From ${URL} : Florian Weimer of the Red Hat Product Security Team discovered two flaws in json-c, details as follows: 1. CVE-2013-6371 json-c: hash collision DoS The hash function in the json-c library was weak, and that parsing smallish JSON strings showed quadratic timing behaviour. This could cause an application linked to the json-c library, and that processes some specially-crafted JSON data, to use excessive amounts of CPU. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1032311 2. CVE-2013-6370 json-c: buffer overflow if size_t is larger than int The printbuf APIs used in the json-c library used ints for counting buffer lengths, which is inappropriate for 32bit architectures. These functions need to be changed to using size_t if possible for sizes, or to be hardened against negative values if not. This could be used to cause a denial of service in an application linked to the json-c library. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1032322 Both these issues are fixed via the following upstream commit: https://github.com/json-c/json-c/commit/64e36901a0614bf64a19bc3396469c66dcd0b015 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
I just pushed 0.12 which fixes the problem. Please wait for a proper rdep test before you stabilize it
Created attachment 374996 [details] rsyslog cannot be built using json-c-0.12 Please check if you have the same build errors for rsyslog, because using json-c-0.11-r1 i don't have any errors.
(In reply to shad0VV from comment #2) > Created attachment 374996 [details] > rsyslog cannot be built using json-c-0.12 > > Please check if you have the same build errors for rsyslog, because using > json-c-0.11-r1 i don't have any errors. You need to open a separate bug. This one is for tracking the json-c security problem
CVE-2013-6371 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6371): The hash functionality in json-c before 0.12 allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted JSON data, involving collisions. CVE-2013-6370 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6370): Buffer overflow in the printbuf APIs in json-c before 0.12 allows remote attackers to cause a denial of service via unspecified vectors.
@maintainer, can we proceed with a stabilization request?
@maintainer, any reason this is still in a waiting status? Please let us know if we can call for stabilization, thanks.
maintainer timeout. Calling for stabilization: =dev-libs/json-c-0.12
amd64 stable
Stable for HPPA PPC64.
ppc stable
arm stable
x86 stable
alpha stable
@arches, please finalize stabilization.
sparc stable
ia64 stable. Maintainer(s), please cleanup. Security, please vote.
equery d -a dev-libs/json-c * These packages depend on dev-libs/json-c: dev-db/postgis-2.1.1 (<dev-libs/json-c-0.11) @pgsql, can we request stabilization on >dev-db/postgis-2.1.1 in another bug?
Cleaned: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dfcb09082b4ae82718194dbf77a13fbf8eaa0bb4 https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5693aae353fabcf5a12bca571dcc8e249dad1260 GLSA Vote: No