Summary: | <dev-libs/json-c-0.14-r2: Multiple vulnerabilities (CVE-2020-12762) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | jsmolic, luka.perkov |
Priority: | Normal | Keywords: | CC-ARCHES, PullRequest |
Version: | unspecified | Flags: | nattka: sanity-check+ |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://github.com/json-c/json-c/pull/592 | | |
See Also: | https://github.com/gentoo/gentoo/pull/15767 https://github.com/gentoo/gentoo/pull/15894 | | |
Whiteboard: | A3 [glsa+ cve] | | |
Package list: | dev-libs/json-c-0.14-r3 | | |
Runtime testing required: | --- | | |
Bug Depends on: | 721388, 723232, 723294, 723480, 724358, 730420 | | |
Bug Blocks: | | | |
Description
Sam James
2020-05-10 14:39:26 UTC
@maintainer(s), please apply the provided patch

I just did it a few minutes ago :)
Here is the opened pull request: https://github.com/gentoo/gentoo/pull/15767

(In reply to Jakov Smolic from comment #2)
> I just did it a few minutes ago :)
> Here is the opened pull request: https://github.com/gentoo/gentoo/pull/15767

Ah, perfect, the bot hadn't put the link here yet! :)

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bff018bc9e26a181b25250edd90192b22736fd02

commit bff018bc9e26a181b25250edd90192b22736fd02
Author:     Jakov Smolic <jakov.smolic@sartura.hr>
AuthorDate: 2020-05-12 14:58:39 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-05-14 21:43:36 +0000

    dev-libs/json-c: fix security vulnerabilities

    Prevent integer overflow and out of boundary write on malicious input.

    Closes: https://bugs.gentoo.org/722150
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>
    Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
    Closes: https://github.com/gentoo/gentoo/pull/15767
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../json-c/files/json-c-0.14_security-fix.patch | 155 +++++++++++++++++++++
 dev-libs/json-c/json-c-0.14-r2.ebuild           |  53 +++++++
 2 files changed, 208 insertions(+)

x86 stable

amd64 stable

s390 stable

sparc stable

arm stable

ppc stable

ppc64 stable

This broke sys-fs/cryptsetup see #723232

hppa stable

This broke stable sys-auth/ykpers see #723294

media-sound/pianobar-2019.02.14 segfaults after successful login to Pandora network with that patch. The issue remains there even if I recompile pianobar. Pianobar just works fine with dev-libs/json-c-0.14-r1

(In reply to Francois Chenier from comment #15)
> media-sound/pianobar-2019.02.14 segfaults after successful login to Pandora
> network with that patch.

Please file a new bug and link it here.

(In reply to Sam James (sec padawan) from comment #16)
> (In reply to Francois Chenier from comment #15)
> > media-sound/pianobar-2019.02.14 segfaults after successful login to Pandora
> > network with that patch.
>
> Please file a new bug and link it here.

No need to file a bug for pianobar. json-c-0.14-r3 with object-limitation.patch fixed the issue observed.

Unable to check for sanity:

> no match for package: dev-libs/json-c-0.14-r2

arm64 stable.

@maintainer(s), please cleanup

I believe @Whissi already did the cleanup

(In reply to Jakov Smolic from comment #20)
> I believe @Whissi already did the cleanup

That was just for the broken versions (0.14-r1, 0.14-r2), it seems

(In reply to Sam James (sec padawan) from comment #21)
> (In reply to Jakov Smolic from comment #20)
> > I believe @Whissi already did the cleanup
>
> That was just for the broken versions (0.14-r1, 0.14-r2), it seems

Sorry, do you mean by cleanup drop all older versions as well or? :)

(In reply to Jakov Smolic from comment #22)
> (In reply to Sam James (sec padawan) from comment #21)
> > (In reply to Jakov Smolic from comment #20)
> > > I believe @Whissi already did the cleanup
> >
> > That was just for the broken versions (0.14-r1, 0.14-r2), it seems
>
> Sorry, do you mean by cleanup drop all older versions as well or? :)

No need for apologies! I'd rather people ask :)

Yeah, please drop all older versions now because they are vulnerable.

(In reply to Sam James (sec padawan) from comment #23)
> (In reply to Jakov Smolic from comment #22)
> > (In reply to Sam James (sec padawan) from comment #21)
> > > (In reply to Jakov Smolic from comment #20)
> > > > I believe @Whissi already did the cleanup
> > >
> > > That was just for the broken versions (0.14-r1, 0.14-r2), it seems
> >
> > Sorry, do you mean by cleanup drop all older versions as well or? :)
>
> No need for apologies! I'd rather people ask :)
> Yeah, please drop all older versions now because they are vulnerable.

Thanks, I like to ask just to make sure :)

Hmm, as I can see right now, net-libs/libhubbub-0.3.5-r1 depends on <dev-libs/json-c-0.13

It seems that there are some QA problems due to old ebuilds being removed. I've opened up a new keywording request.

This issue was resolved and addressed in GLSA 202006-13 at https://security.gentoo.org/glsa/202006-13 by GLSA coordinator Aaron Bauman (b-man).

re-opened for cleanup

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64b400382afdbff8b60d4f9726ffd3bcee6e628e

commit 64b400382afdbff8b60d4f9726ffd3bcee6e628e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-30 23:33:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-30 23:33:16 +0000

    dev-libs/json-c: security cleanup

    Closes: https://bugs.gentoo.org/722150
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/json-c/Manifest                | 2 --
 dev-libs/json-c/json-c-0.12.ebuild      | 40 ------------------------------
 dev-libs/json-c/json-c-0.13.1-r1.ebuild | 43 ---------------------------------
 3 files changed, 85 deletions(-)