diff -Nru json-c-0.12.1/debian/changelog json-c-0.12.1/debian/changelog --- json-c-0.12.1/debian/changelog 2020-05-11 19:29:02.000000000 +0000 +++ json-c-0.12.1/debian/changelog 2020-05-15 11:33:56.000000000 +0000 @@ -1,3 +1,9 @@ +json-c (0.12.1-1.3ubuntu0.2) bionic-security; urgency=medium + + * Revert the security fixes and rebuild the old version (LP: #1878723) + + -- Chris Coulson Fri, 15 May 2020 12:33:56 +0100 + json-c (0.12.1-1.3ubuntu0.1) bionic-security; urgency=medium * SECURITY UPDATE: Integer overflows diff -Nru json-c-0.12.1/debian/control json-c-0.12.1/debian/control --- json-c-0.12.1/debian/control 2020-05-11 19:29:02.000000000 +0000 +++ json-c-0.12.1/debian/control 2018-01-07 14:38:46.000000000 +0000 @@ -1,7 +1,6 @@ Source: json-c Priority: extra -Maintainer: Ubuntu Developers -XSBC-Original-Maintainer: fabien boucher +Maintainer: fabien boucher Uploaders: Ondřej Surý Build-Depends: autotools-dev, debhelper (>= 9), diff -Nru json-c-0.12.1/debian/patches/CVE-2020-12762-2.patch json-c-0.12.1/debian/patches/CVE-2020-12762-2.patch --- json-c-0.12.1/debian/patches/CVE-2020-12762-2.patch 2020-05-11 19:29:02.000000000 +0000 +++ json-c-0.12.1/debian/patches/CVE-2020-12762-2.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,32 +0,0 @@ -Backported of: - -From 77d935b7ae7871a1940cd827e850e6063044ec45 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann -Date: Mon, 4 May 2020 19:46:45 +0200 -Subject: [PATCH] Prevent division by zero in linkhash. - -If a linkhash with a size of zero is created, then modulo operations -are prone to division by zero operations. - -Purely protective measure against bad usage. -diff --git a/linkhash.c b/linkhash.c -index c766452..477def6 100644 ---- a/linkhash.c -+++ b/linkhash.c -@@ -10,6 +10,7 @@ - * - */ - -+#include - #include - #include - #include -@@ -431,6 +432,8 @@ struct lh_table* lh_table_new(int size, const char *name, - int i; - struct lh_table *t; - -+ /* Allocate space for elements to avoid divisions by zero. */ -+ assert(size > 0); - t = (struct lh_table*)calloc(1, sizeof(struct lh_table)); - if(!t) lh_abort("lh_table_new: calloc failed\n"); - t->count = 0; diff -Nru json-c-0.12.1/debian/patches/CVE-2020-12762-3.patch json-c-0.12.1/debian/patches/CVE-2020-12762-3.patch --- json-c-0.12.1/debian/patches/CVE-2020-12762-3.patch 2020-05-11 19:29:02.000000000 +0000 +++ json-c-0.12.1/debian/patches/CVE-2020-12762-3.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,86 +0,0 @@ -Backported of: - -From d07b91014986900a3a75f306d302e13e005e9d67 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann -Date: Mon, 4 May 2020 19:47:25 +0200 -Subject: [PATCH] Fix integer overflows. - -The data structures linkhash and printbuf are limited to 2 GB in size -due to a signed integer being used to track their current size. - -If too much data is added, then size variable can overflow, which is -an undefined behaviour in C programming language. - -Assuming that a signed int overflow just leads to a negative value, -like it happens on many sytems (Linux i686/amd64 with gcc), then -printbuf is vulnerable to an out of boundary write on 64 bit systems. -diff --git a/linkhash.c b/linkhash.c -index 477def6..1e38fd6 100644 ---- a/linkhash.c -+++ b/linkhash.c -@@ -498,7 +498,14 @@ int lh_table_insert(struct lh_table *t, void *k, const void *v) - unsigned long h, n; - - t->inserts++; -- if(t->count >= t->size * LH_LOAD_FACTOR) lh_table_resize(t, t->size * 2); -+ if (t->count >= t->size * LH_LOAD_FACTOR) { -+ /* Avoid signed integer overflow with large tables. */ -+ int new_size = INT_MAX / 2 < t->size ? t->size * 2 : INT_MAX; -+ if (t->size == INT_MAX) -+ return -1; -+ -+ lh_table_resize(t, new_size); -+ } - - h = t->hash_fn(k); - n = h % t->size; -diff --git a/printbuf.c b/printbuf.c -index 9d56522..2ef99f4 100644 ---- a/printbuf.c -+++ b/printbuf.c -@@ -15,6 +15,7 @@ - - #include "config.h" - -+#include - #include - #include - #include -@@ -63,7 +64,16 @@ static int printbuf_extend(struct printbuf *p, int min_size) - if (p->size >= min_size) - return 0; - -- new_size = json_max(p->size * 2, min_size + 8); -+ /* Prevent signed integer overflows with large buffers. */ -+ if (min_size > INT_MAX - 8) -+ return -1; -+ if (p->size > INT_MAX / 2) -+ new_size = min_size + 8; -+ else { -+ new_size = p->size * 2; -+ if (new_size < min_size + 8) -+ new_size = min_size + 8; -+ } - #ifdef PRINTBUF_DEBUG - MC_DEBUG("printbuf_memappend: realloc " - "bpos=%d min_size=%d old_size=%d new_size=%d\n", -@@ -78,6 +88,9 @@ static int printbuf_extend(struct printbuf *p, int min_size) - - int printbuf_memappend(struct printbuf *p, const char *buf, int size) - { -+ /* Prevent signed integer overflows with large buffers. */ -+ if (size > INT_MAX - p->bpos - 1) -+ return -1; - if (p->size <= p->bpos + size + 1) { - if (printbuf_extend(p, p->bpos + size + 1) < 0) - return -1; -@@ -94,6 +107,9 @@ int printbuf_memset(struct printbuf *pb, int offset, int charvalue, int len) - - if (offset == -1) - offset = pb->bpos; -+ /* Prevent signed integer overflows with large buffers. */ -+ if (len > INT_MAX - offset) -+ return -1; - size_needed = offset + len; - if (pb->size < size_needed) - { diff -Nru json-c-0.12.1/debian/patches/series json-c-0.12.1/debian/patches/series --- json-c-0.12.1/debian/patches/series 2020-05-11 19:29:02.000000000 +0000 +++ json-c-0.12.1/debian/patches/series 2018-01-07 14:38:46.000000000 +0000 @@ -1,5 +1,3 @@ 0001-Bump-SOVERSION-as-interfaces-has-been-removed-from-0.patch 0002-Workaround-the-unused-variables-in-tests.patch gcc-7.diff -CVE-2020-12762-2.patch -CVE-2020-12762-3.patch