json-c: CVE-2013-6370 CVE-2013-6371

Bug #1311397 reported by Dimitri John Ledkov on 2014-04-23
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
json-c (Debian)
Fix Released
Unknown
json-c (Ubuntu)
Undecided
Dimitri John Ledkov

Bug Description

Imported from Debian bug http://bugs.debian.org/744008:

Source: json-c
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerabilities were published for json-c.

CVE-2013-6370[0]:
buffer overflow if size_t is larger than int

CVE-2013-6371[1]:
hash collision DoS

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

The upstream patch is at [2].

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6370
    https://security-tracker.debian.org/tracker/CVE-2013-6370
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6371
    https://security-tracker.debian.org/tracker/CVE-2013-6371
[2] https://github.com/json-c/json-c/commit/64e36901a0614bf64a19bc3396469c66dcd0b015

Regards,
Salvatore

Changed in json-c (Debian):
importance: Undecided → Unknown
status: New → Fix Released
Dimitri John Ledkov (xnox) wrote :
Changed in json-c (Ubuntu Trusty):
status: New → In Progress
assignee: nobody → Dimitri John Ledkov (xnox)
Dimitri John Ledkov (xnox) wrote :

Patch for trusty is attached, using such a version number since u-series are not open yet.

Dimitri John Ledkov (xnox) wrote :

Upstart test-suite passes.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package json-c - 0.11-4ubuntu1

---------------
json-c (0.11-4ubuntu1) utopic; urgency=medium

  * SECURITY UPDATE: denial of service via hash collision (LP: #1311397)
    - debian/patches/0001-Patch-to-address-the-following-issues.patch:
    Upstream patch to enable hash randomization.
    - CVE-2013-6371
  * SECURITY UPDATE: denial of service via buffer overflow (LP: #1311397)
    - debian/patches/0001-Patch-to-address-the-following-issues.patch:
    Upstream patch to guard against negative and maximum buffer sizes.
    - CVE-2013-6370

json-c (0.11-4) unstable; urgency=low

  * Add upstream patch to fix two security vulnerabilities (Closes: #744008)
    + [CVE-2013-6371]: hash collision denial of service
    + [CVE-2013-6370]: buffer overflow if size_t is larger than int
 -- Dimitri John Ledkov <email address hidden> Wed, 23 Apr 2014 01:12:44 +0100

Changed in json-c (Ubuntu):
status: In Progress → Fix Released
Changed in json-c (Ubuntu Trusty):
assignee: Dimitri John Ledkov (xnox) → nobody
status: In Progress → New
no longer affects: json-c (Ubuntu Precise)
no longer affects: json-c (Ubuntu Quantal)
no longer affects: json-c (Ubuntu Saucy)
no longer affects: json-c (Ubuntu Trusty)
Thomas Deutschmann (whissi) wrote :

libjson0 0.9-1ubuntu1 from Ubuntu-Server 12.04.4 LTS "Precise Pangolin" is *still* affected by this bug.

OpenSUSE seems to have fixed their json-c v0.9 package. See https://bugzilla.novell.com/show_bug.cgi?id=870147

Patch:
https://build.opensuse.org/package/view_file/openSUSE:Factory/json-c/json-c-hash-dos-and-overflow-random-seed-4e.patch

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.