Ubuntu
json-c package

json-c: CVE-2013-6370 CVE-2013-6371

Bug #1311397 reported by Dimitri John Ledkov
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
json-c (Debian)
Fix Released
Unknown
json-c (Ubuntu)
Fix Released
Undecided
Dimitri John Ledkov

Bug Description

Imported from Debian bug http://bugs.debian.org/744008:

Source: json-c
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerabilities were published for json-c.

CVE-2013-6370[0]:
buffer overflow if size_t is larger than int

CVE-2013-6371[1]:
hash collision DoS

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

The upstream patch is at [2].

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6370
    https://security-tracker.debian.org/tracker/CVE-2013-6370
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6371
    https://security-tracker.debian.org/tracker/CVE-2013-6371
[2] https://github.com/json-c/json-c/commit/64e36901a0614bf64a19bc3396469c66dcd0b015

Regards,
Salvatore

Bug Watch Updater (bug-watch-updater)
Changed in json-c (Debian):
importance: Undecided → Unknown
status: New → Fix Released
Revision history for this message
Dimitri John Ledkov (xnox) wrote :
Changed in json-c (Ubuntu Trusty):
status: New → In Progress
assignee: nobody → Dimitri John Ledkov (xnox)
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Patch for trusty is attached, using such a version number since u-series are not open yet.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Upstart test-suite passes.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package json-c - 0.11-4ubuntu1

---------------
json-c (0.11-4ubuntu1) utopic; urgency=medium

  * SECURITY UPDATE: denial of service via hash collision (LP: #1311397)
    - debian/patches/0001-Patch-to-address-the-following-issues.patch:
    Upstream patch to enable hash randomization.
    - CVE-2013-6371
  * SECURITY UPDATE: denial of service via buffer overflow (LP: #1311397)
    - debian/patches/0001-Patch-to-address-the-following-issues.patch:
    Upstream patch to guard against negative and maximum buffer sizes.
    - CVE-2013-6370

json-c (0.11-4) unstable; urgency=low

  * Add upstream patch to fix two security vulnerabilities (Closes: #744008)
    + [CVE-2013-6371]: hash collision denial of service
    + [CVE-2013-6370]: buffer overflow if size_t is larger than int
 -- Dimitri John Ledkov <email address hidden> Wed, 23 Apr 2014 01:12:44 +0100

Changed in json-c (Ubuntu):
status: In Progress → Fix Released
Dimitri John Ledkov (xnox)
Changed in json-c (Ubuntu Trusty):
assignee: Dimitri John Ledkov (xnox) → nobody
status: In Progress → New
Dimitri John Ledkov (xnox)
no longer affects: json-c (Ubuntu Precise)
no longer affects: json-c (Ubuntu Quantal)
no longer affects: json-c (Ubuntu Saucy)
no longer affects: json-c (Ubuntu Trusty)
Revision history for this message
Thomas Deutschmann (whissi) wrote :

libjson0 0.9-1ubuntu1 from Ubuntu-Server 12.04.4 LTS "Precise Pangolin" is *still* affected by this bug.

OpenSUSE seems to have fixed their json-c v0.9 package. See https://bugzilla.novell.com/show_bug.cgi?id=870147

Patch:
https://build.opensuse.org/package/view_file/openSUSE:Factory/json-c/json-c-hash-dos-and-overflow-random-seed-4e.patch

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.