* [Buildroot] [PATCH] package/cjson: security bump to version 1.7.19
@ 2025-09-16 9:31 Peter Korsgaard
2025-09-16 13:51 ` Thomas Perale via buildroot
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Peter Korsgaard @ 2025-09-16 9:31 UTC (permalink / raw)
To: buildroot
Fixes the following security issue:
CVE-2025-57052: cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via
the decode_array_index_from_pointer function in cJSON_Utils.c, allowing
remote attackers to bypass array bounds checking and access restricted data
via malformed JSON pointer strings containing alphanumeric characters
https://nvd.nist.gov/vuln/detail/CVE-2025-57052
https://x-0r.com/posts/cJSON-Array-Index-Parsing-Vulnerability
https://github.com/DaveGamble/cJSON/commit/74e1ff4994aa4139126967f6d289b675b4b36fef
https://github.com/DaveGamble/cJSON/releases/tag/v1.7.19
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/cjson/0001-make_compatible_with_cmake_4.0.patch | 4 +++-
package/cjson/cjson.hash | 2 +-
package/cjson/cjson.mk | 2 +-
3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/package/cjson/0001-make_compatible_with_cmake_4.0.patch b/package/cjson/0001-make_compatible_with_cmake_4.0.patch
index 1fe5cd43ef..684773e4da 100644
--- a/package/cjson/0001-make_compatible_with_cmake_4.0.patch
+++ b/package/cjson/0001-make_compatible_with_cmake_4.0.patch
@@ -16,6 +16,8 @@ CMake Error at CMakeLists.txt:2 (cmake_minimum_required):
This change raises the minimum required CMake version to 3.5 and thus makes the project compatible with CMake 4.0
Signed-off-by: Benoît Monin <benoit.monin@bootlin.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+Peter: update for 1.7.19
Upstream: https://github.com/DaveGamble/cJSON/pull/935
---
CMakeLists.txt | 2 +-
@@ -31,4 +33,4 @@ index 36a6cb57..9428da58 100644
+cmake_minimum_required(VERSION 3.5)
project(cJSON
- VERSION 1.7.18
+ VERSION 1.7.19
diff --git a/package/cjson/cjson.hash b/package/cjson/cjson.hash
index e07ae0f7bf..a876ffafe8 100644
--- a/package/cjson/cjson.hash
+++ b/package/cjson/cjson.hash
@@ -1,3 +1,3 @@
# Locally computed:
-sha256 3aa806844a03442c00769b83e99970be70fbef03735ff898f4811dd03b9f5ee5 cjson-1.7.18.tar.gz
+sha256 7fa616e3046edfa7a28a32d5f9eacfd23f92900fe1f8ccd988c1662f30454562 cjson-1.7.19.tar.gz
sha256 a36dda207c36db5818729c54e7ad4e8b0c6fba847491ba64f372c1a2037b6d5c LICENSE
diff --git a/package/cjson/cjson.mk b/package/cjson/cjson.mk
index 35304ec618..e0320770cb 100644
--- a/package/cjson/cjson.mk
+++ b/package/cjson/cjson.mk
@@ -4,7 +4,7 @@
#
################################################################################
-CJSON_VERSION = 1.7.18
+CJSON_VERSION = 1.7.19
CJSON_SITE = $(call github,DaveGamble,cjson,v$(CJSON_VERSION))
CJSON_INSTALL_STAGING = YES
CJSON_LICENSE = MIT
--
2.39.5
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH] package/cjson: security bump to version 1.7.19
2025-09-16 9:31 [Buildroot] [PATCH] package/cjson: security bump to version 1.7.19 Peter Korsgaard
@ 2025-09-16 13:51 ` Thomas Perale via buildroot
2025-09-16 14:06 ` Peter Korsgaard
2025-09-16 18:53 ` Julien Olivain via buildroot
2025-09-25 20:16 ` Thomas Perale via buildroot
2 siblings, 1 reply; 5+ messages in thread
From: Thomas Perale via buildroot @ 2025-09-16 13:51 UTC (permalink / raw)
To: Peter Korsgaard; +Cc: Thomas Perale, buildroot
Hi Peter,
In reply of:
> Fixes the following security issue:
>
> CVE-2025-57052: cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via
> the decode_array_index_from_pointer function in cJSON_Utils.c, allowing
> remote attackers to bypass array bounds checking and access restricted data
> via malformed JSON pointer strings containing alphanumeric characters
>
> https://nvd.nist.gov/vuln/detail/CVE-2025-57052
> https://x-0r.com/posts/cJSON-Array-Index-Parsing-Vulnerability
> https://github.com/DaveGamble/cJSON/commit/74e1ff4994aa4139126967f6d289b675b4b36fef
> https://github.com/DaveGamble/cJSON/releases/tag/v1.7.19
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
I see the CPE reported on NVD for this CVE is the following
cpe:2.3:a:davegamble:cjson:1.7.18:*:*:*:*:*:*:* while the one present in
Buildroot is cpe:2.3:a:cjson_project:cjson:1.7.18:*:*:*:*:*:*:*.
Is 'cjson_project:cjson' still in use ?
Regards,
PERALE Thomas
> ---
> package/cjson/0001-make_compatible_with_cmake_4.0.patch | 4 +++-
> package/cjson/cjson.hash | 2 +-
> package/cjson/cjson.mk | 2 +-
> 3 files changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/package/cjson/0001-make_compatible_with_cmake_4.0.patch b/package/cjson/0001-make_compatible_with_cmake_4.0.patch
> index 1fe5cd43ef..684773e4da 100644
> --- a/package/cjson/0001-make_compatible_with_cmake_4.0.patch
> +++ b/package/cjson/0001-make_compatible_with_cmake_4.0.patch
> @@ -16,6 +16,8 @@ CMake Error at CMakeLists.txt:2 (cmake_minimum_required):
> This change raises the minimum required CMake version to 3.5 and thus makes the project compatible with CMake 4.0
>
> Signed-off-by: Benoît Monin <benoit.monin@bootlin.com>
> +Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> +Peter: update for 1.7.19
> Upstream: https://github.com/DaveGamble/cJSON/pull/935
> ---
> CMakeLists.txt | 2 +-
> @@ -31,4 +33,4 @@ index 36a6cb57..9428da58 100644
> +cmake_minimum_required(VERSION 3.5)
>
> project(cJSON
> - VERSION 1.7.18
> + VERSION 1.7.19
> diff --git a/package/cjson/cjson.hash b/package/cjson/cjson.hash
> index e07ae0f7bf..a876ffafe8 100644
> --- a/package/cjson/cjson.hash
> +++ b/package/cjson/cjson.hash
> @@ -1,3 +1,3 @@
> # Locally computed:
> -sha256 3aa806844a03442c00769b83e99970be70fbef03735ff898f4811dd03b9f5ee5 cjson-1.7.18.tar.gz
> +sha256 7fa616e3046edfa7a28a32d5f9eacfd23f92900fe1f8ccd988c1662f30454562 cjson-1.7.19.tar.gz
> sha256 a36dda207c36db5818729c54e7ad4e8b0c6fba847491ba64f372c1a2037b6d5c LICENSE
> diff --git a/package/cjson/cjson.mk b/package/cjson/cjson.mk
> index 35304ec618..e0320770cb 100644
> --- a/package/cjson/cjson.mk
> +++ b/package/cjson/cjson.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -CJSON_VERSION = 1.7.18
> +CJSON_VERSION = 1.7.19
> CJSON_SITE = $(call github,DaveGamble,cjson,v$(CJSON_VERSION))
> CJSON_INSTALL_STAGING = YES
> CJSON_LICENSE = MIT
> --
> 2.39.5
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH] package/cjson: security bump to version 1.7.19
2025-09-16 13:51 ` Thomas Perale via buildroot
@ 2025-09-16 14:06 ` Peter Korsgaard
0 siblings, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2025-09-16 14:06 UTC (permalink / raw)
To: Thomas Perale; +Cc: buildroot
>>>>> "Thomas" == Thomas Perale <thomas.perale@mind.be> writes:
> Hi Peter,
> In reply of:
>> Fixes the following security issue:
>>
>> CVE-2025-57052: cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via
>> the decode_array_index_from_pointer function in cJSON_Utils.c, allowing
>> remote attackers to bypass array bounds checking and access restricted data
>> via malformed JSON pointer strings containing alphanumeric characters
>>
>> https://nvd.nist.gov/vuln/detail/CVE-2025-57052
>> https://x-0r.com/posts/cJSON-Array-Index-Parsing-Vulnerability
>> https://github.com/DaveGamble/cJSON/commit/74e1ff4994aa4139126967f6d289b675b4b36fef
>> https://github.com/DaveGamble/cJSON/releases/tag/v1.7.19
>>
>> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> I see the CPE reported on NVD for this CVE is the following
> cpe:2.3:a:davegamble:cjson:1.7.18:*:*:*:*:*:*:* while the one present in
> Buildroot is cpe:2.3:a:cjson_project:cjson:1.7.18:*:*:*:*:*:*:*.
> Is 'cjson_project:cjson' still in use ?
Ahh, no idea - Just saw Debian pushing a security update for this.
The CPE was added by:
commit 7edfc478ea16a78b98a1e8172b6de3e3abed989e
Author: Heiko Thiery <heiko.thiery@gmail.com>
Date: Thu Jan 21 14:36:42 2021 +0100
package/cjson: set CJSON_CPE_ID_VALID
cpe:2.3:a:cjson_project:cjson is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cjson
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
And that URL indeed now only shows the davegamble:cjson entries. Care to
send a patch to update the CPE info?
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH] package/cjson: security bump to version 1.7.19
2025-09-16 9:31 [Buildroot] [PATCH] package/cjson: security bump to version 1.7.19 Peter Korsgaard
2025-09-16 13:51 ` Thomas Perale via buildroot
@ 2025-09-16 18:53 ` Julien Olivain via buildroot
2025-09-25 20:16 ` Thomas Perale via buildroot
2 siblings, 0 replies; 5+ messages in thread
From: Julien Olivain via buildroot @ 2025-09-16 18:53 UTC (permalink / raw)
To: Peter Korsgaard; +Cc: buildroot
On 16/09/2025 11:31, Peter Korsgaard wrote:
> Fixes the following security issue:
>
> CVE-2025-57052: cJSON 1.5.0 through 1.7.18 allows out-of-bounds access
> via
> the decode_array_index_from_pointer function in cJSON_Utils.c, allowing
> remote attackers to bypass array bounds checking and access restricted
> data
> via malformed JSON pointer strings containing alphanumeric characters
>
> https://nvd.nist.gov/vuln/detail/CVE-2025-57052
> https://x-0r.com/posts/cJSON-Array-Index-Parsing-Vulnerability
> https://github.com/DaveGamble/cJSON/commit/74e1ff4994aa4139126967f6d289b675b4b36fef
> https://github.com/DaveGamble/cJSON/releases/tag/v1.7.19
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to master, thanks.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH] package/cjson: security bump to version 1.7.19
2025-09-16 9:31 [Buildroot] [PATCH] package/cjson: security bump to version 1.7.19 Peter Korsgaard
2025-09-16 13:51 ` Thomas Perale via buildroot
2025-09-16 18:53 ` Julien Olivain via buildroot
@ 2025-09-25 20:16 ` Thomas Perale via buildroot
2 siblings, 0 replies; 5+ messages in thread
From: Thomas Perale via buildroot @ 2025-09-25 20:16 UTC (permalink / raw)
To: Peter Korsgaard; +Cc: Thomas Perale, buildroot
In reply of:
> Fixes the following security issue:
>
> CVE-2025-57052: cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via
> the decode_array_index_from_pointer function in cJSON_Utils.c, allowing
> remote attackers to bypass array bounds checking and access restricted data
> via malformed JSON pointer strings containing alphanumeric characters
>
> https://nvd.nist.gov/vuln/detail/CVE-2025-57052
> https://x-0r.com/posts/cJSON-Array-Index-Parsing-Vulnerability
> https://github.com/DaveGamble/cJSON/commit/74e1ff4994aa4139126967f6d289b675b4b36fef
> https://github.com/DaveGamble/cJSON/releases/tag/v1.7.19
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to 2025.02.x, 2025.05.x & 2025.08.x. Thanks
> ---
> package/cjson/0001-make_compatible_with_cmake_4.0.patch | 4 +++-
> package/cjson/cjson.hash | 2 +-
> package/cjson/cjson.mk | 2 +-
> 3 files changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/package/cjson/0001-make_compatible_with_cmake_4.0.patch b/package/cjson/0001-make_compatible_with_cmake_4.0.patch
> index 1fe5cd43ef..684773e4da 100644
> --- a/package/cjson/0001-make_compatible_with_cmake_4.0.patch
> +++ b/package/cjson/0001-make_compatible_with_cmake_4.0.patch
> @@ -16,6 +16,8 @@ CMake Error at CMakeLists.txt:2 (cmake_minimum_required):
> This change raises the minimum required CMake version to 3.5 and thus makes the project compatible with CMake 4.0
>
> Signed-off-by: Benoît Monin <benoit.monin@bootlin.com>
> +Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> +Peter: update for 1.7.19
> Upstream: https://github.com/DaveGamble/cJSON/pull/935
> ---
> CMakeLists.txt | 2 +-
> @@ -31,4 +33,4 @@ index 36a6cb57..9428da58 100644
> +cmake_minimum_required(VERSION 3.5)
>
> project(cJSON
> - VERSION 1.7.18
> + VERSION 1.7.19
> diff --git a/package/cjson/cjson.hash b/package/cjson/cjson.hash
> index e07ae0f7bf..a876ffafe8 100644
> --- a/package/cjson/cjson.hash
> +++ b/package/cjson/cjson.hash
> @@ -1,3 +1,3 @@
> # Locally computed:
> -sha256 3aa806844a03442c00769b83e99970be70fbef03735ff898f4811dd03b9f5ee5 cjson-1.7.18.tar.gz
> +sha256 7fa616e3046edfa7a28a32d5f9eacfd23f92900fe1f8ccd988c1662f30454562 cjson-1.7.19.tar.gz
> sha256 a36dda207c36db5818729c54e7ad4e8b0c6fba847491ba64f372c1a2037b6d5c LICENSE
> diff --git a/package/cjson/cjson.mk b/package/cjson/cjson.mk
> index 35304ec618..e0320770cb 100644
> --- a/package/cjson/cjson.mk
> +++ b/package/cjson/cjson.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -CJSON_VERSION = 1.7.18
> +CJSON_VERSION = 1.7.19
> CJSON_SITE = $(call github,DaveGamble,cjson,v$(CJSON_VERSION))
> CJSON_INSTALL_STAGING = YES
> CJSON_LICENSE = MIT
> --
> 2.39.5
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-09-25 20:16 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-09-16 9:31 [Buildroot] [PATCH] package/cjson: security bump to version 1.7.19 Peter Korsgaard
2025-09-16 13:51 ` Thomas Perale via buildroot
2025-09-16 14:06 ` Peter Korsgaard
2025-09-16 18:53 ` Julien Olivain via buildroot
2025-09-25 20:16 ` Thomas Perale via buildroot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox