Your message dated Mon, 01 Jul 2024 18:02:30 +0000
with message-id <e1solme-005fxs...@fasolo.debian.org>
and subject line Bug#1071742: fixed in cjson 1.7.14-1+deb11u1
has caused the Debian Bug report #1071742,
regarding cjson: CVE-2024-31755
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1071742: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071742
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cjson
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for cjson.
CVE-2024-31755[0]:
| cJSON v1.7.17 was discovered to contain a segmentation violation,
| which can trigger through the second parameter of function
| cJSON_SetValuestring at cJSON.c.
https://github.com/DaveGamble/cJSON/issues/839
https://github.com/DaveGamble/cJSON/pull/840
https://github.com/DaveGamble/cJSON/commit/7e4d5dabe7a9b754c601f214e65b544e67ba9f59
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-31755
https://www.cve.org/CVERecord?id=CVE-2024-31755
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: cjson
Source-Version: 1.7.14-1+deb11u1
Done: Maytham Alsudany <maytha8the...@gmail.com>
We believe that the bug you reported is fixed in the latest version of
cjson, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1071...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Maytham Alsudany <maytha8the...@gmail.com> (supplier of updated cjson package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 23 Jun 2024 15:27:49 +0800
Source: cjson
Architecture: source
Version: 1.7.14-1+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Boyuan Yang <by...@debian.org>
Changed-By: Maytham Alsudany <maytha8the...@gmail.com>
Closes: 1059287 1071742
Changes:
cjson (1.7.14-1+deb11u1) bullseye; urgency=medium
.
* Non-maintainer upload.
* Backport patch to add NULL checks to cJSON_SetValuestring and
cJSON_InsertItemInArray (CVE-2023-50472, CVE-2023-50471, CVE-2024-31755)
(Closes: #1059287, #1071742)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---