json: CVE-2019-11834 CVE-2019-11835


Debian Bug report logs - #928726

Package: src:cjson; Maintainer for src:cjson is Yanhao Mo <yanhaocs@gmail.com>.

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 9 May 2019 18:03:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version cjson/1.7.10-1

Fixed in version cjson/1.7.10-1.1

Done: Gordon Ball <gordon@chronitis.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Yanhao Mo <yanhaocs@gmail.com>:
Bug#928726; Package src:cjson. (Thu, 09 May 2019 18:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Yanhao Mo <yanhaocs@gmail.com>. (Thu, 09 May 2019 18:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: json: CVE-2019-11834 CVE-2019-11835
Date: Thu, 09 May 2019 19:59:32 +0200
Source: cjson
Version: 1.7.10-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

The following vulnerabilities were published for cjson.

CVE-2019-11834[0]:
| cJSON before 1.7.11 allows out-of-bounds access, related to \x00 in a
| string literal.


CVE-2019-11835[1]:
| cJSON before 1.7.11 allows out-of-bounds access, related to multiline
| comments.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11834
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11834
    https://github.com/DaveGamble/cJSON/issues/337
[1] https://security-tracker.debian.org/tracker/CVE-2019-11835
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11835
    https://github.com/DaveGamble/cJSON/issues/338

Regards,
Salvatore



Reply sent to Gordon Ball <gordon@chronitis.net>:
You have taken responsibility. (Thu, 16 May 2019 01:06:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 16 May 2019 01:06:04 GMT)


Message #10 received at 928726-close@bugs.debian.org:

From: Gordon Ball <gordon@chronitis.net>
To: 928726-close@bugs.debian.org
Subject: Bug#928726: fixed in cjson 1.7.10-1.1
Date: Thu, 16 May 2019 01:03:36 +0000
Source: cjson
Source-Version: 1.7.10-1.1

We believe that the bug you reported is fixed in the latest version of
cjson, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928726@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gordon Ball <gordon@chronitis.net> (supplier of updated cjson package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 14 May 2019 08:52:20 +0000
Source: cjson
Binary: libcjson-dev libcjson1 libcjson1-dbgsym
Architecture: source amd64
Version: 1.7.10-1.1
Distribution: unstable
Urgency: medium
Maintainer: Yanhao Mo <yanhaocs@gmail.com>
Changed-By: Gordon Ball <gordon@chronitis.net>
Description:
 libcjson-dev - Ultralightweight JSON parser in ANSI C (development files)
 libcjson1  - Ultralightweight JSON parser in ANSI C
Closes: 928726
Changes:
 cjson (1.7.10-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Cherry pick upstream commit a43fa56a63920343d0ac8f8e73a6b0447867f459,
     which contains fixes for CVEs (Closes: #928726)
     + CVE-2019-11834
     + CVE-2019-11835



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 18 Jun 2019 07:26:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:21:52 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.