Debian-LTS has issued an advisory on March 1: https://www.debian.org/lts/security/2022/dla-2929 Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Assignee: bugsquad => python
CC: (none) => marja11
Fedora has issued an advisory for this on March 26: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2DGMNYDS6YXY3YKK2GES4V5ZN5S4HX74/ The issue is fixed upstream in 5.1.0: https://github.com/advisories/GHSA-fh56-85cw-5pq6
Status comment: (none) => Fixed upstream in 5.1.0
Update to 5.2.0 by papoteur submitted for Mageia 8 and Cauldron. Mageia 8 RPM: python3-ujson-5.2.0-1.mga8 from python-ujson-5.2.0-1.mga8.src.rpm
CC: (none) => yves.brungard_mageia
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: python => qa-bugs
Status comment: Fixed upstream in 5.1.0 => (none)
The CVE reports a segfault when using commands like:
python3 -c 'import ujson; ujson.dumps({"a": None, "b": "\x00" * 10920})'
python3 -c 'import ujson; print(ujson.encode({"a": True}, indent=65539))'
python3 -c 'import ujson; ujson.dumps(["aaaa", "\x00" * 10921])'
However, I don't reproduce any of them.
I think it should be enough to check that these commands are still OK.
For information, this module is used in:
buildstream
python3-autobahn
python3-jsonrpc-server
python3-language-server
and python3-autobahn in buildbot-master
Advisory:
==================
CVE-2021-45958
UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for example, use a large amount of indentation.
==================
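As an added example (not part of any comment in this bug, and not Mageia's own QA tooling): a small Python harness that runs the three reproducer snippets quoted above in a child interpreter and tells a clean Python exception apart from a signal-killed crash, which is the distinction a QA tester wants to confirm after updating python3-ujson. It assumes only the standard library plus an installed ujson (it reports and exits if ujson is missing); the function names are my own.

```python
"""Added example for this bug, not from the thread: classify how an
interpreter running a CVE-2021-45958 reproducer terminates.

A 'crash' (killed by SIGSEGV or similar) means the stack overflow in the
indent/NUL-padding path is still reachable; an 'exception' or 'ok' means
the encoder refused or handled the input without corrupting memory.
"""
import signal
import subprocess
import sys

# The three reproducer snippets quoted earlier in this bug, written so the
# child interpreter receives "\x00" literally (as it does from the shell).
POC_SNIPPETS = [
    'import ujson; ujson.dumps({"a": None, "b": "\\x00" * 10920})',
    'import ujson; print(ujson.encode({"a": True}, indent=65539))',
    'import ujson; ujson.dumps(["aaaa", "\\x00" * 10921])',
]


def classify_snippet(snippet, timeout=30):
    """Run `snippet` with `python -c` in a child process.

    Returns (status, detail) where status is one of:
      "ok"        exit code 0 (the encoder finished normally)
      "exception" non-zero exit with a traceback (a clean Python error)
      "crash"     killed by a signal, e.g. SIGSEGV for the overflow
    """
    proc = subprocess.run(
        [sys.executable, "-c", snippet],
        capture_output=True, text=True, timeout=timeout,
    )
    rc = proc.returncode
    if rc == 0:
        return "ok", ""
    if rc < 0:
        # subprocess reports death-by-signal as a negative return code.
        try:
            name = signal.Signals(-rc).name
        except ValueError:
            name = f"signal {-rc}"
        return "crash", name
    err = proc.stderr.strip()
    last_line = err.splitlines()[-1] if err else f"exit {rc}"
    return "exception", last_line


def ujson_version():
    """Return the installed ujson version string, or None if not installed."""
    try:
        import ujson
    except ImportError:
        return None
    return getattr(ujson, "__version__", "unknown")


def run_checks(snippets=POC_SNIPPETS):
    """Classify every snippet; returns {snippet: (status, detail)}."""
    return {s: classify_snippet(s) for s in snippets}


def is_safe(results):
    """True when no snippet crashed the interpreter.

    An 'exception' is acceptable for this QA check (the encoder rejected the
    input); a 'crash' means the buffer overflow is still reachable.
    """
    return all(status != "crash" for status, _ in results.values())


if __name__ == "__main__":
    version = ujson_version()
    if version is None:
        print("ujson is not installed; nothing to check")
        sys.exit(0)
    print(f"ujson {version}")
    results = run_checks()
    for snippet, (status, detail) in results.items():
        print(f"{status:9s} {detail:12s} {snippet}")
    sys.exit(0 if is_safe(results) else 1)
```

Run it as `python3 poc_check.py` on the machine under test; a non-zero exit means at least one reproducer still kills the interpreter with a signal, while tracebacks (as in the report that follows) count as the encoder refusing the input rather than as the overflow.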
Mageia8, x86_64
Installed the core version, 3....
All three test commands generate segfaults with terminal output similar to the following; there is a lot of it.
$ python3 -c 'import ujson; ujson.dumps(["aaaa", "\x00" * 10921])'
200 b'<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en-GB"><head><meta content="text/html; charset=UTF-8"....... 0,0.08)\\x22,\\x22sbpl\\x22:16,\\x22sbpr\\x22:16,\\x22scd\\x22:10,\\x22stok\\x22:\\x22nXuL3UnbhGT18Y6w1O8RnK7_jtE\\x22,\\x22uhde\\x22:false}}\';google.pmc=JSON.parse(pmc);})();</script> </body></html>'
Segmentation fault (core dumped)

Updated to the testing version and ran the PoC commands again:
$ python3 -c 'import ujson; ujson.dumps({"a": None, "b": "\x00" * 10920})'
[...]
  File "<string>", line 1, in <module>
AttributeError: module 'decimal' has no attribute 'Decimal'
$ python3 -c 'import ujson; print(ujson.encode({"a": True}, indent=65539))'
[...]
  File "<string>", line 1, in <module>
AttributeError: module 'decimal' has no attribute 'Decimal'
$ python3 -c 'import ujson; ujson.dumps(["aaaa", "\x00" * 10921])'
  File "<string>", line 1, in <module>
AttributeError: module 'decimal' has no attribute 'Decimal'
So the update traps the exploits cleanly.

Installed buildstream. From /usr/share/doc/buildstream/README.rst :
BuildStream is a Free Software tool for building/integrating software stacks.
....
How does BuildStream work?
==========================
BuildStream operates on a set of YAML files (.bst files), as follows:
That's enough of that. Out of my/our league.

Clean installation and the PoC show that the vulnerabilities are handled fine.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0169.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED