CVE-2020-12762

Published: 09 May 2020

json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package: json-c

Release status:

Upstream: Needs triage
Ubuntu 20.10 (Groovy Gorilla): Released (0.13.1+dfsg-7ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa): Released (0.13.1+dfsg-7ubuntu0.3)
Ubuntu 18.04 LTS (Bionic Beaver): Released (0.12.1-1.3ubuntu0.3)
Ubuntu 16.04 LTS (Xenial Xerus): Released (0.11-4ubuntu2.6)
Ubuntu 14.04 ESM (Trusty Tahr): Released (0.11-3ubuntu1.2+esm3)
Ubuntu 12.04 ESM (Precise Pangolin): Released (0.9-1ubuntu1.4)
Patches:
Upstream: https://github.com/json-c/json-c/pull/592/commits/099016b7e8d70a6d5dd814e788bba08d33d48426
Upstream: https://github.com/json-c/json-c/pull/592/commits/77d935b7ae7871a1940cd827e850e6063044ec45
Upstream: https://github.com/json-c/json-c/pull/592/commits/d07b91014986900a3a75f306d302e13e005e9d67
Upstream: https://github.com/besser82/json-c/commit/7a4807fe0cdb1d9e20273c79762cbf54833aaae4 (regression fix)