From the changelog:

* CVE-2022-31116:
  * Replace `wchar_t` string decoding implementation with a `uint32_t`-based one (#555) @JustAnotherArchivist
  * Fix handling of surrogates on decoding (#550) @JustAnotherArchivist
* CVE-2022-31117: Potential double free of buffer during string decoding @JustAnotherArchivist
* Fix memory leak on encoding errors when the buffer was resized (#549) @JustAnotherArchivist
* Integer parsing: always detect overflows (#544) @NaN-git
* Fix handling of surrogates on encoding (#530) @JustAnotherArchivist

It seems that the CVEs are not published yet.
Thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=cdd0be6e1942f6fd398390a7d40b198b4617986a

commit cdd0be6e1942f6fd398390a7d40b198b4617986a
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-03-03 10:43:37 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-03-03 10:43:59 +0000

    [ GLSA 202403-03 ] UltraJSON: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/855689
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202403-03.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)