Date: Wed, 10 Jun 2015 17:12:09 -0400
From: Giancarlo Canales <gcanalesb@...com>
To: oss-security@...ts.openwall.com
Subject: CVE ID Request: Buffer overflow in ArduinoJson when parsing crafted
 JSON strings

I recently discovered a buffer overflow weakness in the open source ArduinoJson library.
Several IoT projects are using this library, and a CVE number would help ensure traceability of the issue abroad.

This issue has already been made public, and a fix has been released by the project maintainer.

Title: Buffer overflow in ArduinoJson when parsing crafted JSON strings
Products: ArduinoJson
Affects: All versions prior to v4.5
Type: Buffer overflow
First CVE ID Request: Yes

Link to vulnerable source code or fix:
https://github.com/bblanchon/ArduinoJson/commit/5e7b9ec688d79e7b16ec7064e1d37e8481a31e72

Link to source code change log:
https://github.com/bblanchon/ArduinoJson/blob/master/CHANGELOG.md

Link to bug entry:
https://github.com/bblanchon/ArduinoJson/pull/81

Thanks in advance,


Giancarlo Canales Barreto
