[Bug 1311397] Re: json-c: CVE-2013-6370 CVE-2013-6371

[Dimitri John Ledkov]

** Changed in: json-c (Ubuntu Trusty)
       Status: New => In Progress

** Changed in: json-c (Ubuntu Trusty)
     Assignee: (unassigned) => Dimitri John Ledkov (xnox)

** Patch added: "lp1311397.patch"
   https://bugs.launchpad.net/ubuntu/+source/json-c/+bug/1311397/+attachment/4093494/+files/lp1311397.patch

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to json-c in Ubuntu.
https://bugs.launchpad.net/bugs/1311397

Title:
  json-c: CVE-2013-6370 CVE-2013-6371

Status in “json-c” package in Ubuntu:
  In Progress
Status in “json-c” source package in Precise:
  New
Status in “json-c” source package in Quantal:
  New
Status in “json-c” source package in Saucy:
  New
Status in “json-c” source package in Trusty:
  In Progress
Status in “json-c” package in Debian:
  Fix Released

Bug description:
  Imported from Debian bug http://bugs.debian.org/744008:

  Source: json-c
  Severity: important
  Tags: security upstream fixed-upstream

  Hi,

  the following vulnerabilities were published for json-c.

  CVE-2013-6370[0]:
  buffer overflow if size_t is larger than int

  CVE-2013-6371[1]:
  hash collision DoS

  If you fix the vulnerabilities please also make sure to include the
  CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

  The upstream patch is at [2].

  For further information see:

  [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6370
      https://security-tracker.debian.org/tracker/CVE-2013-6370
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6371
      https://security-tracker.debian.org/tracker/CVE-2013-6371
  [2] https://github.com/json-c/json-c/commit/64e36901a0614bf64a19bc3396469c66dcd0b015

  Regards,
  Salvatore

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/json-c/+bug/1311397/+subscriptions