-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Please check if affected by CVE-2020-12762 #161
Comments
Well, looks like libfastjson shares some common and not-yet-patched code with json-c. I slightly modified the original application from json-c/json-c#592 and got a segmentation fault on my machine with libfastjson. Reproduced this issue with on 32-bit and x86_64 builds of the sample application. Environment:
Sample application: #include <libfastjson/json_util.h>
#include <unistd.h>
int main() {
fjson_object_from_fd(STDIN_FILENO);
return 0;
} Proof:
|
Have this CVE been fixed in libfastjson? |
I compare ths json-c fix for this CVE and the libfastjson code.
|
Thx for the heads-up. While you are at it: it would be great if you could craft a PR. |
Ok~ I will craft a PR this evening later. I wanna repruduce this CVE problem and check whether the json-c patch could fix it. After that I will push the PR. |
Sorry for the late PR #166 I reproduce and solve the CVE by referencing the json-c patch I think I have solved this CVE. |
@rgerhards Could you please check this CVE fix? I've verified the CVE is fixed. |
Hello, can anyone review the code? |
yes, this fixes it. |
1 similar comment
yes, this fixes it. |
So who can merge the code? |
I usually keep it open until we finally release. But I can merge right now if you prefer. |
actually I can't right now due to some operational issues at github. Will do as soon as it is possible again. |
I hope the fix will be in the code repository as soon as possible. Thanks. |
@Whissi I think the CVE is fixed, so if there is no other problem, maybe you can close the issue I guess? |
Will there also be a new release-tag, like v1.0 or so with this fix? |
There will be a new tag. Remember that rsyslog project is doing releases every ~2 months so maybe this will be addressed already in the upcoming April release. If not it will get tackled in the summer release. I'll leave this bug open as reminder for the team. Once they do the changelog/release work, they can close it. |
I can add a tag if @EmielBruijntjes needs this for an internal build process. Just let me know. |
Yes, that would be nice, it makes life on our side a bit easier if we can refer to a version number or a tag. |
@EmielBruijntjes I have added the v0.99.9.1 tag. |
Side-Note: there is also the upcoming version numbering change in that tag included. Just so that you know. |
CVE-2020-12762 was reported for json-c, see json-c/json-c#592. Please check if libfastjson is affected by a similar problem. At least it looks like that printbuf.c changes should be backported.
The text was updated successfully, but these errors were encountered: