A vulnerability was found in jansson. Parsing a maliciously crafted JSON file could cause the application to crash. This crash is caused by stack exhaustion.
Created jansson tracking bugs for this issue:
Affects: fedora-all [bug 1332201]
Affects: epel-6 [bug 1332202]
Created attachment 1156436
reproduction script + client program
Added repro derived from upstream bug.
RHEL-7 package version 2.4/6el7 confirmed vulnerable by inspecting the source and reproducing the segfault.
The effect is stack overrun: while it segfaults there's no opportunity to exploit it for C/I compromise. Moderate impact due to affecting availability.
Patch is easy to apply but impact is very low - closing with WONTFIX.
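As an added example (not part of this bug report or of jansson's own code): a pre-parse nesting-depth check that a caller can run over untrusted JSON before handing it to a recursive-descent parser, rejecting documents whose depth would exhaust the stack. The depth limit of 1024 and the function names are assumptions for the demo, not jansson API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Scan a JSON text and return the maximum nesting depth of arrays and
   objects, ignoring brackets that appear inside string literals.
   Returns -1 if brackets are unbalanced or a string is left open. */
int json_max_depth(const char *s, size_t len) {
    int depth = 0, max = 0;
    bool in_str = false, esc = false;
    for (size_t i = 0; i < len; i++) {
        char c = s[i];
        if (in_str) {                 /* inside "...": only look for the end */
            if (esc) esc = false;
            else if (c == '\\') esc = true;
            else if (c == '"') in_str = false;
            continue;
        }
        switch (c) {
        case '"': in_str = true; break;
        case '[': case '{':
            if (++depth > max) max = depth;
            break;
        case ']': case '}':
            if (--depth < 0) return -1;   /* closer without an opener */
            break;
        default: break;
        }
    }
    return (depth == 0 && !in_str) ? max : -1;
}

int json_max_depth_str(const char *s) { return json_max_depth(s, strlen(s)); }

/* Gate used before calling a recursive parser: well-formed nesting only,
   and never deeper than the caller's limit (assumed 1024 in the demo). */
bool json_safe_to_parse(const char *s, size_t len, int limit) {
    int d = json_max_depth(s, len);
    return d >= 0 && d <= limit;
}

/* Constructed sample "[[[...]]]" of the given depth; buf needs 2*depth+1 bytes. */
size_t make_nested(char *buf, size_t depth) {
    memset(buf, '[', depth);
    memset(buf + depth, ']', depth);
    buf[2 * depth] = '\0';
    return 2 * depth;
}

int main(void) {
    static char buf[200001];               /* constructed deep input */
    size_t n = make_nested(buf, 100000);
    printf("depth=%d safe=%s\n", json_max_depth(buf, n),
           json_safe_to_parse(buf, n, 1024) ? "yes" : "no");
    return 0;
}
```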