libjson-c: backport security fixes #3019

Closed

robimarko
Contributor

This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patched in this upstream PR: json-c/json-c#592

It currently breaks LuCI in the sense that the Session expired popup will constantly pop up and you can't log in because of it.

There are no errors in logread about it, but since I don't know anything about LuCI, can somebody look at it?

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.h>

@jow-
Contributor

jow- commented May 12, 2020

It seems your backported patches lack at least upstream commit json-c/json-c@519dfe1, which means adding more than 11 objects to a JSON structure fails; that likely explains the LuCI problem and will probably cause other subtle issues elsewhere in the system.

Is there any reason why we cannot await a proper upstream release?

@robimarko
Contributor Author

Well, this vulnerability allows for writes outside of allocated memory so we wanted to patch that ASAP.
I will take a look at the commit history to see what's missing after these commits.

Well, upstream is really slow with making new releases.
They recently did a 0.14 release, but it needs some work as they switched to CMake only.

@jow-
Contributor

jow- commented May 12, 2020

Is there a CVE reference yet?

@lperkov
Member

lperkov commented May 12, 2020

@jow-
Contributor

jow- commented May 12, 2020

Thanks @lperkov. @robimarko - can you add a CVE reference to your commit message? Something like Addresses CVE-2020-12762 or CVE-ID: CVE-2020-12762

This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patches in this upstream PR: json-c/json-c#592

Addresses CVE-2020-12762

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.h>
@robimarko
Contributor Author

@jow- I have added the CVE reference in the commit message.
Also, backporting the commit linked by you has fixed LuCI.
I took a look at the json-c history and it's the only bugfix needed.

I will take a look at updating to 0.14 soon.

@jow-
Contributor

jow- commented May 13, 2020

Pulled into my staging tree at https://git.openwrt.org/openwrt/staging/jow.git

@jow- jow- closed this May 13, 2020