[Bug 1311397] Re: json-c: CVE-2013-6370 CVE-2013-6371
Thomas D.
whissi at whissi.de
Thu May 29 12:19:36 UTC 2014
libjson0 0.9-1ubuntu1 from Ubuntu-Server 12.04.4 LTS "Precise Pangolin"
is *still* affected by this bug.
OpenSUSE seems to have fixed their json-c v0.9 package. See
https://bugzilla.novell.com/show_bug.cgi?id=870147
Patch:
https://build.opensuse.org/package/view_file/openSUSE:Factory/json-c/json-c-hash-dos-and-overflow-random-seed-4e.patch
** Bug watch added: Novell/SUSE Bugzilla #870147
https://bugzilla.novell.com/show_bug.cgi?id=870147
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to json-c in Ubuntu.
https://bugs.launchpad.net/bugs/1311397
Title:
json-c: CVE-2013-6370 CVE-2013-6371
Status in “json-c” package in Ubuntu:
Fix Released
Status in “json-c” package in Debian:
Fix Released
Bug description:
Imported from Debian bug http://bugs.debian.org/744008:
Source: json-c
Severity: important
Tags: security upstream fixed-upstream
Hi,
the following vulnerabilities were published for json-c.
CVE-2013-6370[0]:
buffer overflow if size_t is larger than int
CVE-2013-6371[1]:
hash collision DoS
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
The upstream patch is at [2].
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6370
https://security-tracker.debian.org/tracker/CVE-2013-6370
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6371
https://security-tracker.debian.org/tracker/CVE-2013-6371
[2] https://github.com/json-c/json-c/commit/64e36901a0614bf64a19bc3396469c66dcd0b015
Regards,
Salvatore
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/json-c/+bug/1311397/+subscriptions
More information about the foundations-bugs
mailing list