Security update for cJSON SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:0139-1 Final 1 1 2024-05-25T08:47:48Z current 2024-05-25T08:47:48Z 2024-05-25T08:47:48Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cJSON This update for cJSON fixes the following issues: - Update to 1.7.18: * CVE-2024-31755: NULL pointer dereference via cJSON_SetValuestring() (boo#1223420) * Remove non-functional list handling of compiler flags * Fix heap buffer overflow * remove misused optimization flag -01 * Set free'd pointers to NULL whenever they are not reassigned immediately after - Update to version 1.7.17 (boo#1218098, CVE-2023-50472, boo#1218099, CVE-2023-50471): * Fix null reference in cJSON_SetValuestring (CVE-2023-50472). * Fix null reference in cJSON_InsertItemInArray (CVE-2023-50471). - Update to 1.7.16: * Add an option for ENABLE_CJSON_VERSION_SO in CMakeLists.txt * Add cmake_policy to CMakeLists.txt * Add cJSON_SetBoolValue * Add meson documentation * Fix memory leak in merge_patch * Fix conflicting target names 'uninstall' * Bump cmake version to 3.0 and use new version syntax * Print int without decimal places * Fix 'cjson_utils-static' target not exist * Add allocate check for replace_item_in_object * Fix a null pointer crash in cJSON_ReplaceItemViaPointer The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2024-139 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/36QNMKFWNRJX3XHLNGZ3DNLMLIHSRF4U/ E-Mail link for openSUSE-SU-2024:0139-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1218098 SUSE Bug 1218098 https://bugzilla.suse.com/1218099 SUSE Bug 1218099 https://bugzilla.suse.com/1223420 SUSE Bug 1223420 https://www.suse.com/security/cve/CVE-2023-50471/ SUSE CVE CVE-2023-50471 page https://www.suse.com/security/cve/CVE-2023-50472/ SUSE CVE CVE-2023-50472 page https://www.suse.com/security/cve/CVE-2024-31755/ SUSE CVE CVE-2024-31755 page SUSE Package Hub 15 SP5 openSUSE Leap 15.5 cJSON-devel-1.7.18-bp155.3.3.1 libcjson1-1.7.18-bp155.3.3.1 cJSON-devel-1.7.18-bp155.3.3.1 as a component of SUSE Package Hub 15 SP5 libcjson1-1.7.18-bp155.3.3.1 as a component of SUSE Package Hub 15 SP5 cJSON-devel-1.7.18-bp155.3.3.1 as a component of openSUSE Leap 15.5 libcjson1-1.7.18-bp155.3.3.1 as a component of openSUSE Leap 15.5 cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_InsertItemInArray at cJSON.c. CVE-2023-50471 SUSE Package Hub 15 SP5:cJSON-devel-1.7.18-bp155.3.3.1 SUSE Package Hub 15 SP5:libcjson1-1.7.18-bp155.3.3.1 openSUSE Leap 15.5:cJSON-devel-1.7.18-bp155.3.3.1 openSUSE Leap 15.5:libcjson1-1.7.18-bp155.3.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/36QNMKFWNRJX3XHLNGZ3DNLMLIHSRF4U/ https://www.suse.com/security/cve/CVE-2023-50471.html CVE-2023-50471 https://bugzilla.suse.com/1218099 SUSE Bug 1218099 cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_SetValuestring at cJSON.c. CVE-2023-50472 SUSE Package Hub 15 SP5:cJSON-devel-1.7.18-bp155.3.3.1 SUSE Package Hub 15 SP5:libcjson1-1.7.18-bp155.3.3.1 openSUSE Leap 15.5:cJSON-devel-1.7.18-bp155.3.3.1 openSUSE Leap 15.5:libcjson1-1.7.18-bp155.3.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/36QNMKFWNRJX3XHLNGZ3DNLMLIHSRF4U/ https://www.suse.com/security/cve/CVE-2023-50472.html CVE-2023-50472 https://bugzilla.suse.com/1218098 SUSE Bug 1218098 cJSON v1.7.17 was discovered to contain a segmentation violation, which can trigger through the second parameter of function cJSON_SetValuestring at cJSON.c. CVE-2024-31755 SUSE Package Hub 15 SP5:cJSON-devel-1.7.18-bp155.3.3.1 SUSE Package Hub 15 SP5:libcjson1-1.7.18-bp155.3.3.1 openSUSE Leap 15.5:cJSON-devel-1.7.18-bp155.3.3.1 openSUSE Leap 15.5:libcjson1-1.7.18-bp155.3.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/36QNMKFWNRJX3XHLNGZ3DNLMLIHSRF4U/ https://www.suse.com/security/cve/CVE-2024-31755.html CVE-2024-31755 https://bugzilla.suse.com/1223420 SUSE Bug 1223420