Version in base suite: 1.7.15-1+deb12u3 Base version: cjson_1.7.15-1+deb12u3 Target version: cjson_1.7.15-1+deb12u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/cjson/cjson_1.7.15-1+deb12u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/cjson/cjson_1.7.15-1+deb12u4.dsc changelog | 6 ++++++ patches/CVE-2025-57052.patch | 17 +++++++++++++++++ patches/series | 1 + 3 files changed, 24 insertions(+) gpgv: Signature made Fri Sep 12 21:45:38 2025 UTC gpgv: using RSA key B6E62F3D12AC38495C0DA90510C293B6C37C4E36 gpgv: Note: signatures using the SHA1 algorithm are rejected gpgv: Can't check signature: Bad public key dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpgbsdy0nx/cjson_1.7.15-1+deb12u4.dsc: no acceptable signature found diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog --- cjson-1.7.15/debian/changelog 2025-06-13 16:20:51.000000000 +0000 +++ cjson-1.7.15/debian/changelog 2025-09-11 22:15:27.000000000 +0000 @@ -1,3 +1,9 @@ +cjson (1.7.15-1+deb12u4) bookworm-security; urgency=medium + + * CVE-2025-57052 (Closes: #1114757) + + -- Moritz Mühlenhoff Fri, 12 Sep 2025 00:15:27 +0200 + cjson (1.7.15-1+deb12u3) bookworm; urgency=medium * Non-maintainer upload. diff -Nru cjson-1.7.15/debian/patches/CVE-2025-57052.patch cjson-1.7.15/debian/patches/CVE-2025-57052.patch --- cjson-1.7.15/debian/patches/CVE-2025-57052.patch 1970-01-01 00:00:00.000000000 +0000 +++ cjson-1.7.15/debian/patches/CVE-2025-57052.patch 2025-09-11 22:15:27.000000000 +0000 
@@ -0,0 +1,17 @@ +From 74e1ff4994aa4139126967f6d289b675b4b36fef Mon Sep 17 00:00:00 2001 +From: Lee +Date: Fri, 5 Sep 2025 14:53:20 +0800 +Subject: [PATCH] fix the incorrect check in decode_array_index_from_pointer + (#957) + +--- cjson-1.7.15.orig/cJSON_Utils.c ++++ cjson-1.7.15/cJSON_Utils.c +@@ -282,7 +282,7 @@ static cJSON_bool decode_array_index_fro + return 0; + } + +- for (position = 0; (pointer[position] >= '0') && (pointer[0] <= '9'); position++) ++ for (position = 0; (pointer[position] >= '0') && (pointer[position] <= '9'); position++) + { + parsed_index = (10 * parsed_index) + (size_t)(pointer[position] - '0'); + diff -Nru cjson-1.7.15/debian/patches/series cjson-1.7.15/debian/patches/series --- cjson-1.7.15/debian/patches/series 2025-06-13 16:20:51.000000000 +0000 +++ cjson-1.7.15/debian/patches/series 2025-09-11 22:15:27.000000000 +0000 @@ -2,3 +2,4 @@ 0002-add-null-check-to-cjson-setvaluestring.patch 0001-allocate-memory-for-the-temporary-buffer.patch 0002-Fix-heap-buffer-overflow.patch +CVE-2025-57052.patch
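Review bot: In the debian/changelog hunk, the entry "* CVE-2025-57052 (Closes: #1114757)" names only the identifier, so someone reading the changelog cannot tell which code path the security upload touches. Suggest adding a short description taken from the patch subject, for example that it fixes the incorrect digit check in decode_array_index_from_pointer in cJSON_Utils.c.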
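Review bot: In the cJSON_Utils.c hunk carried by debian/patches/CVE-2025-57052.patch, the loop body "parsed_index = (10 * parsed_index) + (size_t)(pointer[position] - '0');" accumulates into a size_t with no bound visible in these lines, so a long run of digits can still wrap the index even with the corrected "pointer[position] <= '9'" condition. Suggest rejecting the token before the multiplication when parsed_index exceeds (SIZE_MAX - digit) / 10, or confirming that the code following the loop already handles this. A regression test for an index token that starts with a digit and continues with a non-digit would pin down the behaviour this change corrects. The patch header also carries the upstream commit hash and "(#957)" but no Origin or Bug-Debian field, and adding those would tie it to #1114757 from the changelog.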