new file mode 100644
@@ -0,0 +1,24 @@
+From da22ae6541584068f8169315274016920da11d8b Mon Sep 17 00:00:00 2001
+From: Marc <34656315+MarcT512@users.noreply.github.com>
+Date: Fri, 7 Aug 2020 10:49:45 +0100
+Subject: [PATCH] Fix read past end of buffer
+
+Resolves https://github.com/json-c/json-c/issues/654
+---
+ apps/json_parse.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/apps/json_parse.c b/apps/json_parse.c
+index bba4622..72b31a8 100644
+--- a/apps/json_parse.c
++++ b/apps/json_parse.c
+@@ -82,7 +82,8 @@ static int parseit(int fd, int (*callback)(struct json_object *))
+ int parse_end = json_tokener_get_parse_end(tok);
+ if (obj == NULL && jerr != json_tokener_continue)
+ {
+- char *aterr = &buf[start_pos + parse_end];
++ char *aterr = (start_pos + parse_end < sizeof(buf)) ?
++ &buf[start_pos + parse_end] : "";
+ fflush(stdout);
+ int fail_offset = total_read - ret + start_pos + parse_end;
+ fprintf(stderr, "Failed at offset %d: %s %c\n", fail_offset,
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=de54b60fbbc35123ba193fea8ee216f2"
SRC_URI = " \
https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz \
file://run-ptest \
+ file://CVE-2021-32292.patch \
"
SRC_URI[sha256sum] = "b8d80a1ddb718b3ba7492916237bbf86609e9709fb007e7f7d4322f02341a4c6"
This is a read past end of buffer issue in the json_parse test app, which can happened with malformed json data. It's not an issue with the library itself. For what ever reason this CVE has a base score of 9.8. Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-32292 Upstream issue: https://github.com/json-c/json-c/issues/654 The CVE is fixed with version 0.16 (which is already in all active branches of poky). Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> --- .../json-c/json-c/CVE-2021-32292.patch | 24 +++++++++++++++++++ meta/recipes-devtools/json-c/json-c_0.15.bb | 1 + 2 files changed, 25 insertions(+) create mode 100644 meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch