 3.5)
>
> project(cJSON
> - VERSION 1.7.18
> + VERSION 1.7.19
> diff --git a/package/cjson/cjson.hash b/package/cjson/cjson.hash
> index e07ae0f7bf..a876ffafe8 100644
> --- a/package/cjson/cjson.hash
> +++ b/package/cjson/cjson.hash
> @@ -1,3 +1,3 @@
> # Locally computed:
> -sha256 3aa806844a03442c00769b83e99970be70fbef03735ff898f4811dd03b9f5ee5 cjson-1.7.18.tar.gz
> +sha256 7fa616e3046edfa7a28a32d5f9eacfd23f92900fe1f8ccd988c1662f30454562 cjson-1.7.19.tar.gz
> sha256 a36dda207c36db5818729c54e7ad4e8b0c6fba847491ba64f372c1a2037b6d5c LICENSE
> diff --git a/package/cjson/cjson.mk b/package/cjson/cjson.mk
> index 35304ec618..e0320770cb 100644
> --- a/package/cjson/cjson.mk
> +++ b/package/cjson/cjson.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -CJSON_VERSION = 1.7.18
> +CJSON_VERSION = 1.7.19
> CJSON_SITE = $(call github,DaveGamble,cjson,v$(CJSON_VERSION))
> CJSON_INSTALL_STAGING = YES
> CJSON_LICENSE = MIT
> --
> 2.39.5
>