Description: "json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend."
@maintainer(s), please apply the provided patch
I just did it a few minutes ago :) Here is the opened pull request: https://github.com/gentoo/gentoo/pull/15767
(In reply to Jakov Smolic from comment #2)
> I just did it a few minutes ago :)
> Here is the opened pull request: https://github.com/gentoo/gentoo/pull/15767

Ah, perfect, the bot hadn't put the link here yet! :)
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bff018bc9e26a181b25250edd90192b22736fd02

commit bff018bc9e26a181b25250edd90192b22736fd02
Author:     Jakov Smolic <jakov.smolic@sartura.hr>
AuthorDate: 2020-05-12 14:58:39 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-05-14 21:43:36 +0000

    dev-libs/json-c: fix security vulnerabilities

    Prevent integer overflow and out of boundary write on malicious input.

    Closes: https://bugs.gentoo.org/722150
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>
    Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
    Closes: https://github.com/gentoo/gentoo/pull/15767
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../json-c/files/json-c-0.14_security-fix.patch | 155 +++++++++++++++++++++
 dev-libs/json-c/json-c-0.14-r2.ebuild           |  53 +++++++
 2 files changed, 208 insertions(+)
x86 stable
amd64 stable
s390 stable
sparc stable
arm stable
ppc stable
ppc64 stable
This broke sys-fs/cryptsetup, see #723232
hppa stable
This broke stable sys-auth/ykpers, see #723294
media-sound/pianobar-2019.02.14 segfaults after successful login to Pandora network with that patch. The issue remains there even if I recompile pianobar. Pianobar works just fine with dev-libs/json-c-0.14-r1
(In reply to Francois Chenier from comment #15)
> media-sound/pianobar-2019.02.14 segfaults after successful login to Pandora
> network with that patch.

Please file a new bug and link it here.
(In reply to Sam James (sec padawan) from comment #16)
> (In reply to Francois Chenier from comment #15)
> > media-sound/pianobar-2019.02.14 segfaults after successful login to Pandora
> > network with that patch.
>
> Please file a new bug and link it here.

No need to file a bug for pianobar. json-c-0.14-r3 with object-limitation.patch fixed the issue observed.
Unable to check for sanity:

> no match for package: dev-libs/json-c-0.14-r2
arm64 stable. @maintainer(s), please cleanup
I believe @Whissi already did the cleanup
(In reply to Jakov Smolic from comment #20)
> I believe @Whissi already did the cleanup

That was just for the broken versions (0.14-r1, 0.14-r2), it seems
(In reply to Sam James (sec padawan) from comment #21)
> (In reply to Jakov Smolic from comment #20)
> > I believe @Whissi already did the cleanup
>
> That was just for the broken versions (0.14-r1, 0.14-r2), it seems

Sorry, do you mean by cleanup drop all older versions as well or? :)
(In reply to Jakov Smolic from comment #22)
> (In reply to Sam James (sec padawan) from comment #21)
> > (In reply to Jakov Smolic from comment #20)
> > > I believe @Whissi already did the cleanup
> >
> > That was just for the broken versions (0.14-r1, 0.14-r2), it seems
>
> Sorry, do you mean by cleanup drop all older versions as well or? :)

No need for apologies! I'd rather people ask :)
Yeah, please drop all older versions now because they are vulnerable.
(In reply to Sam James (sec padawan) from comment #23)
> (In reply to Jakov Smolic from comment #22)
> > (In reply to Sam James (sec padawan) from comment #21)
> > > (In reply to Jakov Smolic from comment #20)
> > > > I believe @Whissi already did the cleanup
> > >
> > > That was just for the broken versions (0.14-r1, 0.14-r2), it seems
> >
> > Sorry, do you mean by cleanup drop all older versions as well or? :)
>
> No need for apologies! I'd rather people ask :)
> Yeah, please drop all older versions now because they are vulnerable.

Thanks, I like to ask just to make sure :)
Hmm, as I can see right now, net-libs/libhubbub-0.3.5-r1 depends on <dev-libs/json-c-0.13
It seems that there are some QA problems due to old ebuilds being removed. I've opened up a new keywording request.
This issue was resolved and addressed in GLSA 202006-13 at https://security.gentoo.org/glsa/202006-13 by GLSA coordinator Aaron Bauman (b-man).
re-opened for cleanup
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64b400382afdbff8b60d4f9726ffd3bcee6e628e

commit 64b400382afdbff8b60d4f9726ffd3bcee6e628e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-30 23:33:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-30 23:33:16 +0000

    dev-libs/json-c: security cleanup

    Closes: https://bugs.gentoo.org/722150
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/json-c/Manifest                |  2 --
 dev-libs/json-c/json-c-0.12.ebuild      | 40 ------------------------------
 dev-libs/json-c/json-c-0.13.1-r1.ebuild | 43 ---------------------------------
 3 files changed, 85 deletions(-)