Bug 33133

Summary: cjson new security issues CVE-2023-5047[12]
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: cjson-1.7.15-2.mga9.src.rpm CVE: CVE-2023-50471, CVE-2023-50472
Status comment:

Description Nicolas Salguero 2024-04-23 15:46:44 CEST 
Fedora has issued an advisory on April 23:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EO4XCUTY3ZMVW4YBG6DBYVS5NSMNP6JY/

The problem is fixed in version 1.7.17 or with the following commit:
https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8
Nicolas Salguero 2024-04-23 15:47:43 CEST

Source RPM: (none) => cjson-1.7.15-2.mga9.src.rpm
CVE: (none) => CVE-2023-50471, CVE-2023-50472
Status comment: (none) => Fixed upstream in 1.7.17 and patch available from upstream

Comment 1 Lewis Smith 2024-04-24 21:13:23 CEST 
We have had v1.7.17 in Cauldron for some time (thanks to Stig). It needs porting to M9. Assigning to Stig

Assignee: bugsquad => smelror

Comment 2 Nicolas Salguero 2024-04-29 13:59:04 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_InsertItemInArray at cJSON.c. (CVE-2023-50471)

cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_SetValuestring at cJSON.c. (CVE-2023-50472)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EO4XCUTY3ZMVW4YBG6DBYVS5NSMNP6JY/
========================

Updated packages in core/updates_testing:
========================
lib(64)cjson1-1.7.15-2.1.mga9
lib(64)cjson-devel-1.7.15-2.1.mga9

from SRPM:
cjson-1.7.15-2.1.mga9.src.rpm

Status: NEW => ASSIGNED
Assignee: smelror => qa-bugs
Status comment: Fixed upstream in 1.7.17 and patch available from upstream => (none)

katnatek 2024-04-29 18:37:13 CEST

Keywords: (none) => advisory

Comment 3 katnatek 2024-04-30 03:44:16 CEST 
RH mageia 9 x86_64

LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/*.rpm


installing lib64cjson-devel-1.7.15-2.1.mga9.x86_64.rpm lib64cjson1-1.7.15-2.1.mga9.x86_64.rpm from /home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: lib64cjson1           ##################################################################################################
      2/2: lib64cjson-devel      ##################################################################################################

LC_ALL=C urpme lib64cjson1 lib64cjson-devel
removing lib64cjson-devel-1.7.15-2.1.mga9.x86_64 lib64cjson1-1.7.15-2.1.mga9.x86_64
removing package lib64cjson-devel-1.7.15-2.1.mga9.x86_64
      1/2: removing lib64cjson-devel-1.7.15-2.1.mga9.x86_64
                                 ##################################################################################################
removing package lib64cjson1-1.7.15-2.1.mga9.x86_64
      2/2: removing lib64cjson1-1.7.15-2.1.mga9.x86_64
                                 ##################################################################################################
katnatek 2024-04-30 03:44:29 CEST

CC: (none) => andrewsfarm

Comment 4 katnatek 2024-04-30 03:45:20 CEST 
Not previous rounds of these packages, test install/uninstall
Comment 5 Herman Viaene 2024-04-30 14:57:33 CEST 
MGA9-64 Plasma Wayland on HP-Pavillion
No installation issues.
This is developer's stuff, so as asked above, confirm that installing/uninstalling does not apparently harm the system.
OK to go.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

Comment 6 Thomas Andrews 2024-04-30 21:55:52 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2024-05-01 00:26:03 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0156.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED