Bug 18326

Summary: jansson new security issue CVE-2016-4425
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: guillomovitch, mageia, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/687590/
Whiteboard: has_procedure advisory mga5-64-ok
Source RPM: jansson-2.7-2.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-05-02 16:04:23 CEST 
A CVE has been assigned for a security issue in jansson:
http://openwall.com/lists/oss-security/2016/05/02/1

It's not clear whether the version in Mageia 5 is affected.

A pull request has been submitted upstream with a potential fix.
Comment 1 David Walser 2016-05-17 21:18:23 CEST 
Debian has issued an advisory for this on May 14:
https://www.debian.org/security/2016/dsa-3577

URL: (none) => http://lwn.net/Vulnerabilities/687590/

Comment 2 David Walser 2016-05-18 22:21:51 CEST 
Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated jansson packages fix security vulnerability:

Gustavo Grieco discovered that jansson did not limit the recursion depth when
parsing JSON arrays and objects. This could allow remote attackers to cause a
denial of service (crash) via stack exhaustion, using crafted JSON data
(CVE-2016-4425).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4425
https://www.debian.org/security/2016/dsa-3577
========================

Updated packages in core/updates_testing:
========================
jansson-2.4-4.1.mga5
jansson-devel-2.4-4.1.mga5

from jansson-2.4-4.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: mageia => qa-bugs

Comment 3 claire robinson 2016-05-20 13:43:33 CEST 
PoC: from debian link
https://github.com/akheron/jansson/issues/282
claire robinson 2016-05-20 13:43:45 CEST

Whiteboard: (none) => has_procedure

Comment 4 claire robinson 2016-05-20 13:45:56 CEST 
Testing mga5 64
Comment 5 claire robinson 2016-05-20 14:30:19 CEST 
Testing complete mga5 64

PoC requires jshon which we don't appear to provide.

jansson package is just library & doc files, it should perhaps be libjansson instead.

# urpmf jansson
jansson:/usr/lib64/libjansson.so.4
jansson:/usr/lib64/libjansson.so.4.4.0
jansson:/usr/share/doc/jansson
jansson:/usr/share/doc/jansson/CHANGES
jansson:/usr/share/doc/jansson/LICENSE


Testing AFAIC using suricata

# urpmq --whatrequires jansson
jansson
jansson-devel
jansson-devel
libteam-tools
suricata

Suricata fails without SSE3 (build time option)
https://github.com/security-onion-solutions/security-onion/issues/26

It's a bit of an unfriendly beast, missing all sorts of config files from the source and needing extra configuration but taking comfort from the fact the errors remain constant before & after updating jansson.

I think enough to ensure this updates cleanly and suricata issues unchanged.

Whiteboard: has_procedure => has_procedure mga5-64-ok

Comment 6 David Walser 2016-05-20 17:02:28 CEST 
Indeed, I thought this wasn't properly libified when I wrote the advisory.

Guillaume, would you mind libifying this package in Cauldron?

CC: (none) => guillomovitch, mageia

claire robinson 2016-05-21 21:41:28 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-64-ok => has_procedure advisory mga5-64-ok
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2016-05-22 00:12:15 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0198.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED