
Bug#960326: marked as done (json-c: CVE-2020-12762)



Your message dated Tue, 16 Jun 2020 08:33:37 +0000
with message-id <E1jl72H-0007GQ-90@fasolo.debian.org>
and subject line Bug#960326: fixed in json-c 0.13.1+dfsg-8
has caused the Debian Bug report #960326,
regarding json-c: CVE-2020-12762
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
960326: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960326
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: json-c
Version: 0.13.1+dfsg-7
Severity: important
Tags: security upstream
Forwarded: https://github.com/json-c/json-c/pull/592

Hi,

The following vulnerability was published for json-c.

CVE-2020-12762[0]:
| json-c through 0.14 has an integer overflow and out-of-bounds write
| via a large JSON file, as demonstrated by printbuf_memappend.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-12762
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12762
[1] https://github.com/json-c/json-c/pull/592

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: json-c
Source-Version: 0.13.1+dfsg-8
Done: Gianfranco Costamagna <locutusofborg@debian.org>

We believe that the bug you reported is fixed in the latest version of
json-c, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 960326@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gianfranco Costamagna <locutusofborg@debian.org> (supplier of updated json-c package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 16 Jun 2020 09:45:32 +0200
Source: json-c
Binary: libjson-c4 libjson-c-dev libjson-c-doc libjson-c4-udeb
Architecture: source
Version: 0.13.1+dfsg-8
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Gianfranco Costamagna <locutusofborg@debian.org>
Description:
 libjson-c-dev - JSON manipulation library - development files
 libjson-c-doc - JSON manipulation library - documentation files
 libjson-c4 - JSON manipulation library - shared library
 libjson-c4-udeb - JSON manipulation library - shared library (udeb) (udeb)
Closes: 960326
Changes:
 json-c (0.13.1+dfsg-8) unstable; urgency=medium
 .
   [ Leonidas S. Barbosa ]
   * SECURITY UPDATE: Integer overflows
     - debian/patches/CVE-2020-12762-*.patch: fix a series of
       integer overflows adding checks in linkhash.c, printbuf.c, test4.c,
       test4.expected.
     - CVE-2020-12762
 .
   [ Gianfranco Costamagna ]
   * QA upload
   * Import Ubuntu patch (Closes: #960326)


--- End Message ---
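The CVE text in the first message names printbuf_memappend, and the changelog in the second says the patch fixes the overflow by adding checks in printbuf.c. The example below is added here and is not json-c's code: a minimal printbuf-style append showing the guard that refuses a size whose bookkeeping (bpos + size + 1, then min_size + 8) would wrap a signed int and leave the buffer far smaller than the copy that follows. The struct layout, printbuf_extend and printbuf_selfcheck are assumptions modelled on the API names the page mentions.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

struct printbuf { char *buf; int bpos; int size; }; /* bytes used, bytes allocated */
/* Grow to at least min_size bytes (assumed helper modelled on printbuf_extend). */
static int printbuf_extend(struct printbuf *p, int min_size)
{
    /* Without this guard min_size + 8 can wrap past INT_MAX, the buffer is then
     * allocated far too small and the caller's memcpy writes past its end. */
    if (min_size > INT_MAX - 8) return -1;
    int new_size = (p->size > min_size / 2 && p->size <= INT_MAX / 2)
                       ? p->size * 2 : min_size + 8;
    char *t = realloc(p->buf, (size_t)new_size);
    if (!t) return -1;
    p->buf = t; p->size = new_size;
    return 0;
}

/* Append size bytes; returns size, or -1 when the request is refused. */
int printbuf_memappend(struct printbuf *p, const char *data, int size)
{
    /* Refuse sizes for which bpos + size + 1 would overflow a signed int. */
    if (size < 0 || size > INT_MAX - p->bpos - 1)
        return -1;
    if (p->size <= p->bpos + size + 1 && printbuf_extend(p, p->bpos + size + 1) < 0)
        return -1;
    memcpy(p->buf + p->bpos, data, (size_t)size);
    p->bpos += size;
    p->buf[p->bpos] = '\0';
    return size;
}

/* Exercise the checks on constructed input; returns 1 when every case passes. */
int printbuf_selfcheck(void)
{
    char big[100];
    struct printbuf p = { malloc(32), 0, 32 };
    if (!p.buf) return 0;
    memset(big, 'a', sizeof big);
    int ok = printbuf_memappend(&p, "hello", 5) == 5 && strcmp(p.buf, "hello") == 0
          /* a size near INT_MAX is refused before any allocation or copy */
          && printbuf_memappend(&p, "x", INT_MAX - 5) == -1 && p.bpos == 5
          /* a legitimate append that forces growth still succeeds */
          && printbuf_memappend(&p, big, 100) == 100 && p.bpos == 105
          && p.size >= 106 && p.buf[105] == '\0';
    free(p.buf);
    return ok;
}
```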
