CVE-2021-32292

NameCVE-2021-32292
DescriptionAn issue was discovered in json-c from 20200420 (post 0.14 unreleased code) through 0.15-20200726. A stack-buffer-overflow exists in the auxiliary sample program json_parse which is located in the function parseit.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5486-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
json-c (PTS)jessie, jessie (lts)0.11-4+deb8u2fixed
stretch (security), stretch (lts), stretch0.12.1-1.1+deb9u1fixed
buster (security), buster, buster (lts)0.12.1+ds-2+deb10u1fixed
bullseye (security), bullseye0.15-2+deb11u1fixed
bookworm0.16-2fixed
sid, trixie0.18+ds-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
json-csourcejessie(not affected)
json-csourcestretch(not affected)
json-csourcebuster(not affected)
json-csourcebullseye0.15-2+deb11u1DSA-5486-1
json-csource(unstable)0.16-1

Notes

[buster] - json-c <not-affected> (Vulnerable code was introduced later)
https://github.com/json-c/json-c/issues/654
https://github.com/json-c/json-c/pull/655
https://github.com/json-c/json-c/commit/4e9e44e5258dee7654f74948b0dd5da39c28beec (json-c-0.16-20220414)
[stretch] - json-c <not-affected> (Vulnerable code was introduced later)
[jessie] - json-c <not-affected> (Vulnerable code was introduced later)

Search for package or bug name: Reporting problems