| Summary: | python-ujson new security issue CVE-2021-45958 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, marja11, sysadmin-bugs, tarazed25, yvesbrungard |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | python-ujson-4.0.2-2.mga9.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser 2022-03-02 20:33:46 CET

Fedora has issued an advisory for this on March 26:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2DGMNYDS6YXY3YKK2GES4V5ZN5S4HX74/

The issue is fixed upstream in 5.1.0:
https://github.com/advisories/GHSA-fh56-85cw-5pq6

Status comment: (none) => Fixed upstream in 5.1.0

David Walser 2022-03-02 20:33:54 CET

Whiteboard: (none) => MGA8TOO

Marja Van Waes 2022-03-02 22:19:52 CET

Assignee: bugsquad => python

Update to 5.2.0 by papoteur submitted for Mageia 8 and Cauldron.

Mageia 8 RPM:
python3-ujson-5.2.0-1.mga8 from python-ujson-5.2.0-1.mga8.src.rpm

CC: (none) => yves.brungard_mageia

The CVE reports segfault when using commands like:
```
python3 -c 'import ujson; ujson.dumps({"a": None, "b": "\x00" * 10920})'
python3 -c 'import ujson; print(ujson.encode({"a": True}, indent=65539))'
python3 -c 'import ujson; ujson.dumps(["aaaa", "\x00" * 10921])'
```
However, I don't reproduce any of them.
I think it should be enough to check that these commands are still OK.
For information, this module is used in:
buildstream
python3-autobahn
python3-jsonrpc-server
python3-language-server
and python3-autobahn in buildbot-master
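A scripted form of the check proposed above, added here as an example (not code from the bug or the Mageia package): it runs the report's three PoC command bodies in child interpreters and treats death-by-signal, rather than a Python exception, as the failure signature. It assumes a POSIX host, where subprocess reports a signal death as a negative return code.

```python
"""Regression check for CVE-2021-45958: run the report's PoC commands in
child interpreters and say whether each one crashed, raised or succeeded."""
import signal
import subprocess
import sys

# The three PoC command bodies quoted in the bug report.
POC_COMMANDS = [
    'import ujson; ujson.dumps({"a": None, "b": "\\x00" * 10920})',
    'import ujson; print(ujson.encode({"a": True}, indent=65539))',
    'import ujson; ujson.dumps(["aaaa", "\\x00" * 10921])',
]


def classify(returncode: int, stderr: str) -> str:
    """Turn a child interpreter's exit status into a verdict string.

    A stack overflow inside the C extension kills the process with SIGSEGV,
    which subprocess reports as a negative return code (assumed POSIX);
    a fixed build either exits cleanly or raises a Python exception.
    """
    if returncode < 0:
        return "crash:" + signal.Signals(-returncode).name
    if returncode != 0:
        lines = [ln for ln in stderr.splitlines() if ln.strip()]
        exc = lines[-1].split(":", 1)[0] if lines else "unknown"
        return "exception:" + exc          # e.g. exception:AttributeError
    return "ok"


def run_poc(code: str, timeout: float = 60.0) -> str:
    """Execute `code` via `python3 -c` in a fresh interpreter and classify it."""
    proc = subprocess.run([sys.executable, "-c", code],
                          capture_output=True, text=True, timeout=timeout)
    return classify(proc.returncode, proc.stderr)


def check_all(commands=POC_COMMANDS):
    """Run every PoC; the package counts as fixed only if none of them crashes."""
    results = {cmd: run_poc(cmd) for cmd in commands}
    return results, not any(v.startswith("crash:") for v in results.values())


if __name__ == "__main__":
    results, fixed = check_all()
    for cmd, verdict in results.items():
        print(f"{verdict:26} {cmd}")
    print("no crash: fixed" if fixed else "SEGFAULT: still vulnerable")
    sys.exit(0 if fixed else 1)
```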
Advisory:
==================

CVE-2021-45958

UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for example, use a large amount of indentation.
==================

Mageia8, x86_64

Installed the core version, 3....
All three test commands generate segfaults with terminal output similar to the following; there is a lot of it.
```
$ python3 -c 'import ujson; ujson.dumps(["aaaa", "\x00" * 10921])'
200
b'<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en-GB"><head><meta content="text/html; charset=UTF-8".......
0,0.08)\\x22,\\x22sbpl\\x22:16,\\x22sbpr\\x22:16,\\x22scd\\x22:10,\\x22stok\\x22:\\x22nXuL3UnbhGT18Y6w1O8RnK7_jtE\\x22,\\x22uhde\\x22:false}}\';google.pmc=JSON.parse(pmc);})();</script> </body></html>'
Segmentation fault (core dumped)
```
Updated to the testing version and ran the PoC commands again:
```
$ python3 -c 'import ujson; ujson.dumps({"a": None, "b": "\x00" * 10920})'
[...]
  File "<string>", line 1, in <module>
AttributeError: module 'decimal' has no attribute 'Decimal'
$ python3 -c 'import ujson; print(ujson.encode({"a": True}, indent=65539))'
[...]
  File "<string>", line 1, in <module>
AttributeError: module 'decimal' has no attribute 'Decimal'
$ python3 -c 'import ujson; ujson.dumps(["aaaa", "\x00" * 10921])'
  File "<string>", line 1, in <module>
AttributeError: module 'decimal' has no attribute 'Decimal'
```
So the update traps the exploits cleanly.
Installed buildstream.
From /usr/share/doc/buildstream/README.rst:
BuildStream is a Free Software tool for building/integrating software stacks.
....
How does BuildStream work?
==========================
BuildStream operates on a set of YAML files (.bst files), as follows:
That's enough of that. Out of my/our league.
Clean installation and the PoC show that the vulnerabilities are handled fine.

CC: (none) => tarazed25

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Dave Hodgins 2022-05-11 23:22:02 CEST

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0169.html

Status: NEW => RESOLVED