Bug 2235514 (CVE-2021-32292)

Summary: CVE-2021-32292 json-c: stack-buffer-overflow in parseit() in json_parse.c
Product: [Other] Security Response Reporter: Chess Hazlett <chazlett>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: fhrdina, tkorbar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: json-c 0.16-20220414 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the parseit() function in json_parse.c., a test app in the json-c library. The code error does not affect the library itself.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2235515, 2235516, 2235517, 2235518, 2236135, 2236136, 2236137    
Bug Blocks: 2235500    

Description Chess Hazlett 2023-08-28 22:09:06 UTC 
An issue was discovered in json-c through 0.15-20200726. A stack-buffer-overflow exists in the function parseit located in json_parse.c. It allows an attacker to cause code Execution.

https://github.com/json-c/json-c/issues/654
Comment 2 TEJ RATHI 2023-08-29 07:31:24 UTC 
Upstream Commit:
https://github.com/json-c/json-c/commit/4e9e44e5258dee7654f74948b0dd5da39c28beec
Comment 3 TEJ RATHI 2023-08-30 12:28:39 UTC 
Created json-c tracking bugs for this issue:

Affects: fedora-37 [bug 2236136]
Affects: fedora-38 [bug 2236137]


Created json-c12 tracking bugs for this issue:

Affects: epel-7 [bug 2236135]