Bug 34627 - perl-Cpanel-JSON-XS new security issue CVE-2025-40929
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-09-11 13:39 CEST by Nicolas Salguero
Modified: 2025-11-13 19:04 CET

See Also:
Source RPM: perl-Cpanel-JSON-XS-4.350.0-1.mga9.src.rpm
CVE: CVE-2025-40929
Status comment:


Description Nicolas Salguero 2025-09-11 13:39:33 CEST
CVE-2025-40929: https://www.openwall.com/lists/oss-security/2025/09/08/1
Nicolas Salguero 2025-09-11 13:40:18 CEST

Status comment: (none) => Fixed upstream in 4.40 (aka 4.400.0)
Source RPM: (none) => perl-Cpanel-JSON-XS-4.350.0-1.mga9.src.rpm
CVE: (none) => CVE-2025-40929

Comment 1 Lewis Smith 2025-09-12 09:15:01 CEST
Assigning to Perl.

Assignee: bugsquad => perl

Comment 2 Nicolas Salguero 2025-11-10 14:08:14 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact. (CVE-2025-40929)

References:
https://www.openwall.com/lists/oss-security/2025/09/08/1
========================

Updated package in core/updates_testing:
========================
perl-Cpanel-JSON-XS-4.350.0-1.1.mga9

from SRPM:
perl-Cpanel-JSON-XS-4.350.0-1.1.mga9.src.rpm

Status: NEW => ASSIGNED
Assignee: perl => qa-bugs
Status comment: Fixed upstream in 4.40 (aka 4.400.0) => (none)

katnatek 2025-11-11 22:59:46 CET

Keywords: (none) => advisory

Comment 3 katnatek 2025-11-12 20:18:58 CET
LC_ALL=C urpmi perl-Cpanel-JSON-XS


    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Cpanel-JSON-XS-4.350.0-1.mga9.x86_64.rpm
installing perl-Cpanel-JSON-XS-4.350.0-1.mga9.x86_64.rpm from /var/cache/urpmi/rpms                                                   
Preparing...                     ####################################################################################################
      1/1: perl-Cpanel-JSON-XS   ####################################################################################################

Len, can you repeat the test in https://bugs.mageia.org/show_bug.cgi?id=31666 ?

CC: (none) => tarazed25

Comment 4 katnatek 2025-11-12 20:21:37 CET
Now testing the package of this bug :P

LC_ALL=C urpmi perl-Cpanel-JSON-XS


installing perl-Cpanel-JSON-XS-4.350.0-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ####################################################################################################
      1/1: perl-Cpanel-JSON-XS   ####################################################################################################
      1/1: removing perl-Cpanel-JSON-XS-4.350.0-1.mga9.x86_64
                                 ####################################################################################################

Comment 5 Herman Viaene 2025-11-13 10:27:01 CET
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Inspired by bug 31666 Comment 4, created a JSON file by making a backup of the Firefox bookmarks.
$ cpanel_json_xs <bookmarks-2025-11-13.json >testfile
$ cat testfile 
{
   "children" : [
      {
         "children" : [
            {
               "children" : [
                  {
                     "dateAdded" : 1732783820170000,
                     "guid" : "KbsAR1YzEx0W",
                     "iconUri" : "fake-favicon-uri:https://support.mozilla.org/products/firefox",
                     "id" : 8,
                     "index" : 0,
                     "lastModified" : 1732783820170000,
                     "title" : "Get Help",
                     "type" : "text/x-moz-place",
                     "typeCode" : 1,
                     "uri" : "https://support.mozilla.org/products/firefox"
                  },
                  {
                     "dateAdded" : 1732783820170000,
                     "guid" : "aXNcGR6UL8Oz",
                     "iconUri" : "fake-favicon-uri:https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-browser&utm_medium=default-bookmarks&utm_campaign=customize",
                     "id" : 9,
                     "index" : 1,
                     "lastModified" : 1732783820170000,
                     "title" : "Customize Firefox",
                     "type" : "text/x-moz-place",
                     "typeCode" : 1,
                     "uri" : "https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-browser&utm_medium=default-bookmarks&utm_campaign=customize"
                  },
                  {
                     "dateAdded" : 1732783820170000,
                     "guid" : "1fG5nkgdMegL",
                     "iconUri" : "fake-favicon-uri:https://www.mozilla.org/contribute/",
                     "id" : 10,
                     "index" : 2,
                     "lastModified" : 1732783820170000,
                     "title" : "Get Involved",
                     "type" : "text/x-moz-place",
                     "typeCode" : 1,
                     "uri" : "https://www.mozilla.org/contribute/"
                  },
                  {
                     "dateAdded" : 1732783820170000,
                     "guid" : "domwLP-MCXw6",
                     "iconUri" : "fake-favicon-uri:https://www.mozilla.org/about/",
                     "id" : 11,
                     "index" : 3,
                     "lastModified" : 1732783820170000,
                     "title" : "About Us",
                     "type" : "text/x-moz-place",
                     "typeCode" : 1,
                     "uri" : "https://www.mozilla.org/about/"
                  }
               ],
               "dateAdded" : 1732783820170000,
               "guid" : "9ufBMeKB_9L3",
               "id" : 7,
               "index" : 0,
               "lastModified" : 1732783820170000,
               "title" : "Mozilla Firefox",
               "type" : "text/x-moz-place-container",
               "typeCode" : 2
            },
            {
               "dateAdded" : 1732869082609000,
               "guid" : "09hxx1JByus7",
               "id" : 13,
               "index" : 1,
               "lastModified" : 1738593580850000,
               "title" : "Category:Testing procedures - Mageia wiki",
               "type" : "text/x-moz-place",
               "typeCode" : 1,
               "uri" : "https://wiki.mageia.org/en/Category:Testing_procedures"
            }
         ],
         "dateAdded" : 1732783816062000,
         "guid" : "menu________",
         "id" : 2,
         "index" : 0,
         "lastModified" : 1738593580850000,
         "root" : "bookmarksMenuFolder",
         "title" : "menu",
         "type" : "text/x-moz-place-container",
         "typeCode" : 2
      },
      {
         "children" : [
            {
               "dateAdded" : 1732783820462000,
               "guid" : "f_-R2GZlbTpG",
               "id" : 12,
               "index" : 0,
               "lastModified" : 1732783820462000,
               "title" : "Getting Started",
               "type" : "text/x-moz-place",
               "typeCode" : 1,
               "uri" : "https://www.mozilla.org/firefox/central/"
            }
         ],
         "dateAdded" : 1732783816062000,
         "guid" : "toolbar_____",
         "id" : 3,
         "index" : 1,
         "lastModified" : 1738593580850000,
         "root" : "toolbarFolder",
         "title" : "toolbar",
         "type" : "text/x-moz-place-container",
         "typeCode" : 2
      },
      {
         "dateAdded" : 1732783816062000,
         "guid" : "unfiled_____",
         "id" : 5,
         "index" : 3,
         "lastModified" : 1732783820062000,
         "root" : "unfiledBookmarksFolder",
         "title" : "unfiled",
         "type" : "text/x-moz-place-container",
         "typeCode" : 2
      },
      {
         "dateAdded" : 1732783816579000,
         "guid" : "mobile______",
         "id" : 6,
         "index" : 4,
         "lastModified" : 1732783820062000,
         "root" : "mobileFolder",
         "title" : "mobile",
         "type" : "text/x-moz-place-container",
         "typeCode" : 2
      }
   ],
   "dateAdded" : 1732783816062000,
   "guid" : "root________",
   "id" : 1,
   "index" : 0,
   "lastModified" : 1738593580850000,
   "root" : "placesRoot",
   "title" : "",
   "type" : "text/x-moz-place-container",
   "typeCode" : 2
}
Looks good to me, so OK.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
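
The manual check in comment 5 can be scripted so that the result does not depend on reading the output by eye. This is an added example, not part of the original bug report or of the Cpanel::JSON::XS project; the sample document and the malformed inputs are constructed, and it does not reproduce the CVE-2025-40929 trigger, which this page does not describe.

```perl
#!/usr/bin/perl
# Added example: scripted smoke test for an installed Cpanel::JSON::XS.
use strict;
use warnings;
use Test::More;
use Cpanel::JSON::XS ();

# The fixed Mageia package keeps upstream version 4.350.0 (release 1.1.mga9),
# so the module version cannot tell patched from unpatched; also check the
# installed release with `rpm -q perl-Cpanel-JSON-XS`.
diag("Cpanel::JSON::XS module version: $Cpanel::JSON::XS::VERSION");

my $json = Cpanel::JSON::XS->new->utf8->canonical->pretty;

# Constructed sample, shaped like the bookmark backup used in comment 5.
my $sample = <<'JSON';
{"children":[{"dateAdded":1732783820170000,"id":8,"index":0,
 "title":"Get Help","typeCode":1,
 "uri":"https://support.mozilla.org/products/firefox"}],
 "id":1,"root":"placesRoot","title":"","typeCode":2}
JSON

# 1. Round trip: decode, pretty-print, decode again, compare structures.
my $data   = $json->decode($sample);
my $pretty = $json->encode($data);
is_deeply($json->decode($pretty), $data, 'pretty output decodes to the same structure');
is($json->encode($json->decode($pretty)), $pretty, 'canonical output is stable');
is($data->{children}[0]{dateAdded}, 1732783820170000, 'large integer preserved');

# 2. Malformed input must raise a Perl exception; the process must survive.
my %bad = (
    'truncated object'    => '{"children":[{"id":8',
    'unterminated string' => '{"title":"Get Help',
    'trailing garbage'    => '{"id":1} x',
);
for my $name (sort keys %bad) {
    my $ok = eval { $json->decode($bad{$name}); 1 };
    ok(!$ok && $@, "$name: rejected with an error");
}

done_testing;
```

Run it with `perl` before and after the update; a run that ends with all tests passing shows the updated parser still decodes and encodes correctly and fails cleanly on bad input.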

Comment 6 Len Lawrence 2025-11-13 13:20:54 CET
In reply to katnatek in comment #3:
Sorry, have only just seen this.  I am really out of the loop these days - so much else to deal with.  QA => 1%.

Comment 7 Thomas Andrews 2025-11-13 17:25:38 CET
No worries, Len. Take care of yourself.

Thank you, Herman. Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 Mageia Robot 2025-11-13 19:04:49 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0284.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
