It was found that the hashing implementation in Jansson, a library for encoding, decoding and manipulating JSON data, was susceptible to predictable hash collisions. A remote attacker could use this flaw to cause an application using Jansson to use an excessive amount of CPU time by sending a crafted JSON document containing a large number of parameters whose names map to the same hash value. Acknowledgements: This issue was discovered by Florian Weimer of the Red Hat Product Security Team.
Created attachment 859025 [details] CVE-2013-6401 patch
Public now: https://github.com/akheron/jansson/commit/8f80c2d83808150724d31793e6ade92749b1faa4
(In reply to Murray McAllister from comment #7) > Public now: > https://github.com/akheron/jansson/commit/ > 8f80c2d83808150724d31793e6ade92749b1faa4 This one is also needed: https://github.com/akheron/jansson/commit/42016a35c8907e477be73b0b5d06cc09af231ee4
Created jansson tracking bugs for this issue: Affects: epel-6 [bug 1063819]
Created jansson tracking bugs for this issue: Affects: fedora-all [bug 1063817]
The first patch is very very long. According to github, 19 changed files with 873 additions and 122 deletions is this the minimal patch for fixing this CVE? Or does it include extra fixes?? thanks
(In reply to Jordi Massaguer Pla from comment #12) > The first patch is very very long. According to github, > > 19 changed files with 873 additions and 122 deletions > > is this the minimal patch for fixing this CVE? Or does it include extra > fixes?? No, it fixes just this bug. It replaces the hashing function and adds random seeding.
jansson-2.6-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Closing as all dependent OS releases have fixes out