Security Advisory Moderate: json-c security update

Advisory: RHSA-2014:0703-1
Type: Security Advisory
Severity: Moderate
Issued on: 2014-06-10
Last updated on: 2014-06-10
Affected Products: Red Hat Enterprise Linux Desktop (v. 7)
                   Red Hat Enterprise Linux HPC Node (v. 7)
                   Red Hat Enterprise Linux Server (v. 7)
                   Red Hat Enterprise Linux Workstation (v. 7)
CVEs (cve.mitre.org): CVE-2013-6370
                      CVE-2013-6371

Details

Updated json-c packages that fix two security issues are now available for
Red Hat Enterprise Linux 7.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

JSON-C implements a reference counting object model that allows you to
easily construct JSON objects in C, output them as JSON-formatted strings,
and parse JSON-formatted strings back into the C representation of
JSON objects.

Multiple buffer overflow flaws were found in the way the json-c library
handled long strings in JSON documents. An attacker able to make an
application using json-c parse excessively large JSON input could cause the
application to crash. (CVE-2013-6370)
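As an added illustration of the CVE-2013-6370 bug class (this is not json-c's own printbuf code), the C sketch below pairs the shape of the pre-fix grow check, where a size_t length is narrowed into int bookkeeping, with a hardened append that refuses such lengths before any arithmetic. The struct and function names are constructed for the example, and it assumes a 64-bit size_t.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for a json-c style growable string buffer whose
 * bookkeeping lives in int fields (constructed here; not json-c's printbuf). */
struct pbuf {
    char *buf;
    int size;   /* allocated bytes */
    int bpos;   /* bytes used, excluding the trailing NUL */
};

static int pbuf_init(struct pbuf *p)
{
    p->size = 32; p->bpos = 0;
    p->buf = calloc(1, (size_t)p->size);
    return p->buf ? 0 : -1;
}

/* Shape of the pre-fix grow check: the caller's size_t length is narrowed to
 * int, so on 64-bit builds a length above INT_MAX turns negative, the test
 * "size <= bpos + size + 1" fails, no growth happens, and the memcpy that
 * follows in real code runs past the allocation. This helper only reports
 * what that check would decide; it never copies anything. */
static int unchecked_grow_skipped(const struct pbuf *p, size_t len)
{
    int size = (int)len;                 /* the narrowing behind the bug */
    return p->size > p->bpos + size + 1; /* 1 = growth skipped, overflow ahead */
}

/* Hardened append: refuse any length the int bookkeeping cannot hold before
 * doing arithmetic on it, then grow with overflow-safe math. */
static int pbuf_append(struct pbuf *p, const char *s, size_t len)
{
    if (len > (size_t)(INT_MAX - p->bpos - 1))
        return -1;                       /* would overflow the int fields */
    int need = p->bpos + (int)len + 1;   /* bytes required including NUL */
    if (p->size < need) {
        int new_size = p->size > INT_MAX / 2 ? INT_MAX : p->size * 2;
        if (new_size < need) new_size = need;
        char *t = realloc(p->buf, (size_t)new_size);
        if (!t) return -1;
        p->buf = t;
        p->size = new_size;
    }
    memcpy(p->buf + p->bpos, s, len);
    p->bpos += (int)len;
    p->buf[p->bpos] = '\0';
    return (int)len;
}
```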

A denial of service flaw was found in the implementation of hash arrays in
json-c. An attacker could use this flaw to make an application using json-c
consume an excessive amount of CPU time by providing a specially crafted
JSON document that triggers multiple hash function collisions. To mitigate
this issue, json-c now uses a different hash function and randomization to
reduce the chance of an attacker successfully causing intentional
collisions. (CVE-2013-6371)
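Added example, not code from json-c: a seeded hash with a per-table seed, which is the randomization idea described above, combined with a bound on how long a bucket chain may grow before the input is rejected, an extra defensive measure the advisory does not mention. hash_seeded, struct table and the limits are constructed for the example; keys are stored by pointer and remain caller-owned, and the seed is passed in explicitly where a real table would draw it from the OS random source.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Seeded 32-bit FNV-1a (constructed for this example; json-c's actual
 * replacement hash differs). Each step, xor with a byte then multiply by an
 * odd constant, is a bijection on 32-bit values, so tables with different
 * seeds map the same key to different hashes: collisions precomputed
 * against one seed do not carry over to another. */
static uint32_t hash_seeded(uint32_t seed, const char *key)
{
    uint32_t h = 2166136261u ^ seed;
    for (const unsigned char *p = (const unsigned char *)key; *p; p++)
        h = (h ^ *p) * 16777619u;
    return h;
}

struct entry { const char *key; struct entry *next; };
struct table { uint32_t seed; size_t nbuckets; int max_chain; struct entry **b; };

/* Seed passed in for determinism; a real table would take it from the OS RNG. */
static int table_init(struct table *t, uint32_t seed, size_t nbuckets, int max_chain)
{
    t->seed = seed; t->nbuckets = nbuckets; t->max_chain = max_chain;
    t->b = calloc(nbuckets, sizeof *t->b);
    return t->b ? 0 : -1;
}

/* Returns 0 when the key is stored or already present, -1 when its bucket
 * already holds max_chain entries: the caller rejects the input instead of
 * spending unbounded CPU walking a chain an attacker made long. */
static int table_insert(struct table *t, const char *key)
{
    struct entry **slot = &t->b[hash_seeded(t->seed, key) % t->nbuckets];
    int depth = 0;
    for (struct entry *e = *slot; e; e = e->next, depth++)
        if (strcmp(e->key, key) == 0) return 0;
    if (depth >= t->max_chain) return -1;
    struct entry *n = malloc(sizeof *n);
    if (!n) return -1;
    n->key = key; n->next = *slot; *slot = n;
    return 0;
}

static int table_contains(const struct table *t, const char *key)
{
    for (struct entry *e = t->b[hash_seeded(t->seed, key) % t->nbuckets]; e; e = e->next)
        if (strcmp(e->key, key) == 0) return 1;
    return 0;
}
```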

These issues were discovered by Florian Weimer of the Red Hat Product
Security Team.

All json-c users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages


Bugs fixed (see bugzilla for more information)

1032311 - CVE-2013-6371 json-c: hash collision DoS
1032322 - CVE-2013-6370 json-c: buffer overflow if size_t is larger than int


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/