Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 501082 (CVE-2013-6401) - <dev-libs/jansson-2.7: Hash Collisions Denial of Service Vulnerabilities (CVE-2013-6401)
Summary: <dev-libs/jansson-2.7: Hash Collisions Denial of Service Vulnerabilities (CVE...
Alias: CVE-2013-6401
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on:
Blocks: hashDoS 558734
  Show dependency tree
Reported: 2014-02-12 15:31 UTC by Agostino Sarubbo
Modified: 2016-02-25 16:02 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-02-12 15:31:14 UTC
From ${URL} :


Some vulnerabilities have been reported in Jansson, which can be exploited by malicious people to cause a 
DoS (Denial of Service) of the application using the library.

The vulnerabilities are caused due to some errors when handling hash tables and can be exploited to 
exhaust CPU resources by sending a specially crafted JSON document containing a large number of parameters 
with names map to the same hash value.

The vulnerabilities are reported in version 2.4. Other versions may also be affected.

Fixed in the source code repository.

Provided and/or discovered by:
Florian Weimer, Red Hat Product Security Team

Original Advisory:
Red Hat:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Johan Bergström 2014-02-13 00:16:29 UTC
Jansson 2.6 was out the other day; much because of this bug (well, upstream). Changelog here:

As proxy, I'd recommend a verbump. Rename from 2.5 works fine for me. I'd also back a quick stabilisation round if my co-maintainer is up for it.
Comment 2 Johan Bergström 2014-02-26 07:00:26 UTC
fwiw, verbump bug here:
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 16:21:07 UTC
CVE-2013-6401 (
  Jansson, possibly 2.4 and earlier, does not restrict the ability to trigger
  hash collisions predictably, which allows context-dependent attackers to
  cause a denial of service (CPU consumption) via a crafted JSON document.
Comment 4 SpanKY gentoo-dev 2015-08-26 05:49:32 UTC
we should just stabilize 2.7 now for everyone
Comment 5 Agostino Sarubbo gentoo-dev 2015-08-26 07:14:44 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-08-26 07:15:08 UTC
x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-08-27 08:49:33 UTC
Stable for HPPA.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2015-08-27 09:28:06 UTC
Stable for PPC64.
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2015-08-30 11:49:37 UTC
Stable on alpha.
Comment 10 Markus Meier gentoo-dev 2015-09-01 15:58:30 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-09-06 08:33:31 UTC
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-09-22 09:00:14 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-10-31 16:23:51 UTC
GLSA Vote: No
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2015-11-09 21:59:18 UTC
Vote: NO.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2016-01-26 02:46:22 UTC
It has been 30 days since cleanup was requested.
Maintainer(s), please drop the vulnerable version(s).