Bug 22271

Summary: json-c possible security issue with invalid free
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Nicolas Lécureuil <mageia>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: cjw, marja11, mhrambo3501, oe, olav, pkg-bugs
Version: 6   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: json-c-0.12.1-1.mga6.src.rpm CVE:
Status comment: The validity of this issue is debatable

Description David Walser 2017-12-26 21:39:21 CET 
Fedora has issued an advisory on December 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FYQLNAB3ZRR7U66VC3ANQHVU3MO5E3QD/

Corresponding upstream commit and pull request:
https://github.com/json-c/json-c/commit/5ea6a05bfa43c9ba438fbc0eaea600edd6d72b88
https://github.com/json-c/json-c/pull/389

Frankly I disagree with the patch and the reasoning.  It violates the "don't leave assertions turned on in production code" mantra, which in general can cause DoS issues, but in this case if the issue can be triggered, you already have that problem.  It sounds to me like "libu2f-server and sway" (whatever they are) are buggy and doing something wrong and this patch is pointless.
Comment 1 Marja Van Waes 2017-12-27 08:56:47 CET 
Assigning to the registered maintainer.

CC'ing all packagers collectively and some committers, because the cauldron changelog of this package doesn't mention the maintainer.

CC: (none) => cjw, marja11, oe, olav, pkg-bugs
Assignee: bugsquad => mageia

David Walser 2018-02-02 18:26:48 CET

Status comment: (none) => The validity of this issue is debatable

Comment 2 Mike Rambo 2019-11-06 13:18:43 CET 
Mageia 6 is EOL.

CC: (none) => mrambo
Resolution: (none) => OLD
Status: NEW => RESOLVED