New comment by rmccask on void-packages repository https://github.com/void-linux/void-packages/pull/22472#issuecomment-636538291 Comment: The patch, 2-json-c-0.14-security-fix.patch, that I copied from Gentoo fixes the CVE already. It is almost exactly like the patch committed upstream.