Bug 31332

Summary: python-ujson new security issue fixed upstream in 5.6.0
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs, yvesbrungard
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-ujson-5.4.0-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-12-27 17:13:09 CET 
Fedora has issued an advisory on December 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MJ66UZLJXIEOD5Q74IZKQQRWAPPFG6T7/

Mageia 8 is also affected.
Comment 1 David Walser 2022-12-27 17:15:04 CET 
python-ujson-5.6.0-1.mga9 building for Cauldron.

Version: Cauldron => 8
Source RPM: python-ujson-5.5.0-1.mga9.src.rpm => python-ujson-5.4.0-1.mga8.src.rpm

Comment 2 Lewis Smith 2022-12-27 20:31:44 CET 
It is done, and thank you for doing it.
Can the bug be closed fixed?

The best I can find for the error is in the Github link:
 https://github.com/ultrajson/ultrajson/pull/570
in the Fedora link above.
"Ultrajson doesn't build on webassembly (e.g. pyodide) because the version of double-conversion used is too old. This updates it to a newer version which supports webassembly."

CC: (none) => lewyssmith

Comment 3 David Walser 2022-12-27 21:01:24 CET 
Only Cauldron is fixed, not Mageia 8.
Comment 4 Lewis Smith 2022-12-27 21:45:41 CET 
Sorry...

As this is a straight version upgrade, assigning to papoteur as you did previous version updates for 'python-ujson'.

CC: lewyssmith => (none)
Assignee: bugsquad => yves.brungard_mageia

Comment 5 papoteur 2022-12-27 23:38:41 CET 
advisory
=========
Update to 5.6.0. Updating double-conversion bundled
(https://github.com/ultrajson/ultrajson/pull/570).
=============

Build python3-ujson-5.6.0-1.mga8
From python-ujson-5.6.0-1.mga8.src.rpm

Assignee: yves.brungard_mageia => qa-bugs

David Walser 2022-12-28 00:05:59 CET

CC: (none) => yves.brungard_mageia

Comment 6 papoteur 2022-12-28 09:35:54 CET 
Hi David,
I see in Fedora report:
>Update to 5.6.0 (close RHBZ#2149975). Fixes len integer overflow issue
But I did find any other reference about this overflow issue, neither in python-ujson pull request, nor in double-conversion release.
Comment 7 Herman Viaene 2022-12-28 15:58:48 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 30502 and bug 30663 for test
$ python3 testujson.py
a type: <class 'dict'>
b variable: <class 'str'>
{"name":"Horseman","age":"21","city":"Mumbai"}
{
    "name": "Horseman",
    "age": "21",
    "city": "Mumbai"
}
c variable: <class 'dict'>
{'name': 'Horseman', 'age': '21', 'city': 'Mumbai'}
Seems OK to me.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 8 Thomas Andrews 2022-12-28 17:48:54 CET 
Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-12-30 21:58:39 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 9 Mageia Robot 2022-12-30 23:40:50 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0487.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED