[Bug 1311397] Re: json-c: CVE-2013-6370 CVE-2013-6371

Launchpad Bug Tracker 1311397 at bugs.launchpad.net
Sat Apr 26 06:19:54 UTC 2014 

This bug was fixed in the package json-c - 0.11-4ubuntu1

---------------
json-c (0.11-4ubuntu1) utopic; urgency=medium

  * SECURITY UPDATE: denial of service via hash collision (LP: #1311397)
    - debian/patches/0001-Patch-to-address-the-following-issues.patch:
    Upstream patch to enable hash randomization.
    - CVE-2013-6371
  * SECURITY UPDATE: denial of service via buffer overflow (LP: #1311397)
    - debian/patches/0001-Patch-to-address-the-following-issues.patch:
    Upstream patch to guard against negative and maximum buffer sizes.
    - CVE-2013-6370

json-c (0.11-4) unstable; urgency=low

  * Add upstream patch to fix two security vulnerabilities (Closes: #744008)
    + [CVE-2013-6371]: hash collision denial of service
    + [CVE-2013-6370]: buffer overflow if size_t is larger than int
 -- Dimitri John Ledkov <xnox at ubuntu.com>   Wed, 23 Apr 2014 01:12:44 +0100

** Changed in: json-c (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to json-c in Ubuntu.
https://bugs.launchpad.net/bugs/1311397

Title:
  json-c: CVE-2013-6370 CVE-2013-6371

Status in “json-c” package in Ubuntu:
  Fix Released
Status in “json-c” source package in Precise:
  New
Status in “json-c” source package in Quantal:
  New
Status in “json-c” source package in Saucy:
  New
Status in “json-c” source package in Trusty:
  In Progress
Status in “json-c” package in Debian:
  Fix Released

Bug description:
  Imported from Debian bug http://bugs.debian.org/744008:

  Source: json-c
  Severity: important
  Tags: security upstream fixed-upstream

  Hi,

  the following vulnerabilities were published for json-c.

  CVE-2013-6370[0]:
  buffer overflow if size_t is larger than int

  CVE-2013-6371[1]:
  hash collision DoS

  If you fix the vulnerabilities please also make sure to include the
  CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

  The upstream patch is at [2].

  For further information see:

  [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6370
      https://security-tracker.debian.org/tracker/CVE-2013-6370
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6371
      https://security-tracker.debian.org/tracker/CVE-2013-6371
  [2] https://github.com/json-c/json-c/commit/64e36901a0614bf64a19bc3396469c66dcd0b015

  Regards,
  Salvatore

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/json-c/+bug/1311397/+subscriptions

More information about the foundations-bugs mailing list