Bug 31812

Summary: libfastjson security issue CVE-2020-12762
Product: Mageia Reporter: Stig-Ørjan Smelror <smelror>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: CVE:
Status comment:

Description Stig-Ørjan Smelror 2023-04-18 23:45:06 CEST 
A flaw in json-c was discovered and libfastjson was also affected.

Fixed upstream in 0.99.9.1.

Version 1.2304.0 has been pushed to Cauldron.
Comment 1 Stig-Ørjan Smelror 2023-04-18 23:45:24 CEST 
https://github.com/advisories/GHSA-3797-gmjf-45gm
Comment 2 Stig-Ørjan Smelror 2023-04-19 07:24:38 CEST 
Update pushed to Cauldron.

Version: Cauldron => 8

Comment 3 Stig-Ørjan Smelror 2023-04-19 07:36:36 CEST 
Advisory
========

libfastjson has been updated to fix CVE-2020-12762.

CVE-2020-12762: json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.


References
==========
https://github.com/advisories/GHSA-3797-gmjf-45gm
https://nvd.nist.gov/vuln/detail/CVE-2020-12762


Files
=====

Uploaded to core/updates_testing

libfastjson4-1.2304.0-1.mga8
libfastjson-devel-1.2304.0-1.mga8

from libfastjson-1.2304.0-1.mga8.src.rpm

Assignee: smelror => qa-bugs

Comment 4 Stig-Ørjan Smelror 2023-04-19 07:37:54 CEST 
Here is how you can test

https://github.com/rsyslog/libfastjson/pull/166#issuecomment-1468211763
Comment 5 Len Lawrence 2023-04-25 18:25:25 CEST 
Part 1, before update:

Mageia8, x86_64
$ cat test.c
#include "libfastjson/json_util.h"
#include <unistd.h>
int main() {
    fjson_object_from_fd(STDIN_FILENO);
    return 0;
}

$ gcc test.c -o test -Llib64 -lfastjson -I include/libfastjson
$ dd if=/dev/zero of=poc.json bs=1 count=1 seek=2147483647
1+0 records in
1+0 records out
1 byte copied, 0.00617968 s, 0.2 kB/s
$ export LD_LIBRARY_PATH=$(pwd)/lib64
$ (dd if=poc.json bs=4096; sleep 1; dd if=test.json bs=10) 2>/dev/null | ./test
Segmentation fault (core dumped)
lcl@canopus:fastjson $ echo $?
139

Is test.json a typo?  Don't see where that is generated.
The segfault occurs after considerably more than 1 second.

Part 2
Updated to
lib64fastjson4-1.2304.0-1.mga8
lib64fastjson-devel-1.2304.0-1.mga8

Recompiled test.
$ (dd if=poc.json bs=4096; sleep 1; dd if=test.json bs=10) 2>/dev/null | ./test
$
Completed after a second or two, no segfault.

urpmq --whatrequires returns rsyslog as the only application using fastjson.

Installed rsyslog and started it as a service under strace.
$ sudo grep fastjson rsyslog.trace
$
Guess it comes into play when logging occurs.  Don't know how to use rsyslog so the PoC test shall have to be enough to validate this update.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 6 Thomas Andrews 2023-04-26 15:18:16 CEST 
Validating. Advisory in comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-05-06 18:18:28 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2023-05-06 20:20:36 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0159.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED