Buildroot Archive on lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH] package/cjson: security bump to version 1.7.19
@ 2025-09-16  9:31 Peter Korsgaard
  2025-09-16 13:51 ` Thomas Perale via buildroot
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Peter Korsgaard @ 2025-09-16  9:31 UTC (permalink / raw)
  To: buildroot

Fixes the following security issue:

CVE-2025-57052: cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via
the decode_array_index_from_pointer function in cJSON_Utils.c, allowing
remote attackers to bypass array bounds checking and access restricted data
via malformed JSON pointer strings containing alphanumeric characters

https://nvd.nist.gov/vuln/detail/CVE-2025-57052
https://x-0r.com/posts/cJSON-Array-Index-Parsing-Vulnerability
https://github.com/DaveGamble/cJSON/commit/74e1ff4994aa4139126967f6d289b675b4b36fef
https://github.com/DaveGamble/cJSON/releases/tag/v1.7.19

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/cjson/0001-make_compatible_with_cmake_4.0.patch | 4 +++-
 package/cjson/cjson.hash                                | 2 +-
 package/cjson/cjson.mk                                  | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/package/cjson/0001-make_compatible_with_cmake_4.0.patch b/package/cjson/0001-make_compatible_with_cmake_4.0.patch
index 1fe5cd43ef..684773e4da 100644
--- a/package/cjson/0001-make_compatible_with_cmake_4.0.patch
+++ b/package/cjson/0001-make_compatible_with_cmake_4.0.patch
@@ -16,6 +16,8 @@ CMake Error at CMakeLists.txt:2 (cmake_minimum_required):
 This change raises the minimum required CMake version to 3.5 and thus makes the project compatible with CMake 4.0
 
 Signed-off-by: Benoît Monin <benoit.monin@bootlin.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+Peter: update for 1.7.19
 Upstream: https://github.com/DaveGamble/cJSON/pull/935
 ---
  CMakeLists.txt | 2 +-
@@ -31,4 +33,4 @@ index 36a6cb57..9428da58 100644
 +cmake_minimum_required(VERSION 3.5)
  
  project(cJSON
-     VERSION 1.7.18
+     VERSION 1.7.19
diff --git a/package/cjson/cjson.hash b/package/cjson/cjson.hash
index e07ae0f7bf..a876ffafe8 100644
--- a/package/cjson/cjson.hash
+++ b/package/cjson/cjson.hash
@@ -1,3 +1,3 @@
 # Locally computed:
-sha256  3aa806844a03442c00769b83e99970be70fbef03735ff898f4811dd03b9f5ee5  cjson-1.7.18.tar.gz
+sha256  7fa616e3046edfa7a28a32d5f9eacfd23f92900fe1f8ccd988c1662f30454562  cjson-1.7.19.tar.gz
 sha256  a36dda207c36db5818729c54e7ad4e8b0c6fba847491ba64f372c1a2037b6d5c  LICENSE
diff --git a/package/cjson/cjson.mk b/package/cjson/cjson.mk
index 35304ec618..e0320770cb 100644
--- a/package/cjson/cjson.mk
+++ b/package/cjson/cjson.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-CJSON_VERSION = 1.7.18
+CJSON_VERSION = 1.7.19
 CJSON_SITE = $(call github,DaveGamble,cjson,v$(CJSON_VERSION))
 CJSON_INSTALL_STAGING = YES
 CJSON_LICENSE = MIT
-- 
2.39.5

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-09-25 20:16 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-09-16  9:31 [Buildroot] [PATCH] package/cjson: security bump to version 1.7.19 Peter Korsgaard
2025-09-16 13:51 ` Thomas Perale via buildroot
2025-09-16 14:06   ` Peter Korsgaard
2025-09-16 18:53 ` Julien Olivain via buildroot
2025-09-25 20:16 ` Thomas Perale via buildroot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox