Summary: | <dev-libs/json-c-0.12 : hash collision DoS and buffer overflow (CVE-2013-{6370,6371}) | ||||||
---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> | ||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | minor | CC: | ganastasiouGR, hwoarang, pgsql-bugs | ||||
Priority: | Normal | ||||||
Version: | unspecified | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
URL: | http://www.openwall.com/lists/oss-security/2014/04/09/9 | ||||||
Whiteboard: | B3 [noglsa] | ||||||
Package list: | Runtime testing required: | --- | |||||
Bug Depends on: | 588434 | ||||||
Bug Blocks: | 396397 | ||||||
Attachments: |
|
Description
Agostino Sarubbo
2014-04-09 08:37:09 UTC
I just pushed 0.12 which fixes the problem. Please wait for a proper rdep test before you stabilize it Created attachment 374996 [details]
rsyslog cannot be built using json-c-0.12
Please check if you have the same build errors for rsyslog, because using json-c-0.11-r1 i don't have any errors.
(In reply to shad0VV from comment #2) > Created attachment 374996 [details] > rsyslog cannot be built using json-c-0.12 > > Please check if you have the same build errors for rsyslog, because using > json-c-0.11-r1 i don't have any errors. You need to open a separate bug. This one is for tracking the json-c security problem CVE-2013-6371 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6371): The hash functionality in json-c before 0.12 allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted JSON data, involving collisions. CVE-2013-6370 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6370): Buffer overflow in the printbuf APIs in json-c before 0.12 allows remote attackers to cause a denial of service via unspecified vectors. @maintainer, can we proceed with a stabilization request? @maintainer, any reason this is still in a waiting status? Please let us know if we can call for stabilization, thanks. maintainer timeout. Calling for stabilization: =dev-libs/json-c-0.12 amd64 stable Stable for HPPA PPC64. ppc stable arm stable x86 stable alpha stable @arches, please finalize stabilization. sparc stable ia64 stable. Maintainer(s), please cleanup. Security, please vote. equery d -a dev-libs/json-c * These packages depend on dev-libs/json-c: dev-db/postgis-2.1.1 (<dev-libs/json-c-0.11) @pgsql, can we request stabilization on >dev-db/postgis-2.1.1 in another bug? |