From: Peter Korsgaard <peter@korsgaard.com>
To: Thomas Perale <thomas.perale@mind.be>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/cjson: security bump to version 1.7.19
Date: Tue, 16 Sep 2025 16:06:19 +0200 [thread overview]
Message-ID: <87zfaua3vo.fsf@dell.be.48ers.dk> (raw)
In-Reply-To: <20250916135142.978443-1-thomas.perale@mind.be> (Thomas Perale's message of "Tue, 16 Sep 2025 15:51:41 +0200")
>>>>> "Thomas" == Thomas Perale <thomas.perale@mind.be> writes:
> Hi Peter,
> In reply of:
>> Fixes the following security issue:
>>
>> CVE-2025-57052: cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via
>> the decode_array_index_from_pointer function in cJSON_Utils.c, allowing
>> remote attackers to bypass array bounds checking and access restricted data
>> via malformed JSON pointer strings containing alphanumeric characters
>>
>> https://nvd.nist.gov/vuln/detail/CVE-2025-57052
>> https://x-0r.com/posts/cJSON-Array-Index-Parsing-Vulnerability
>> https://github.com/DaveGamble/cJSON/commit/74e1ff4994aa4139126967f6d289b675b4b36fef
>> https://github.com/DaveGamble/cJSON/releases/tag/v1.7.19
>>
>> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> I see the CPE reported on NVD for this CVE is the following
> cpe:2.3:a:davegamble:cjson:1.7.18:*:*:*:*:*:*:* while the one present in
> Buildroot is cpe:2.3:a:cjson_project:cjson:1.7.18:*:*:*:*:*:*:*.
> Is 'cjson_project:cjson' still in use ?
Ahh, no idea - Just saw Debian pushing a security update for this.
The CPE was added by:
commit 7edfc478ea16a78b98a1e8172b6de3e3abed989e
Author: Heiko Thiery <heiko.thiery@gmail.com>
Date: Thu Jan 21 14:36:42 2021 +0100
package/cjson: set CJSON_CPE_ID_VALID
cpe:2.3:a:cjson_project:cjson is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cjson
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
And that URL indeed now only shows the davegamble:cjson entries. Care to
send a patch to update the CPE info?
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2025-09-16 14:06 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-16 9:31 [Buildroot] [PATCH] package/cjson: security bump to version 1.7.19 Peter Korsgaard
2025-09-16 13:51 ` Thomas Perale via buildroot
2025-09-16 14:06 ` Peter Korsgaard [this message]
2025-09-16 18:53 ` Julien Olivain via buildroot
2025-09-25 20:16 ` Thomas Perale via buildroot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87zfaua3vo.fsf@dell.be.48ers.dk \
--to=peter@korsgaard.com \
--cc=buildroot@buildroot.org \
--cc=thomas.perale@mind.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox