Package name: json-c
Date: 2014-04-17
Advisory ID: MDVSA-2014:079
Affected versions: MBS1 x86_64

Problem description

Updated json-c packages fix security vulnerabilities:

Florian Weimer reported that the printbuf APIs in the json-c library
used ints for counting buffer lengths, which is inappropriate for
32-bit architectures. These functions need to be changed to use
size_t for sizes where possible, or to be hardened against negative
values where not. This could be used to cause a denial of service in
an application linked to the json-c library (CVE-2013-6370).
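
The hardening described above (size_t for sizes, or rejecting negative
values where an int length has to stay), sketched as an added example.
This is not json-c's printbuf code: struct gbuf, gbuf_append and
gbuf_append_int are hypothetical names used only for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable string buffer; NOT json-c's printbuf. */
struct gbuf { char *data; size_t len; size_t cap; };

/* Append n bytes plus a terminating NUL. Sizes are size_t and every
 * addition is checked before it happens. Returns 0, or -1 on a
 * request that would wrap or cannot be allocated. */
int gbuf_append(struct gbuf *b, const char *src, size_t n)
{
    if (n >= SIZE_MAX - b->len)          /* len + n + 1 would wrap */
        return -1;
    size_t need = b->len + n + 1;
    if (need > b->cap) {
        size_t ncap = b->cap ? b->cap : 32;
        while (ncap < need)              /* double, but never wrap */
            ncap = (ncap > SIZE_MAX / 2) ? need : ncap * 2;
        char *p = realloc(b->data, ncap);
        if (p == NULL)
            return -1;                   /* old buffer stays valid */
        b->data = p;
        b->cap = ncap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    b->data[b->len] = '\0';
    return 0;
}

/* For callers that must keep an int length: reject negatives before
 * the conversion turns them into a huge size_t. */
int gbuf_append_int(struct gbuf *b, const char *src, int n)
{
    return n < 0 ? -1 : gbuf_append(b, src, (size_t)n);
}

int main(void)
{
    struct gbuf b = {0};
    printf("append 5: %d\n", gbuf_append_int(&b, "hello", 5));
    printf("append -1: %d\n", gbuf_append_int(&b, "x", -1));
    printf("append SIZE_MAX: %d\n", gbuf_append(&b, "x", SIZE_MAX));
    printf("buffer: \"%s\" (len %zu)\n", b.data, b.len);
    free(b.data);
    return 0;
}
```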

Florian Weimer reported that the hash function in the json-c library
was weak, and that parsing smallish JSON strings showed quadratic
timing behaviour. This could cause an application that is linked to
the json-c library and processes specially crafted JSON data to use
excessive amounts of CPU (CVE-2013-6371).

Updated packages

MBS1 x86_64

 f799ac04871a5044f8c8c4802f29f33a  mbs1/x86_64/lib64json2-0.11-1.1.mbs1.x86_64.rpm
 9c7a7e290ebd91a7fc071f04e0abe340  mbs1/x86_64/lib64json-devel-0.11-1.1.mbs1.x86_64.rpm 
 f3c134fa6a2ee59590340ab94dfa079d  mbs1/SRPMS/json-c-0.11-1.1.mbs1.src.rpm

References