Debian Bug report logs -
#823238
jansson: CVE-2016-4425: stack exhaustion parsing a JSON file
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 2 May 2016 15:45:14 UTC
Severity: important
Tags: fixed-upstream, security, upstream
Found in versions jansson/2.7-1, jansson/2.3.1-2
Fixed in versions jansson/2.3.1-2+deb7u1, jansson/2.7-5, jansson/2.7-1+deb8u1
Done: Alessandro Ghedini <ghedo@debian.org>
Bug is archived. No further changes may be made.
Forwarded to https://github.com/akheron/jansson/issues/282
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Alessandro Ghedini <ghedo@debian.org>:
Bug#823238; Package src:jansson.
(Mon, 02 May 2016 15:45:18 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Alessandro Ghedini <ghedo@debian.org>.
(Mon, 02 May 2016 15:45:18 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: jansson
Version: 2.7-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/akheron/jansson/issues/282
Hi,
the following vulnerability was published for jansson.
CVE-2016-4425[0]:
stack exhaustion parsing a JSON file
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-4425
[1] https://github.com/akheron/jansson/issues/282
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Added tag(s) fixed-upstream.
Request was from bts-link-upstream@lists.alioth.debian.org
to control@bugs.debian.org.
(Thu, 05 May 2016 17:57:04 GMT) (full text, mbox, link).
Marked as found in versions jansson/2.3.1-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 13 May 2016 19:39:06 GMT) (full text, mbox, link).
Marked as fixed in versions jansson/2.3.1-2+deb7u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 13 May 2016 19:39:07 GMT) (full text, mbox, link).
Reply sent
to Alessandro Ghedini <ghedo@debian.org>:
You have taken responsibility.
(Sat, 14 May 2016 16:21:27 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 14 May 2016 16:21:28 GMT) (full text, mbox, link).
Message #16 received at 823238-close@bugs.debian.org (full text, mbox, reply):
Source: jansson
Source-Version: 2.7-5
We believe that the bug you reported is fixed in the latest version of
jansson, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 823238@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alessandro Ghedini <ghedo@debian.org> (supplier of updated jansson package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 14 May 2016 16:45:26 +0100
Source: jansson
Binary: libjansson4 libjansson-dev libjansson-doc
Architecture: source amd64 all
Version: 2.7-5
Distribution: unstable
Urgency: high
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Alessandro Ghedini <ghedo@debian.org>
Description:
libjansson-dev - C library for encoding, decoding and manipulating JSON data (dev)
libjansson-doc - C library for encoding, decoding and manipulating JSON data (doc)
libjansson4 - C library for encoding, decoding and manipulating JSON data
Closes: 823238
Changes:
jansson (2.7-5) unstable; urgency=high
.
* Bump Standards-Version to 3.9.8 (no changes needed)
* Fix stack exhaustion when parsing JSON as per CVE-2016-4425
(Closes: #823238)
Checksums-Sha1:
fc9c6ec19d590be7a11ca10af22405d42e13b10e 2000 jansson_2.7-5.dsc
7950c7e1578efaecd1eada8a4df4f1b5e518a149 5536 jansson_2.7-5.debian.tar.xz
82d41c79db5d5b6965fd51bb7d78030aa9288776 28748 libjansson-dev_2.7-5_amd64.deb
945c78ffe8f6f659b1bff019304d1c1770cf7485 71924 libjansson-doc_2.7-5_all.deb
021a4b2d6e649aa38b409c746c9e8d0d9fca23c8 54454 libjansson4-dbgsym_2.7-5_amd64.deb
60baf73e1566f578210a37a520a05d57e90ae7d3 27840 libjansson4_2.7-5_amd64.deb
Checksums-Sha256:
d89013302986f3acf3e90230b3bae0b34a537a5335fef825ee28619a32815f90 2000 jansson_2.7-5.dsc
a918640b891e26ace3fa30a0d4ebac8e6c77db24709d6c1cac1d1d0a45589d66 5536 jansson_2.7-5.debian.tar.xz
0ec703b93eac5dbddbc898204412e45c61de1f77fb0efee5171f53e6c08fbba5 28748 libjansson-dev_2.7-5_amd64.deb
58f113627664466d6be0706b2df61ab2465278ba0aa40b205b1cc71d291e3046 71924 libjansson-doc_2.7-5_all.deb
ce742c817954e2c768e55950f391ce9c25db15eb434bdab7f34356f700e7ea81 54454 libjansson4-dbgsym_2.7-5_amd64.deb
91a788b637a60d526b254333e8375fca96701a79a1e84e7cbef2fa2338183d5c 27840 libjansson4_2.7-5_amd64.deb
Files:
d9e95903ef862f86abd7ad106a1baa84 2000 libs optional jansson_2.7-5.dsc
2f9db1ccfa8bbab89a68f050b368e4a4 5536 libs optional jansson_2.7-5.debian.tar.xz
c880115a8882f25f0030d00780a4d467 28748 libdevel optional libjansson-dev_2.7-5_amd64.deb
2eaeb76a29b504528a4026313fbbf380 71924 doc optional libjansson-doc_2.7-5_all.deb
c5d90d0964e3e56ae6387e8d90e88310 54454 debug extra libjansson4-dbgsym_2.7-5_amd64.deb
c0bfce79761cc0ba769936eadd477686 27840 libs optional libjansson4_2.7-5_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCgAGBQJXN0k2AAoJEK+lG9bN5XPLqQcP/2mgCPVCHaIyiCkOueVjNjZ9
M1lGkrj+A9Xx7mEZegTiOzMV7Poo1AiGPpsNMDSOIJG70wVFMI7fD5WvmbeJPAoc
pzvv7EV4e2cr1jsm8PJLzwYM2RwKd4rCh09utmIgKFhc8ZWR4bkM0DcWOMJE7RnR
nPyqdJ+rc62aXNCKJUHo28nk//QPrnBhYijSEPLpSFQnV32bk08st8i9kQe9pvH2
8+ut7OB2WMnlG1sl2r3TntXVOr8qTo8ax8mX56K83/9BScpEN56Od3LgB2y9ldw2
zkJLH8DbpzVRHsrGpl4C/6Rs+HAorZei3uGmVtRLwEVxnwP0mEKhI2GZXYWZKvrJ
hGztBFjRavXsqPJ8a7r8sLLYoX9tUK+uFVo5PxW8B3XrBwhsWBm+3tAji3l2CZ6H
RLRusniCZzOoWhYhkA6168CCaA4LMO5hsJgKAk/XPf0GeT2HQVlyIoIpjRMwsNu0
aLjkaPcYRph4Dq3zK4o7pR/C8HP0qtxaW/eH2Jl2A+qaqYfnvC7Tufprb/5MmJWU
OzhJJ3Ko0l4sOBS346sYxYQE/CAaLexBfLgeqVdfhITzTegAEH6pvrJFH+/ndmUO
Z3lx1se439GYwppsuqo/ueeDIp65teLwgdKi4krf5R7Xi1tRtyiva02l2RT9bgRb
Tsscu97MpPzbocZVtOKE
=jtcG
-----END PGP SIGNATURE-----
Reply sent
to Alessandro Ghedini <ghedo@debian.org>:
You have taken responsibility.
(Wed, 18 May 2016 21:51:11 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Wed, 18 May 2016 21:51:12 GMT) (full text, mbox, link).
Message #21 received at 823238-close@bugs.debian.org (full text, mbox, reply):
Source: jansson
Source-Version: 2.7-1+deb8u1
We believe that the bug you reported is fixed in the latest version of
jansson, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 823238@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alessandro Ghedini <ghedo@debian.org> (supplier of updated jansson package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 14 May 2016 16:34:22 +0100
Source: jansson
Binary: libjansson4 libjansson-dev libjansson-doc libjansson-dbg
Architecture: source amd64 all
Version: 2.7-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Alessandro Ghedini <ghedo@debian.org>
Description:
libjansson-dbg - C library for encoding, decoding and manipulating JSON data (debu
libjansson-dev - C library for encoding, decoding and manipulating JSON data (dev)
libjansson-doc - C library for encoding, decoding and manipulating JSON data (doc)
libjansson4 - C library for encoding, decoding and manipulating JSON data
Closes: 823238
Changes:
jansson (2.7-1+deb8u1) jessie-security; urgency=high
.
* Fix stack exhaustion when parsing JSON as per CVE-2016-4425
(Closes: #823238)
Checksums-Sha1:
bfed1cbaf567fe9f1b65f278d2db0dd437bf65ce 2078 jansson_2.7-1+deb8u1.dsc
7d8686d84fd46c7c28d70bf2d5e8961bc002845e 445179 jansson_2.7.orig.tar.gz
f653c0af7c2c6c2dfc9bec5c0087462378a00ae1 5452 jansson_2.7-1+deb8u1.debian.tar.xz
66cdacd4907c5e4522207335cfaf9e4f75f04132 34110 libjansson4_2.7-1+deb8u1_amd64.deb
86fce636b618f549e297beb8609852d2e6b582cb 34900 libjansson-dev_2.7-1+deb8u1_amd64.deb
e9b959c2c1aabe9f4d28e91c8f704d665ac396de 92958 libjansson-doc_2.7-1+deb8u1_all.deb
03881ff13085b6698fe8a19d41bd9e3030aafabc 63252 libjansson-dbg_2.7-1+deb8u1_amd64.deb
Checksums-Sha256:
05aa5879d2dc6509b28bd0a37006a1507fa042405f4e3ed80a5a444d6e04ad57 2078 jansson_2.7-1+deb8u1.dsc
7905e6590fb316c0ff943df3dc6a21cd81a59cff7a6d12514054c359d04d78d7 445179 jansson_2.7.orig.tar.gz
e7cc83501b8d676c7b3438a74848a9488d482184247a5558ddf4dc80dae49988 5452 jansson_2.7-1+deb8u1.debian.tar.xz
d27186d7bf7b7e9641e35e0de754db9bb66f0d1c0aba10390e4e6607786035c6 34110 libjansson4_2.7-1+deb8u1_amd64.deb
fd34950e81d32a816ed243c82f86d5f97c0135f3321cb3667dc36720b060609d 34900 libjansson-dev_2.7-1+deb8u1_amd64.deb
91c7ffc4e79491b373ca3ec697efab49b7759f350e5955841a03ed5bb8a8cbde 92958 libjansson-doc_2.7-1+deb8u1_all.deb
a40c96ec73cb7d5b25b98a9f8c828df5a6f62ccf4c3a7f38489880c773209d0e 63252 libjansson-dbg_2.7-1+deb8u1_amd64.deb
Files:
cde40bbcd2e052bfc7a0b67082458e3f 2078 libs optional jansson_2.7-1+deb8u1.dsc
3a106a465bbb77637550b422f5b262ef 445179 libs optional jansson_2.7.orig.tar.gz
f2c4451452e60c9c21a61336798bc943 5452 libs optional jansson_2.7-1+deb8u1.debian.tar.xz
1f8899aeb360b427719aae29cb4eab0f 34110 libs optional libjansson4_2.7-1+deb8u1_amd64.deb
555704558ee4966c9c621f8cf1e368f9 34900 libdevel optional libjansson-dev_2.7-1+deb8u1_amd64.deb
11a29a43c4ee3e1d643cc18b96b443c7 92958 doc optional libjansson-doc_2.7-1+deb8u1_all.deb
ecaa1564c3b4f3b42ab31773081102f1 63252 debug extra libjansson-dbg_2.7-1+deb8u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCgAGBQJXN0ZfAAoJEK+lG9bN5XPLy5kP/iIKycj6aMcGOw2Ab2WBlKC3
35O/UuInI6Vzul3qQcWLlVVT1heIBlJJeeRkeSBCetuEc7BF3eUICO1h8X34Cy3j
TuC+hsnY64saKpfsugYwbYrtCk9hgOJq+Kaq0vOEGx0E3ryzPiAb+APc5gBME+sq
l+JVsGFxlt6ZvVx27ZGZYH1j2EoDEwMD5+04yisJP/jA6je8xEsarPH5xFP3s4Fq
+KPv/VR4w5sIGan6K/CS8Z0dLncLMjypGnpGzPbZrqpIkt1rPaNrTn5WJPeFh4Z/
DNVPKUfmQNZQeczohuXYoYIuwKe1JS82mhhU9FTEsvo99x9HrO3XaFQFZGjDNBnf
f/gKVF7HIPGDrYxOOVl6By6aYQa9uClkPlCpzew5g7tq8AqvzfvSjTpPq6HKAdTP
K8BZZGQN2Tuh4NyNILREIMh4CQgPW8t4LZ1BBSCwvuCYFpq7798dX/v15Uzrnsbv
OXabjoYbVhTtTU1i13yJokJZefFkmh46VJeX/0T7Bl5uwRbV7dTQrm83O5kUy1X7
WjGKZpWdxNVrpazHPFGvqrV4cCR5yns1yX8sa9dT7yCMJH1qhnu5YwpKvs8XVaEw
/e5EYvV+B0qzctEv7nP1UrM9Bn5NrjQtWihRdyb3a4w1ufQAHwwyfyA/Njhg3sq/
OIBfwVrlijWcYybOC5ZN
=wvYd
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 16 Jun 2016 07:30:29 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:34:57 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon