Bug 507218 (CVE-2013-6370) - <dev-libs/json-c-0.12 : hash collision DoS and buffer overflow (CVE-2013-{6370,6371})
Summary: <dev-libs/json-c-0.12 : hash collision DoS and buffer overflow (CVE-2013-{637...
Status: RESOLVED FIXED
Alias: CVE-2013-6370
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 588434
Blocks: hashDoS
Reported: 2014-04-09 08:37 UTC by Agostino Sarubbo
Modified: 2016-11-20 22:58 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
rsyslog cannot be built using json-c-0.12 (rsyslog.build.log,124.85 KB, text/x-log)
2014-04-15 13:13 UTC, shad0VV

Description Agostino Sarubbo gentoo-dev 2014-04-09 08:37:09 UTC
From ${URL} :

Florian Weimer of the Red Hat Product Security Team discovered two flaws
in json-c, details as follows:

1.  CVE-2013-6371 json-c: hash collision DoS

The hash function in the json-c library was weak, and parsing
smallish JSON strings showed quadratic timing behaviour.  This could
cause an application linked to the json-c library, and that processes
some specially-crafted JSON data, to use excessive amounts of CPU.

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1032311

2. CVE-2013-6370 json-c: buffer overflow if size_t is larger than int

The printbuf APIs used in the json-c library used ints for counting
buffer lengths, which is inappropriate for 32-bit architectures.  These
functions need to be changed to using size_t if possible for sizes, or
to be hardened against negative values if not.  This could be used to
cause a denial of service in an application linked to the json-c library.

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1032322


Both these issues are fixed via the following upstream commit:
https://github.com/json-c/json-c/commit/64e36901a0614bf64a19bc3396469c66dcd0b015



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
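The printbuf hardening the advisory asks for (size_t lengths, and refusing rather than wrapping a size that would overflow), as an added example in the shape of json-c's printbuf API; this is illustrative code, not json-c's own, and the function names and the 32-byte initial size are assumptions:

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical growable buffer in the shape of json-c's printbuf (added
 * example, not json-c's code). Lengths are size_t rather than int, so a
 * length above INT_MAX can never be misread as a negative count. */
struct printbuf {
    char *buf;
    size_t bpos;   /* bytes in use */
    size_t size;   /* bytes allocated */
};

int printbuf_init(struct printbuf *p) {
    p->size = 32; p->bpos = 0;
    p->buf = malloc(p->size);
    return p->buf ? 0 : -1;
}

/* Make room for `need` more bytes plus a NUL terminator. Refuses, rather
 * than wrapping, when bpos + need would overflow size_t. */
static int printbuf_extend(struct printbuf *p, size_t need) {
    if (need > SIZE_MAX - 1 - p->bpos)   /* check before the add, not after */
        return -1;
    size_t want = p->bpos + need + 1;
    if (want <= p->size)
        return 0;
    size_t new_size = p->size;
    while (new_size < want) {            /* double, capped so it cannot wrap */
        if (new_size > SIZE_MAX / 2) { new_size = want; break; }
        new_size *= 2;
    }
    char *t = realloc(p->buf, new_size);
    if (!t) return -1;
    p->buf = t;
    p->size = new_size;
    return 0;
}

/* Append len bytes; returns -1 (buffer untouched) on overflow or OOM. */
int printbuf_memappend(struct printbuf *p, const char *data, size_t len) {
    if (printbuf_extend(p, len) < 0)
        return -1;
    memcpy(p->buf + p->bpos, data, len);
    p->bpos += len;
    p->buf[p->bpos] = '\0';
    return 0;
}

void printbuf_free(struct printbuf *p) { free(p->buf); p->buf = NULL; }
```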
Comment 1 Markos Chandras (RETIRED) gentoo-dev 2014-04-12 15:42:22 UTC
I just pushed 0.12 which fixes the problem. Please wait for a proper rdep test before you stabilize it
Comment 2 shad0VV 2014-04-15 13:13:13 UTC
Created attachment 374996 [details]
rsyslog cannot be built using json-c-0.12

Please check if you have the same build errors for rsyslog, because using json-c-0.11-r1 I don't have any errors.
Comment 3 Markos Chandras (RETIRED) gentoo-dev 2014-04-16 18:50:59 UTC
(In reply to shad0VV from comment #2)
> Created attachment 374996 [details]
> rsyslog cannot be built using json-c-0.12
> 
> Please check if you have the same build errors for rsyslog, because using
> json-c-0.11-r1 I don't have any errors.

You need to open a separate bug. This one is for tracking the json-c security problem
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-08-19 23:33:19 UTC
CVE-2013-6371 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6371):
  The hash functionality in json-c before 0.12 allows context-dependent
  attackers to cause a denial of service (CPU consumption) via crafted JSON
  data, involving collisions.

CVE-2013-6370 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6370):
  Buffer overflow in the printbuf APIs in json-c before 0.12 allows remote
  attackers to cause a denial of service via unspecified vectors.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-03-05 12:36:27 UTC
@maintainer, can we proceed with a stabilization request?
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-03-14 13:25:32 UTC
@maintainer, any reason this is still in a waiting status?  Please let us know if we can call for stabilization, thanks.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-03-22 10:25:48 UTC
Maintainer timeout.  Calling for stabilization:

=dev-libs/json-c-0.12
Comment 8 Agostino Sarubbo gentoo-dev 2016-03-22 14:34:00 UTC
amd64 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-26 09:09:55 UTC
Stable for HPPA PPC64.
Comment 10 Agostino Sarubbo gentoo-dev 2016-03-27 10:16:29 UTC
ppc stable
Comment 11 Markus Meier gentoo-dev 2016-03-30 18:28:41 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2016-04-11 10:39:34 UTC
x86 stable
Comment 13 Matt Turner gentoo-dev 2016-05-02 04:02:09 UTC
alpha stable
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2016-06-06 12:01:35 UTC
@arches, please finalize stabilization.
Comment 15 Agostino Sarubbo gentoo-dev 2016-07-08 10:03:15 UTC
sparc stable
Comment 16 Agostino Sarubbo gentoo-dev 2016-07-08 12:03:25 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 17 Aaron Bauman (RETIRED) gentoo-dev 2016-07-09 02:41:41 UTC
equery d -a dev-libs/json-c
 * These packages depend on dev-libs/json-c:

dev-db/postgis-2.1.1 (<dev-libs/json-c-0.11)

@pgsql, can we request stabilization on >dev-db/postgis-2.1.1 in another bug?