Hi,

The following vulnerability was published for rapidjson.

CVE-2024-38517[0]:
| Tencent RapidJSON is vulnerable to privilege escalation due to an
| integer underflow in the `GenericReader::ParseNumber()` function of
| `include/rapidjson/reader.h` when parsing JSON text from a stream.
| An attacker needs to send the victim a crafted file which needs to
| be opened; this triggers the integer underflow vulnerability (when
| the file is parsed), leading to elevation of privilege.

https://github.com/Tencent/rapidjson/pull/1261


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-38517
https://www.cve.org/CVERecord?id=CVE-2024-38517

Please adjust the affected versions in the BTS as needed.

Hello,

Bug #1083185 in rapidjson reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/rapidjson/-/commit/46a631662b10304c0dca45a98f86636babd29116

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1083185

I am uploading the attached changes as NMU.

We believe that the bug you reported is fixed in the latest version of
rapidjson, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1083185@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Germann <bage@debian.org> (supplier of updated rapidjson package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 25 Apr 2025 10:12:00 +0200
Source: rapidjson
Architecture: source
Version: 1.1.0+dfsg2-7.4
Distribution: unstable
Urgency: medium
Maintainer: Alexander GQ Gerasiov <gq@debian.org>
Changed-By: Bastian Germann <bage@debian.org>
Closes: 1083185
Changes:
 rapidjson (1.1.0+dfsg2-7.4) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix CVE-2024-38517 with upstream patch. (Closes: #1083185)
Checksums-Sha1:
 8fee8297587bc8f72c6b0e2f0de7e8814d38b718 1850 rapidjson_1.1.0+dfsg2-7.4.dsc
 ca451a5275f747926b6f83905701e430aca4b41b 15808 rapidjson_1.1.0+dfsg2-7.4.debian.tar.xz
 6d7d0d7e0c5c311aa4d8fc5a4916261cd9579078 6766 rapidjson_1.1.0+dfsg2-7.4_source.buildinfo
Checksums-Sha256:
 a4aab52f887f92d81e5fc6880224ae9659318688e18fa69c1f6010d36f304504 1850 rapidjson_1.1.0+dfsg2-7.4.dsc
 cd2f21fd109ffc827d18293ded1ae57bec7d6ff37e25564dfba9a0d9a4c7db6a 15808 rapidjson_1.1.0+dfsg2-7.4.debian.tar.xz
 b1d5dee455e9b6cf88c6bb92a3bf0588235a217e5e74345199427c3dc9655a2f 6766 rapidjson_1.1.0+dfsg2-7.4_source.buildinfo
Files:
 f69563aec8f29b79423d2c82916e1b74 1850 libs optional rapidjson_1.1.0+dfsg2-7.4.dsc
 ec4cc3ddd8bda3c2976d9c1f25869f19 15808 libs optional rapidjson_1.1.0+dfsg2-7.4.debian.tar.xz
 fab25962c0d6491a345bbbf2db5f055b 6766 libs optional rapidjson_1.1.0+dfsg2-7.4_source.buildinfo
-----BEGIN PGP SIGNATURE-----

iQHEBAEBCgAuFiEEQGIgyLhVKAI3jM5BH1x6i0VWQxQFAmgLRBsQHGJhZ2VAZGVi
aWFuLm9yZwAKCRAfXHqLRVZDFJSZC/9P3/7WTPIG2CyqigwGfOs/mdZeXzkbc3ex
4pJDTme6LvMjH+6BVVhOqAj3jjbc7LsnKDdjjPkE1gpClyimay0Wjk17lN6xI0Q1
sP3XoBU4wyeLomfZVfs5QGbtdUQvAsxJee9n5tPKWEyC+MMjqU+EczBijhDBn1l1
cnQKLd4Bx+wY5Tfzk/TguylGWJd1kFv55Yf+JhspbiNOH8a0osnGU0J0n2Cd2w4l
RAPdST2qfJc+jTb+IkXVzzwY/i60eTs8GOeVmeFFK9nWNGSLIOUDsFDpv4ODjFGZ
SFPfSSH47wJOieKfOqQbpSkbedi4bsHxSsBI7Ej29JJbFrfqCazxH0yl5vKTeb0c
6bHllnRP5FycZxQtbsex06K/ICBAiqnF3/LckkntqgTRKnoo/nWT0CLm3bD2U1Ps
5Gzvzb5bngmRUispYj+XregAux6dq+LSpCUwzqQzteBlwo0zj9R8aEQtd8rWuM33
lImzzfuMdfOj4eAIjQfTPFZ019QJi7A=
=9iXK
-----END PGP SIGNATURE-----