json-c: CVE-2013-6370 CVE-2013-6371


Debian Bug report logs - #744008
json-c: CVE-2013-6370 CVE-2013-6371


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 9 Apr 2014 06:51:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Fixed in version json-c/0.11-4

Done: Ondřej Surý <ondrej@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, fabien boucher <fabien.dot.boucher@gmail.com>:
Bug#744008; Package src:json-c. (Wed, 09 Apr 2014 06:51:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, fabien boucher <fabien.dot.boucher@gmail.com>. (Wed, 09 Apr 2014 06:51:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: json-c: CVE-2013-6370 CVE-2013-6371
Date: Wed, 09 Apr 2014 08:48:08 +0200
Source: json-c
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerabilities were published for json-c.

CVE-2013-6370[0]:
buffer overflow if size_t is larger than int

CVE-2013-6371[1]:
hash collision DoS

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

The upstream patch is at [2].

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6370
    https://security-tracker.debian.org/tracker/CVE-2013-6370
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6371
    https://security-tracker.debian.org/tracker/CVE-2013-6371
[2] https://github.com/json-c/json-c/commit/64e36901a0614bf64a19bc3396469c66dcd0b015

Regards,
Salvatore
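An added example (not part of this bug report and not json-c's code) illustrating the "size_t larger than int" class behind CVE-2013-6370: a hypothetical growable buffer with an int-sized append API, showing why the usual remaining-space check alone is not enough once a length above INT_MAX has been narrowed to a negative int, and the guard that rejects negative or overflowing lengths before any size arithmetic. All names here (`appendbuf`, `append_length_ok`, and so on) are this example's own assumptions; the actual upstream fix is the commit linked at [2].

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer with an int-sized append API, modelled on the
 * pattern the report names; names are this example's, not json-c's. */
struct appendbuf { char *buf; int bpos; int size; };  /* used / allocated */
/* The narrowing behind "size_t larger than int": on two's-complement ABIs a
 * length above INT_MAX arrives in an int parameter as a negative value. */
int narrow_to_int(size_t n) { return (int)n; }
/* Flawed check alone: 'size - bpos <= len' is false for negative len, so the
 * buffer is not grown and memcpy would receive (size_t)len. 1 = would proceed. */
int flawed_check_passes(const struct appendbuf *p, int len)
{ return !(p->size - p->bpos <= len); }
/* Hardened guard: reject negative len and anything that would make
 * bpos + len + 1 overflow int, before any size arithmetic runs. */
int append_length_ok(const struct appendbuf *p, int len)
{ return len >= 0 && len <= INT_MAX - p->bpos - 1; }
static int appendbuf_extend(struct appendbuf *p, int min_size)
{
    int new_size = p->size;
    while (new_size < min_size)            /* double, but never overflow int */
        new_size = (new_size > INT_MAX / 2) ? min_size : new_size * 2;
    char *t = realloc(p->buf, (size_t)new_size);
    if (!t) return -1;
    p->buf = t; p->size = new_size;
    return 0;
}
int appendbuf_append(struct appendbuf *p, const char *src, int len)
{
    if (!append_length_ok(p, len)) return -1;            /* the added guard */
    if (p->size - p->bpos <= len && appendbuf_extend(p, p->bpos + len + 1) < 0)
        return -1;
    memcpy(p->buf + p->bpos, src, (size_t)len);
    p->bpos += len; p->buf[p->bpos] = '\0';
    return len;
}

/* Drives the API with constructed input: 5 bytes, 100 bytes that force growth,
 * then a negative length that must be rejected. Returns final bpos (105) or -1. */
int demo_append_sequence(void)
{
    char big[100]; memset(big, 'x', sizeof big);
    struct appendbuf p = { malloc(32), 0, 32 };
    if (!p.buf) return -1;
    int ok = appendbuf_append(&p, "hello", 5) == 5 && appendbuf_append(&p, big, 100) == 100
          && appendbuf_append(&p, big, -5) == -1 && memcmp(p.buf, "helloxxx", 8) == 0;
    int pos = ok ? p.bpos : -1;
    free(p.buf);
    return pos;
}
```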



Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Thu, 17 Apr 2014 10:51:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 17 Apr 2014 10:51:05 GMT)


Message #10 received at 744008-close@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: 744008-close@bugs.debian.org
Subject: Bug#744008: fixed in json-c 0.11-4
Date: Thu, 17 Apr 2014 10:48:47 +0000
Source: json-c
Source-Version: 0.11-4

We believe that the bug you reported is fixed in the latest version of
json-c, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 744008@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated json-c package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 17 Apr 2014 12:02:59 +0200
Source: json-c
Binary: libjson-c2 libjson-c-dev libjson-c2-dbg libjson-c-doc libjson0-dev libjson0
Architecture: source amd64 all
Version: 0.11-4
Distribution: unstable
Urgency: high
Maintainer: fabien boucher <fabien.dot.boucher@gmail.com>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description: 
 libjson-c-dev - JSON manipulation library - development files
 libjson-c-doc - JSON manipulation library - documentation files
 libjson-c2 - JSON manipulation library - shared library
 libjson-c2-dbg - JSON manipulation library - debug symbols
 libjson0   - JSON manipulation library (transitional package)
 libjson0-dev - JSON manipulation library (transitional package)
Closes: 744008
Changes: 
 json-c (0.11-4) unstable; urgency=low
 .
   * Add upstream patch to fix two security vulnerabilities (Closes: #744008)
     + [CVE-2013-6371]: hash collision denial of service
     + [CVE-2013-6370]: buffer overflow if size_t is larger than int
Checksums-Sha1: 
Checksums-Sha256: 
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 18 May 2014 07:25:43 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:28:12 2019; Machine Name: beach
