Hi,

On Fri, May 15, 2020 at 10:19:42PM +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Mon, May 11, 2020 at 09:55:12PM +0200, Salvatore Bonaccorso wrote:
> > Source: json-c
> > Version: 0.13.1+dfsg-7
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://github.com/json-c/json-c/pull/592
> >
> > Hi,
> >
> > The following vulnerability was published for json-c.
> >
> > CVE-2020-12762[0]:
> > | json-c through 0.14 has an integer overflow and out-of-bounds write
> > | via a large JSON file, as demonstrated by printbuf_memappend.
>
> The upstream fix introduces a regression, see in particular
> https://github.com/json-c/json-c/issues/599 .
>
> FWIW, Ubuntu has as well reverted the fix, pending further
> investigation as per https://usn.ubuntu.com/4360-2/

Backports for other branches (as squashed commits for all those needed):
https://github.com/json-c/json-c/pull/608

Regards,
Salvatore
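The bug class named in the CVE text quoted above is an integer overflow in the size arithmetic of a growable buffer's append routine: when the current position plus the requested length wraps around, the buffer is not grown enough and the following copy writes out of bounds. The following C program is an added illustration of the defensive pattern (bounds check before any addition that could wrap, geometric growth capped at INT_MAX), written for this page; it is a simplified model and not json-c's own printbuf code. The type and function names (safebuf, safebuf_append, the demo_* helpers) are hypothetical, and the sample inputs are constructed.

```c
/* Added example: a minimal growable buffer whose append rejects lengths that
 * would overflow the (int) position/size arithmetic before touching memory.
 * Simplified model for illustration; not json-c's printbuf implementation. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *buf;
    int bpos;   /* bytes used (excluding the NUL terminator) */
    int size;   /* bytes allocated */
} safebuf;

int safebuf_init(safebuf *p) {
    p->size = 32;
    p->bpos = 0;
    p->buf = malloc((size_t)p->size);
    if (!p->buf) return -1;
    p->buf[0] = '\0';
    return 0;
}

void safebuf_free(safebuf *p) {
    free(p->buf);
    p->buf = NULL;
    p->size = p->bpos = 0;
}

/* Append `len` bytes from `data`. Returns `len` on success, -1 on overflow,
 * negative length or allocation failure. The overflow test is phrased as
 * `len > INT_MAX - bpos - 1` so the comparison itself cannot wrap; computing
 * `bpos + len + 1` first is exactly what an attacker-controlled `len` breaks. */
int safebuf_append(safebuf *p, const char *data, int len) {
    if (len < 0) return -1;
    /* One byte is reserved for the terminator: require bpos + len + 1 <= INT_MAX. */
    if (len > INT_MAX - p->bpos - 1) return -1;
    int needed = p->bpos + len + 1;          /* safe: checked above */
    if (needed > p->size) {
        /* Grow geometrically, but do not double past INT_MAX. */
        int new_size = (p->size > INT_MAX / 2) ? INT_MAX : p->size * 2;
        if (new_size < needed) new_size = needed;
        char *t = realloc(p->buf, (size_t)new_size);
        if (!t) return -1;
        p->buf = t;
        p->size = new_size;
    }
    memcpy(p->buf + p->bpos, data, (size_t)len);
    p->bpos += len;
    p->buf[p->bpos] = '\0';
    return len;
}

/* Demo helpers return 1 on the expected outcome so the result can be checked. */
int demo_normal_append(void) {
    safebuf p;
    if (safebuf_init(&p)) return -1;
    if (safebuf_append(&p, "hello", 5) != 5) return -2;
    if (safebuf_append(&p, " world", 6) != 6) return -3;
    int ok = (p.bpos == 11 && p.size == 32 && strcmp(p.buf, "hello world") == 0);
    safebuf_free(&p);
    return ok;
}

int demo_growth(void) {
    char data[40];                           /* constructed: 40 bytes of 'x' */
    memset(data, 'x', sizeof data);
    safebuf p;
    if (safebuf_init(&p)) return -1;
    if (safebuf_append(&p, data, 40) != 40) return -2;
    /* needed = 41 > 32, so the buffer doubles to 64 and stays NUL-terminated. */
    int ok = (p.bpos == 40 && p.size == 64 && p.buf[40] == '\0');
    safebuf_free(&p);
    return ok;
}

int demo_overflow_rejected(void) {
    safebuf p;
    if (safebuf_init(&p)) return -1;
    safebuf_append(&p, "abc", 3);
    /* A length that would make bpos + len + 1 wrap must be refused; the data
     * pointer is never dereferenced because the size check fails first. */
    int r = safebuf_append(&p, "", INT_MAX);
    int ok = (r == -1 && p.bpos == 3 && strcmp(p.buf, "abc") == 0);
    safebuf_free(&p);
    return ok;
}

int main(void) {
    printf("normal append ok: %d\n", demo_normal_append());
    printf("growth ok:        %d\n", demo_growth());
    printf("overflow refused: %d\n", demo_overflow_rejected());
    return 0;
}
```

The two guards worth keeping in mind are the order of operations (compare against `INT_MAX - bpos - 1` rather than forming the sum first) and the growth cap. Since the thread notes that the first upstream fix was reverted for a regression, the demo also exercises ordinary appends and the growth path, which is the kind of regression test a distribution would want before re-applying a corrected patch.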