oss-sec mailing list archives

CVE ID Request: Buffer overflow in ArduinoJson when parsing crafted JSON strings


From: Giancarlo Canales <gcanalesb () me com>
Date: Wed, 10 Jun 2015 17:12:09 -0400

I recently discovered a buffer overflow weakness in the open source ArduinoJson library.
Several IoT projects are using this library, and a CVE number would help ensure traceability of the issue abroad.

This issue has already been made public, and a fix has been released by the project maintainer.

Title: Buffer overflow in ArduinoJson when parsing crafted JSON strings
Products: ArduinoJson
Affects: All versions prior to v4.5
Type: Buffer overflow
First CVE ID Request: Yes

Link to vulnerable source code or fix:
https://github.com/bblanchon/ArduinoJson/commit/5e7b9ec688d79e7b16ec7064e1d37e8481a31e72

Link to source code change log:
https://github.com/bblanchon/ArduinoJson/blob/master/CHANGELOG.md

Link to bug entry:
https://github.com/bblanchon/ArduinoJson/pull/81

Thanks in advance,


Giancarlo Canales Barreto

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
