Fedora has issued an advisory on April 23: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EO4XCUTY3ZMVW4YBG6DBYVS5NSMNP6JY/ The problem is fixed in version 1.7.17 or with the following commit: https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8
Source RPM: (none) => cjson-1.7.15-2.mga9.src.rpm
CVE: (none) => CVE-2023-50471, CVE-2023-50472
Status comment: (none) => Fixed upstream in 1.7.17 and patch available from upstream
We have had v1.7.17 in Cauldron for some time (thanks to Stig). It needs porting to M9. Assigning to Stig
Assignee: bugsquad => smelror
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_InsertItemInArray at cJSON.c. (CVE-2023-50471)

cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_SetValuestring at cJSON.c. (CVE-2023-50472)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EO4XCUTY3ZMVW4YBG6DBYVS5NSMNP6JY/
========================

Updated packages in core/updates_testing:
========================

lib(64)cjson1-1.7.15-2.1.mga9
lib(64)cjson-devel-1.7.15-2.1.mga9

from SRPM:
cjson-1.7.15-2.1.mga9.src.rpm
Status: NEW => ASSIGNED
Assignee: smelror => qa-bugs
Status comment: Fixed upstream in 1.7.17 and patch available from upstream => (none)
Keywords: (none) => advisory
RH mageia 9 x86_64

LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/*.rpm
installing lib64cjson-devel-1.7.15-2.1.mga9.x86_64.rpm lib64cjson1-1.7.15-2.1.mga9.x86_64.rpm from /home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/2: lib64cjson1 ##################################################################################################
2/2: lib64cjson-devel ##################################################################################################

LC_ALL=C urpme lib64cjson1 lib64cjson-devel
removing lib64cjson-devel-1.7.15-2.1.mga9.x86_64 lib64cjson1-1.7.15-2.1.mga9.x86_64
removing package lib64cjson-devel-1.7.15-2.1.mga9.x86_64
1/2: removing lib64cjson-devel-1.7.15-2.1.mga9.x86_64 ##################################################################################################
removing package lib64cjson1-1.7.15-2.1.mga9.x86_64
2/2: removing lib64cjson1-1.7.15-2.1.mga9.x86_64 ##################################################################################################
CC: (none) => andrewsfarm
No previous rounds of these packages, test install/uninstall.
MGA9-64 Plasma Wayland on HP-Pavilion. No installation issues. This is developer's stuff, so as asked above, confirm that installing/uninstalling does not apparently harm the system. OK to go.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0156.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED