Bug 30502 - python-ujson possible security issues fixed upstream in 5.3.0
Summary: python-ujson possible security issues fixed upstream in 5.3.0
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2022-06-02 01:35 CEST by David Walser
Modified: 2022-06-09 22:50 CEST (History)
6 users (show)

See Also:
Source RPM: python-ujson-5.2.0-1.mga8.src.rpm
Status comment:

ujson example (247 bytes, text/plain)
2022-06-04 20:40 CEST, Herman Viaene

Description David Walser 2022-06-02 01:35:42 CEST
Fedora has issued an advisory today (June 1):

It doesn't explicitly say what the security issues, but perhaps it's the segfaults:

Mageia 8 is also affected.
David Walser 2022-06-02 01:36:05 CEST

CC: (none) => yves.brungard_mageia
Whiteboard: (none) => MGA8TOO

Comment 1 papoteur 2022-06-02 12:47:48 CEST
Update available to 5.3.0



Assignee: python => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 2 Herman Viaene 2022-06-04 20:40:19 CEST
MGA8-64 Plasma on Lenvo B50 in Dutch
No installation issues.
Tried the commands from Len in bug30106 with results I don't know what to do with it:
$  python3 -c 'import ujson; ujson.dumps({"a": None, "b": "\x00" * 10920})' [...]
no feedback given
$ python3 -c 'import ujson; print(ujson.encode({"a": True}, indent=65539))' [...]
and a number of blank lines with on the last one:
                                                                                                                  "a": true
Googled for examples and found https://www.codespeedy.com/ujson-python/
I tried the first example (will upload the file) and got nowhere:
$ python3 ujson.py 
a type: <class 'dict'>
Traceback (most recent call last):
  File "ujson.py", line 1, in <module>
    import ujson
  File "/home/tester8/Documents/ujson.py", line 4, in <module>
AttributeError: partially initialized module 'ujson' has no attribute 'dumps' (most likely due to a circular import)

CC: (none) => herman.viaene

Comment 3 Herman Viaene 2022-06-04 20:40:56 CEST
Created attachment 13290 [details]
ujson example
Comment 4 Len Lawrence 2022-06-05 01:48:12 CEST
@Herman regarding comment 2:
The initial commands from the previous bug tested the issues raised in the CVEs for that bug so probably have little relevance to this bug.

Now, before updating version 5.2.0-1:
When the script you uploaded is dumped into an interactive python session the ujson module works as expected AFAICS.
$ python
Python 3.8.12 (default, Sep 12 2021, 19:57:22) 
[GCC 10.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ujson
>>> a = {"name":"Horseman", "age": "21", "city": "Mumbai"}
>>> print("a type:", type(a))
a type: <class 'dict'>
>>> b=ujson.dumps(a)
>>> b1=ujson.dumps(a, indent=4)
>>> print("b variable:", type(b))
b variable: <class 'str'>
>>> print(b)
>>> print(b1)
    "name": "Horseman",
    "age": "21",
    "city": "Mumbai"
>>> c = ujson.loads(b)
>>> print("c variable:", type(c))
c variable: <class 'dict'>
>>> print(c) 
{'name': 'Horseman', 'age': '21', 'city': 'Mumbai'}

After updating the package the  result looks the same.
$ ./test_ujson.py 
a type: <class 'dict'>
b variable: <class 'str'>
    "name": "Horseman",
    "age": "21",
    "city": "Mumbai"
c variable: <class 'dict'>
{'name': 'Horseman', 'age': '21', 'city': 'Mumbai'}

Cannot figure out why your test produced that error "AttributeError...."

CC: (none) => tarazed25

Comment 5 papoteur 2022-06-05 08:13:43 CEST
I registered the file test.py, then:
python3 test.py 
a type: <class 'dict'>
b variable: <class 'str'>
    "name": "Horseman",
    "age": "21",
    "city": "Mumbai"
c variable: <class 'dict'>
{'name': 'Horseman', 'age': '21', 'city': 'Mumbai'}
[yves@YZenbook python-black]$ rpm -q python3-ujson

The error occurs because of the name you gave: ujson.py
"Generally, the Python Circular Import problem occurs when you accidentally name your working file the same as the module name and those modules depend on each other. This way the python opens the same file which causes a circular loop and eventually throws an error."
Comment 6 Len Lawrence 2022-06-05 17:53:32 CEST
Of course; that was why I used test_ujson.  Paid little attention to the name of the uploaded file and used copy & paste from the attachment.

Looked for python buildstream online - it is somewhat intimidating.
"BuildStream provides traceability and reproducibility for integrators handling stacks of hundreds/thousands of components, as well as workspace features and shortcuts to minimise cycle-time for developers. Fast and predictable BuildStream can cache previous builds and track changes to source file content and build/config commands."

We actually do have it in Mageia 8.  There are 517 related packages installed here.  I guess we give it a miss.
Comment 7 Len Lawrence 2022-06-08 15:12:12 CEST
@Herman - hoping you have no objections to passing this on.

Whiteboard: (none) => MGA8-64-OK

Comment 8 Thomas Andrews 2022-06-09 21:21:41 CEST

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-06-09 21:28:20 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 9 Mageia Robot 2022-06-09 22:50:48 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.