Bug#960326: json-c: CVE-2020-12762

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#960326: json-c: CVE-2020-12762
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 11 May 2020 21:55:12 +0200
Message-id: <[🔎] 158922691202.1456848.14032900298008797019.reportbug@eldamar.local>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 960326@bugs.debian.org

Source: json-c
Version: 0.13.1+dfsg-7
Severity: important
Tags: security upstream
Forwarded: https://github.com/json-c/json-c/pull/592

Hi,

The following vulnerability was published for json-c.

CVE-2020-12762[0]:
| json-c through 0.14 has an integer overflow and out-of-bounds write
| via a large JSON file, as demonstrated by printbuf_memappend.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-12762
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12762
[1] https://github.com/json-c/json-c/pull/592

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply to:

Follow-Ups:
- Bug#960326: json-c: CVE-2020-12762
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Bug#960322: mdadm: Debian 10.4-kernel 4.19.0-9 update no longer mounting mdadm array at boot
Next by Date: Processing of docbook-dsssl-doc_1.79-7_source.changes
Previous by thread: Bug#960322: marked as done (mdadm: Debian 10.4-kernel 4.19.0-9 update no longer mounting mdadm array at boot)
Next by thread: Bug#960326: json-c: CVE-2020-12762
Index(es):
- Date
- Thread