Summary: | <net-misc/iperf-{3.0.12,3.1.3} - crash/remote code execution through malformed JSON command (CVE-2016-4303) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Jeroen Roovers (RETIRED) <jer> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | netmon |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/esnet/iperf/blob/master/docs/news.rst | ||
Whiteboard: | B3 [noglsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
Jeroen Roovers (RETIRED)
2016-06-10 05:41:31 UTC
amd64 stable Stable for HPPA PPC64. x86 stable ppc stable sparc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one. CVE-2016-4303 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4303): The parse_string function in cjson.c in the cJSON library mishandles UTF8/16 strings, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a non-hex character in a JSON string, which triggers a heap-based buffer overflow. As commented by upstream the ACE is theoretical. No PoC here. Lowering severity. Tree has been cleaned for some time. |