Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

json-c CVE-2020-12762: integer overflow and out-of-bounds write #2153

Closed
3 tasks done
KexyBiscuit opened this issue May 15, 2020 · 5 comments
Closed
3 tasks done

json-c CVE-2020-12762: integer overflow and out-of-bounds write #2153

KexyBiscuit opened this issue May 15, 2020 · 5 comments
Labels
aosa-pending Pending AOSA (AOSC OS Security Advisory) assignment security Topic/issue involves a security issue/fixed

Comments

@KexyBiscuit
Copy link
Member

KexyBiscuit commented May 15, 2020
edited by MingcongBai
Loading

CVE IDs: CVE-2020-12762

Other security advisory IDs: USN-4360-1

Descriptions: json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.

Patches: Prevent out of boundary write on malicious input

PoC(s): Code to exploit

Architectural progress:

  • AMD64 amd64
    • 32-bit Optional Environment optenv32
  • AArch64 arm64
@KexyBiscuit KexyBiscuit added security Topic/issue involves a security issue/fixed to-stable labels May 15, 2020
@KexyBiscuit KexyBiscuit added this to the Summer 2020 milestone May 15, 2020
@KexyBiscuit
Copy link
Member Author

KexyBiscuit commented May 15, 2020
edited
Loading

Upstream introduced regressions: cannot add more than 11 objects. Is this a known issue?, let's not call lh_table_resize with INT_MAX, and is marked as critical on Ubuntu which caused a revert.

@KexyBiscuit KexyBiscuit changed the title json-c: integer overflow and out-of-bounds write json-c CVE-2020-12762: integer overflow and out-of-bounds write May 25, 2020
MingcongBai pushed a commit that referenced this issue May 28, 2020
json-c{,+32}: (Ubuntu patches) #2153
795b96f
@KexyBiscuit KexyBiscuit mentioned this issue May 28, 2020
Closed
@KexyBiscuit
Copy link
Member Author

Upstream introduced regressions: cannot add more than 11 objects. Is this a known issue?, let's not call lh_table_resize with INT_MAX, and is marked as critical on Ubuntu which caused a revert.

Ubuntu released a new version.

@MingcongBai
Copy link
Member

Thanks for the update.

MingcongBai added a commit that referenced this issue Jun 9, 2020
@MingcongBai
json-c: update patch to fix a regression; #2153
d9004dd
@MingcongBai
Copy link
Member

All done. @l2dy Please assign an AOSA.

@MingcongBai MingcongBai added the aosa-pending Pending AOSA (AOSC OS Security Advisory) assignment label Jun 9, 2020
@l2dy
Copy link
Member

l2dy commented Aug 3, 2020

Use AOSA-2020-0108.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
aosa-pending Pending AOSA (AOSC OS Security Advisory) assignment security Topic/issue involves a security issue/fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@MingcongBai @KexyBiscuit @l2dy