A vulnerability was found in jansson. Parsing a maliciously crafted JSON file could cause the application to crash. This crash is caused by stack exhaustion. CVE request: http://seclists.org/oss-sec/2016/q2/181 Upstream bug: https://github.com/akheron/jansson/issues/282 Upstream patch: https://github.com/akheron/jansson/pull/284
Created jansson tracking bugs for this issue: Affects: fedora-all [bug 1332201] Affects: epel-6 [bug 1332202]
Upstream fix: https://github.com/akheron/jansson/pull/284
Created attachment 1156436 [details] reproduction script + client program Added repro derived from upstream bug.
RHEL-7 package version 2.4/6el7 confirmed vulnerable by inspecting the source and reproducing the segfault. The effect is stack overrun: while it segfaults there's no opportunity to exploit it for C/I compromise. Moderate impact due to affecting availability. Patch is easy to apply but impact is very low - closing with WONTFIX.