Package: libcjson1
Version: 1.7.10-1.1
Severity: normal
Tags: patch

Dear Maintainer,

Version 1.7.10-1.1 is the most recent version on stable, so many users depend on it.

The last release included a patch for CVE-2019-11835 (issue #338 on upstream). However, this patch introduced a bug in the patched function cJSON_Minify (issue #354 on upstream). There is a (potential) infinite loop in the relevant function.

The issue has been fixed in commit 08d2bc766a82cd75764d036f9efef444590d1cf9. The fix is included in newer releases, so it is included on Debian testing.

I request to patch this issue on stable. The fix is very small (only two lines of code).

Thanks for your help.

-- System Information:
Debian Release: 10.6
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-7-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libcjson1 depends on:
ii  libc6  2.30-4

libcjson1 recommends no packages.

libcjson1 suggests no packages.

-- no debconf information