diff --git a/backport-CVE-2025-57052.patch b/backport-CVE-2025-57052.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7577888b001efe3837e1740797ae2bfc53110743
--- /dev/null
+++ b/backport-CVE-2025-57052.patch
@@ -0,0 +1,23 @@
+From 74e1ff4994aa4139126967f6d289b675b4b36fef Mon Sep 17 00:00:00 2001
+From: Lee
+Date: Fri, 5 Sep 2025 14:53:20 +0800
+Subject: [PATCH] fix the incorrect check in decode_array_index_from_pointer
+ (#957)
+
+this fixes CVE-2025-57052
+---
+ cJSON_Utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cJSON_Utils.c b/cJSON_Utils.c
+index 63651dfb..8fa24f8e 100644
+--- a/cJSON_Utils.c
++++ b/cJSON_Utils.c
+@@ -282,7 +282,7 @@ static cJSON_bool decode_array_index_from_pointer(const unsigned char * const po
+ return 0;
+ }
+
+- for (position = 0; (pointer[position] >= '0') && (pointer[0] <= '9'); position++)
++ for (position = 0; (pointer[position] >= '0') && (pointer[position] <= '9'); position++)
+ {
+ parsed_index = (10 * parsed_index) + (size_t)(pointer[position] - '0');
diff --git a/cjson.spec b/cjson.spec
index 7f2571a1e16ed644383a4c671bb703c634bcac8d..af825eb103697df211028edb0feddb643c3a9c40 100644
--- a/cjson.spec
+++ b/cjson.spec
@@ -1,6 +1,6 @@
 Name: cjson
 Version: 1.7.18
-Release: 4
+Release: 5
 Summary: Ultralightweight JSON parser in ANSI C
 
 License: MIT
@@ -8,6 +8,7 @@ URL: https://github.com/DaveGamble/cJSON
 Source0: https://github.com/DaveGamble/cJSON/archive/refs/tags/v%{version}.tar.gz
 Patch0: cJSON-1.7.18-port-to-newer-cmake.patch
 Patch0001: backport-CVE-2023-26819.patch
+Patch0002: backport-CVE-2025-57052.patch
 
 BuildRequires: gcc
 BuildRequires: cmake
@@ -46,6 +47,9 @@ developing applications that use cJSON.
 %{_includedir}/cjson/
 
 %changelog
+* Mon Sep 29 2025 zhangpan - 1.7.18-5
+- Fix CVE-2025-57052
+
 * Tue Aug 05 2025 zhangpan - 1.7.18-4
 - Fix CVE-2023-26819
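Review bot: The accumulation `parsed_index = (10 * parsed_index) + (size_t)(pointer[position] - '0');` inside the corrected loop still has no overflow guard, so a long enough run of digits wraps `size_t` and produces an index other than the one the JSON pointer names. The corrected condition now stops the loop at the first non-digit, but it does not bound the number of digits. A guard placed before the multiplication would reject such input: `if (parsed_index > ((size_t)-1 - (size_t)(pointer[position] - '0')) / 10) { return 0; }`. The body of decode_array_index_from_pointer begins and ends outside this hunk, so whether a later check or the callers already bound the index cannot be confirmed from here. A regression test with a pointer such as a digit followed by a letter would pin the behaviour this backport fixes.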
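Review bot: The added `Patch0002: backport-CVE-2025-57052.patch` line only declares the patch; whether it is actually applied depends on the `%prep` section, which is outside these hunks. If `%prep` uses explicit per-patch `%patch` lines rather than `%autosetup -p1` or `%autopatch`, the package would build and ship 1.7.18-5 with a changelog claiming the fix while the code stays unpatched. It is worth confirming from the build log that the patch is applied to `cJSON_Utils.c`.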