Source: cjson
Version: 1.7.18-4
Severity: wishlist

Dear maintainer,

just filing separately what I previously mentioned in <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112781#21>:

There is a new upstream release at <https://github.com/DaveGamble/cJSON/releases/tag/v1.7.19>, which also contains the fix for CVE-2025-57052, i.e. it fixes the incorrect check in decode_array_index_from_pointer, cf. <https://sources.debian.org/src/cjson/1.7.18-3.1%2Bdeb13u1/debian/patches/CVE-2025-57052.patch-> and <https://github.com/DaveGamble/cJSON/pull/957>.

Its list of fixes contains:

- Fix indentation (should use spaces), see #814
- Fix spelling errors found by CodeSpell, see #841
- Check for NULL in cJSON_DetachItemViaPointer, fixes #882, see #886
- Fix #881, check overlap before calling strcpy in cJSON_SetValuestring, see #885
- Fix #880 Max recursion depth for cJSON_Duplicate to prevent stack exhaustion, see #888
- Allocate memory for the temporary buffer when paring numbers, see #939
- fix the incorrect check in decode_array_index_from_pointer, see #957

Please package this when you think it is due time.

Cheers,
Flo

