Hi,

Disclaimer: this is not an authoritative answer, as I'm not part of the stable release managers.
On Mon, Apr 08, 2024 at 12:27:50PM +0300, Maytham Alsudany wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian....@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: cj...@packages.debian.org
> Control: affects -1 + src:cjson
>
> [ Reason ]
> CVE-2023-50472, CVE-2023-50471
>
> [ Impact ]
> Segmentation violation via the function cJSON_InsertItemInArray at cJSON.c
>
> [ Tests ]
> Upstream's tests continue to pass, and they have also added new tests to
> cover this security issue.
>
> [ Risks ]
> Minimal, no change to API. Only minimal changes were made to fix this
> security issue.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> - Set myself as Maintainer (I am adopting the package, #1067510)
> - Bump Standards-Version to 4.6.2
> - Add Build-Depends-Package to symbols
> - Backport upstream's patch to 'add NULL checkings'.
> Upstream adds a few more if statements to avoid the segmentation
> fault, and thus resolve the security vulnerability.
>
> [ Other info ]
> If you can spare the time, could you please upload this for me? (I need
> a sponsor, #1068624.) I'm also still waiting for someone to give me
> access to the Salsa repo.
>
> Thanks,
> Maytham

> diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog
> --- cjson-1.7.15/debian/changelog 2021-08-29 23:30:06.000000000 +0300
> +++ cjson-1.7.15/debian/changelog 2024-04-03 06:57:10.000000000 +0300
> @@ -1,3 +1,13 @@
> +cjson (1.7.15-1+deb12u1) bookworm-security; urgency=medium

The target distribution should be simply bookworm.

> +
> + * Update Maintainer field
> + * Bump Standards-Version to 4.6.2 (no changes)

This is usually not allowed in a stable update.

> + * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471)
> + (Closes: #1059287)
> + * Add Build-Depends-Package to symbols

While this might be sensible, I'm not sure if SRM will accept it.

So you might want to adjust the things above already and seek an ack from SRM.

Regards,
Salvatore
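Review bot: The changelog entry "+ * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471)" does not say which upstream change was backported, so a reviewer of this stable update cannot tie the two CVE identifiers to a specific upstream fix from the changelog alone; name the upstream commit or pull request in the entry (e.g. "Backport upstream patch <upstream commit id, placeholder> to add NULL checks") and make sure the patch under debian/patches carries matching DEP-3 Origin and Bug headers. Separately, the hunk header "@@ -1,3 +1,13 @@" announces ten added lines but only seven "+" lines are quoted, so the changelog trailer (" -- Maintainer <email>  date") is not visible here; double-check in the actual debdiff that it is present and that the maintainer and date in it are consistent with the "Update Maintainer field" entry in the same stanza.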