Your message dated Sat, 09 Nov 2024 10:51:02 +0000 with message-id <b0a29248bc631362ed06a8879f93b8cdae5414d0.ca...@adam-barratt.org.uk> and subject line Closing bugs released with 12.8 has caused the Debian Bug report #1074088, regarding bookworm-pu: package cjson/1.7.15-1+deb12u2 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1074088: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074088 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: release.debian.org Control: affects -1 + src:cjson X-Debbugs-Cc: cj...@packages.debian.org User: release.debian....@packages.debian.org Usertags: pu Tags: bookworm Severity: normal [ Reason ] CVE-2024-31755 [ Impact ] Segmentation violation via the cJSON_SetValuestring function. If the valuestring passed to cJSON_SetValuestring is NULL, a null pointer dereference will happen, which can potentially cause denial of service (DOS). [ Tests ] Upstream's tests continue to pass, no new tests were added since this is a trivial change. [ Risks ] Minimal risk as the patch is trivial and only changes 1 line to fix this security issue. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] * Backport patch to add NULL check to cJSON_SetValuestring (CVE-2024-31755) (Closes: #1071742) [ Other info ] Security team have marked it no-dsa. -- Maytham Alsudany Debian Maintainer maytham @ OFTC maytha8 @ Liberadiff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog --- cjson-1.7.15/debian/changelog 2024-04-09 09:30:29.000000000 +0800 +++ cjson-1.7.15/debian/changelog 2024-06-23 14:27:41.000000000 +0800 @@ -1,3 +1,11 @@ +cjson (1.7.15-1+deb12u2) bookworm; urgency=medium + + * Non-maintainer upload. + * Backport patch to add NULL check to cJSON_SetValuestring (CVE-2024-31755) + (Closes: #1071742) + + -- Maytham Alsudany <maytha8the...@gmail.com> Sun, 23 Jun 2024 14:27:41 +0800 + cjson (1.7.15-1+deb12u1) bookworm; urgency=medium * Non-maintainer upload. diff -Nru cjson-1.7.15/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch cjson-1.7.15/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch --- cjson-1.7.15/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch 1970-01-01 08:00:00.000000000 +0800 +++ cjson-1.7.15/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch 2024-06-23 14:27:41.000000000 +0800 @@ -0,0 +1,23 @@ +Origin: backport, https://github.com/DaveGamble/cJSON/commit/7e4d5dabe7a9b754c601f214e65b544e67ba9f59 +From: Up-wind <lj.upw...@gmail.com> +Bug: https://github.com/DaveGamble/cJSON/issues/839 +Bug-Debian: https://bugs.debian.org/1071742 +Acked-by: Maytham Alsudany <maytha8the...@gmail.com> +Subject: [PATCH] Add NULL check to cJSON_SetValuestring() + If the valuestring passed to cJSON_SetValuestring is NULL, a null pointer + dereference will happen. This patch adds the NULL check of valuestring before + it is dereferenced. + . + Fix for CVE-2024-31755. + +--- a/cJSON.c ++++ b/cJSON.c +@@ -406,7 +406,7 @@ CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring) + return NULL; + } + /* return NULL if the object is corrupted */ +- if (object->valuestring == NULL) ++ if (object->valuestring == NULL || valuestring == NULL) + { + return NULL; + } diff -Nru cjson-1.7.15/debian/patches/series cjson-1.7.15/debian/patches/series --- cjson-1.7.15/debian/patches/series 2024-04-09 09:29:47.000000000 +0800 +++ cjson-1.7.15/debian/patches/series 2024-06-23 14:27:41.000000000 +0800 @@ -1 +1,2 @@ 0001-add-null-checkings.patch +0002-add-null-check-to-cjson-setvaluestring.patch
signature.asc
Description: This is a digitally signed message part
--- End Message ---
--- Begin Message ---Source: release.debian.org Version: 12.8 Hi, Each of the updates tracked by these bugs was included in today's 12.8 bookworm point release. Regards, Adam
--- End Message ---
