| Description: | JSON-C implements a reference counting object model that allows you to easily construct JSON objects in C, output them as JSON-formatted strings, and parse JSON-formatted strings back into the C representation of JSON objects.
Multiple buffer overflow flaws were found in the way the json-c library handled long strings in JSON documents. An attacker able to make an application using json-c parse excessively large JSON input could cause the application to crash. (CVE-2013-6370)
A denial of service flaw was found in the implementation of hash arrays in json-c. An attacker could use this flaw to make an application using json-c consume an excessive amount of CPU time by providing a specially crafted JSON document that triggers multiple hash function collisions. To mitigate this issue, json-c now uses a different hash function and randomization to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2013-6371)
These issues were discovered by Florian Weimer of the Red Hat Product Security Team.
All json-c users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
|