Your submission was sent successfully! Close

CVE-2020-12762

Published: 9 May 2020

json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.

Notes

AuthorNote
mdeslaur
USN-4360-1 introduced a regression and the problematic fix was
backed out in USN-4360-2 and USN-4360-3 pending further
investigation.
Priority

Medium

CVSS 3 base score: 7.8

Status

Package Release Status
json-c
Launchpad, Ubuntu, Debian
bionic
Released (0.12.1-1.3ubuntu0.3)
eoan
Released (0.13.1+dfsg-4ubuntu0.3)
focal
Released (0.13.1+dfsg-7ubuntu0.3)
precise
Released (0.9-1ubuntu1.4)
trusty
Released (0.11-3ubuntu1.2+esm3)
upstream Needs triage

xenial
Released (0.11-4ubuntu2.6)
Patches:
upstream: https://github.com/json-c/json-c/pull/592/commits/099016b7e8d70a6d5dd814e788bba08d33d48426
upstream: https://github.com/json-c/json-c/pull/592/commits/77d935b7ae7871a1940cd827e850e6063044ec45
upstream: https://github.com/json-c/json-c/pull/592/commits/d07b91014986900a3a75f306d302e13e005e9d67
upstream: https://github.com/besser82/json-c/commit/7a4807fe0cdb1d9e20273c79762cbf54833aaae4 (regression fix)