CVE-2020-12762

Publication date 9 May 2020

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
json-c	20.04 LTS focal	Fixed 0.13.1+dfsg-7ubuntu0.3
	19.10 eoan	Fixed 0.13.1+dfsg-4ubuntu0.3
	18.04 LTS bionic	Fixed 0.12.1-1.3ubuntu0.3
	16.04 LTS xenial	Fixed 0.11-4ubuntu2.6
	14.04 LTS trusty	Fixed 0.11-3ubuntu1.2+esm3

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Notes

mdeslaur

USN-4360-1 introduced a regression and the problematic fix was backed out in USN-4360-2 and USN-4360-3 pending further investigation.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
json-c	Upstream: https://github.com/json-c/json-c/pull/592/commits/099016b7e8d70a6d5dd814e788bba08d33d48426 Upstream: https://github.com/json-c/json-c/pull/592/commits/77d935b7ae7871a1940cd827e850e6063044ec45 Upstream: https://github.com/json-c/json-c/pull/592/commits/d07b91014986900a3a75f306d302e13e005e9d67 Upstream: 7a4807f

Severity score breakdown

Parameter	Value
Base score	7.8 · High
Attack vector	Local
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H