Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 722150 (CVE-2020-12762) - <dev-libs/json-c-0.14-r2: Multiple vulnerabilities (CVE-2020-12762)
Summary: <dev-libs/json-c-0.14-r2: Multiple vulnerabilities (CVE-2020-12762)
Status: RESOLVED FIXED
Alias: CVE-2020-12762
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/json-c/json-c/pull...
Whiteboard: A3 [glsa+ cve]
Keywords: CC-ARCHES, PullRequest
Depends on: 721388 723232 723294 723480 724358 730420
Blocks:
  Show dependency tree
 
Reported: 2020-05-10 14:39 UTC by Sam James
Modified: 2020-08-31 01:38 UTC (History)
2 users (show)

See Also:
Package list:
dev-libs/json-c-0.14-r3
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James gentoo-dev Security 2020-05-10 14:39:26 UTC
Description:
"json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend."
Comment 1 Sam James gentoo-dev Security 2020-05-12 15:15:58 UTC
@maintainer(s), please apply the provided patch
Comment 2 Jakov Smolic 2020-05-12 15:18:41 UTC
I just did it few minutes ago :) 
Here is the opened pull request: https://github.com/gentoo/gentoo/pull/15767
Comment 3 Sam James gentoo-dev Security 2020-05-12 15:19:33 UTC
(In reply to Jakov Smolic from comment #2)
> I just did it few minutes ago :) 
> Here is the opened pull request: https://github.com/gentoo/gentoo/pull/15767

Ah, perfect, the bot hadn't put the link here yet! :)
Comment 4 Larry the Git Cow gentoo-dev 2020-05-14 21:43:44 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bff018bc9e26a181b25250edd90192b22736fd02

commit bff018bc9e26a181b25250edd90192b22736fd02
Author:     Jakov Smolic <jakov.smolic@sartura.hr>
AuthorDate: 2020-05-12 14:58:39 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-05-14 21:43:36 +0000

    dev-libs/json-c: fix security vulnerabilities
    
    Prevent integer overflow and out of boundary write on malicious input.
    
    Closes: https://bugs.gentoo.org/722150
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>
    Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
    Closes: https://github.com/gentoo/gentoo/pull/15767
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../json-c/files/json-c-0.14_security-fix.patch    | 155 +++++++++++++++++++++
 dev-libs/json-c/json-c-0.14-r2.ebuild              |  53 +++++++
 2 files changed, 208 insertions(+)
Comment 5 Agostino Sarubbo gentoo-dev 2020-05-15 10:18:56 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-05-15 10:29:04 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-05-15 10:30:06 UTC
s390 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-05-15 10:30:34 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-05-15 11:46:10 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-05-15 11:46:50 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-05-15 11:47:48 UTC
ppc64 stable
Comment 12 David 2020-05-15 11:55:56 UTC
This broke sys-fs/cryptsetup see #723232
Comment 13 Rolf Eike Beer 2020-05-15 19:09:46 UTC
hppa stable
Comment 14 Frank Krömmelbein 2020-05-15 21:24:34 UTC
This broke stable sys-auth/ykpers see #723294
Comment 15 Francois Chenier 2020-05-15 22:21:05 UTC
media-sound/pianobar-2019.02.14 segfault after successful login to Pandora network with that patch. The issue remains there even if I recompile pianobar.

Pianobar just work fine with dev-libs/json-c-0.14-r1
Comment 16 Sam James gentoo-dev Security 2020-05-15 22:42:37 UTC
(In reply to Francois Chenier from comment #15)
> media-sound/pianobar-2019.02.14 segfault after successful login to Pandora
> network with that patch.

Please file a new bug and link it here.
Comment 17 Francois Chenier 2020-05-19 00:19:20 UTC
(In reply to Sam James (sec padawan) from comment #16)
> (In reply to Francois Chenier from comment #15)
> > media-sound/pianobar-2019.02.14 segfault after successful login to Pandora
> > network with that patch.
> 
> Please file a new bug and link it here.

No need to file a bug for pianobar. json-c-0.14-r3 with object-limitation.patch fixed the issue observed.
Comment 18 NATTkA bot gentoo-dev 2020-05-19 10:00:37 UTC
Unable to check for sanity:

> no match for package: dev-libs/json-c-0.14-r2
Comment 19 Sam James gentoo-dev Security 2020-05-20 15:54:03 UTC
arm64 stable.

@maintainer(s), please cleanup
Comment 20 Jakov Smolic 2020-05-20 16:03:30 UTC
I believe @Whissi already did the cleanup
Comment 21 Sam James gentoo-dev Security 2020-05-20 16:04:31 UTC
(In reply to Jakov Smolic from comment #20)
> I believe @Whissi already did the cleanup

That was just for the broken versions (0.14-r1, 0.14-r2), it seems
Comment 22 Jakov Smolic 2020-05-20 16:12:10 UTC
(In reply to Sam James (sec padawan) from comment #21)
> (In reply to Jakov Smolic from comment #20)
> > I believe @Whissi already did the cleanup
> 
> That was just for the broken versions (0.14-r1, 0.14-r2), it seems

Sorry, do you mean by cleanup drop all older verions as well or? :)
Comment 23 Sam James gentoo-dev Security 2020-05-20 16:14:09 UTC
(In reply to Jakov Smolic from comment #22)
> (In reply to Sam James (sec padawan) from comment #21)
> > (In reply to Jakov Smolic from comment #20)
> > > I believe @Whissi already did the cleanup
> > 
> > That was just for the broken versions (0.14-r1, 0.14-r2), it seems
> 
> Sorry, do you mean by cleanup drop all older verions as well or? :)

No need for apologies! I'd rather people ask :)
Yeah, please drop all older versions now because they are vulnerable.
Comment 24 Jakov Smolic 2020-05-20 16:16:14 UTC
(In reply to Sam James (sec padawan) from comment #23)
> (In reply to Jakov Smolic from comment #22)
> > (In reply to Sam James (sec padawan) from comment #21)
> > > (In reply to Jakov Smolic from comment #20)
> > > > I believe @Whissi already did the cleanup
> > > 
> > > That was just for the broken versions (0.14-r1, 0.14-r2), it seems
> > 
> > Sorry, do you mean by cleanup drop all older verions as well or? :)
> 
> No need for apologies! I'd rather people ask :)
> Yeah, please drop all older versions now because they are vulnerable.

Thanks, I like to ask just to make sure :)
Hmm, as I can see right now, net-libs/libhubbub-0.3.5-r1 depends on <dev-libs/json-c-0.13
Comment 25 Jakov Smolic 2020-05-20 19:02:07 UTC
It seems that there are some QA problems due to old ebuils being removed. I've opened up a new keywording request.
Comment 26 GLSAMaker/CVETool Bot gentoo-dev 2020-06-15 15:44:50 UTC
This issue was resolved and addressed in
 GLSA 202006-13 at https://security.gentoo.org/glsa/202006-13
by GLSA coordinator Aaron Bauman (b-man).
Comment 27 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2020-06-15 15:45:25 UTC
re-opened for cleanup
Comment 28 Larry the Git Cow gentoo-dev 2020-08-30 23:33:54 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64b400382afdbff8b60d4f9726ffd3bcee6e628e

commit 64b400382afdbff8b60d4f9726ffd3bcee6e628e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-30 23:33:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-30 23:33:16 +0000

    dev-libs/json-c: security cleanup
    
    Closes: https://bugs.gentoo.org/722150
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/json-c/Manifest                |  2 --
 dev-libs/json-c/json-c-0.12.ebuild      | 40 ------------------------------
 dev-libs/json-c/json-c-0.13.1-r1.ebuild | 43 ---------------------------------
 3 files changed, 85 deletions(-)