CVE-2020-12762
Published: 9 May 2020
json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.
Priority
Medium
CVSS 3 base score: 7.8
Status
| Package | Release | Status |
|---|---|---|
|
json-c Launchpad, Ubuntu, Debian |
bionic |
Released
(0.12.1-1.3ubuntu0.3)
|
| eoan |
Released
(0.13.1+dfsg-4ubuntu0.3)
|
|
| focal |
Released
(0.13.1+dfsg-7ubuntu0.3)
|
|
| precise |
Released
(0.9-1ubuntu1.4)
|
|
| trusty |
Released
(0.11-3ubuntu1.2+esm3)
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(0.11-4ubuntu2.6)
|
Notes
| Author | Note |
|---|---|
| mdeslaur | USN-4360-1 introduced a regression and the problematic fix was backed out in USN-4360-2 and USN-4360-3 pending further investigation. |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12762
- https://github.com/json-c/json-c/pull/592
- https://ubuntu.com/security/notices/USN-4360-1
- https://ubuntu.com/security/notices/USN-4360-4
- NVD
- Launchpad
- Debian