Hi,

On Mon, May 11, 2020 at 09:55:12PM +0200, Salvatore Bonaccorso wrote:
> Source: json-c
> Version: 0.13.1+dfsg-7
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/json-c/json-c/pull/592
>
> Hi,
>
> The following vulnerability was published for json-c.
>
> CVE-2020-12762[0]:
> | json-c through 0.14 has an integer overflow and out-of-bounds write
> | via a large JSON file, as demonstrated by printbuf_memappend.

The upstream fix introduces a regression, see in particular
https://github.com/json-c/json-c/issues/599 .

FWIW, Ubuntu has as well reverted the fix, pending further investigation
as per https://usn.ubuntu.com/4360-2/

Regards,
Salvatore