Описание
Security update for cJSON
This update for cJSON fixes the following issues:
- Update to version 1.7.19
- Check for NULL in cJSON_DetachItemViaPointer.
- Check overlap before calling strcpy in cJSON_SetValuestring.
- Fix Max recursion depth for cJSON_Duplicate to prevent stack exhaustion.
- Allocate memory for the temporary buffer when paring numbers. This fixes CVE-2023-26819. (bsc#1241502)
- Fix the incorrect check in decode_array_index_from_pointer. This fixes CVE-2025-57052. (bsc#1249112)
- Remove not longer needed patch for NULL to deallocated pointers.
Список пакетов
openSUSE Leap 16.0
cJSON-devel-1.7.19-160000.1.1
libcjson1-1.7.19-160000.1.1
Ссылки
- SUSE Security Ratings
- SUSE Bug 1241502
- SUSE Bug 1249112
- SUSE CVE CVE-2023-26819 page
- SUSE CVE CVE-2025-57052 page
Описание
cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as {"a": true, "b": [ null,9999999999999999999999999999999999999999999999912345678901234567]}.
Затронутые продукты
openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1
openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1
Ссылки
- CVE-2023-26819
- SUSE Bug 1241502
Описание
cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via the decode_array_index_from_pointer function in cJSON_Utils.c, allowing remote attackers to bypass array bounds checking and access restricted data via malformed JSON pointer strings containing alphanumeric characters.
Затронутые продукты
openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1
openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1
Ссылки
- CVE-2025-57052
- SUSE Bug 1249112