Fedora has issued an advisory today (June 1):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/R3GHJVC47JEGKA6UDB2UE57K2NMY57RH/

It doesn't explicitly say what the security issues are, but perhaps it's the segfaults:
https://github.com/ultrajson/ultrajson/releases/tag/5.3.0

Mageia 8 is also affected.
CC: (none) => yves.brungard_mageia
Whiteboard: (none) => MGA8TOO

Update available to 5.3.0
python3-ujson-5.3.0-1.mga8
Source: python-ujson-5.3.0-1.mga8.src.rpm

Assignee: python => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Tried the commands from Len in bug30106 with results I don't know what to do with it:

$ python3 -c 'import ujson; ujson.dumps({"a": None, "b": "\x00" * 10920})'
[...]
no feedback given
$ python3 -c 'import ujson; print(ujson.encode({"a": True}, indent=65539))'
[...]
{
and a number of blank lines with on the last one:
"a": true }

Googled for examples and found https://www.codespeedy.com/ujson-python/
I tried the first example (will upload the file) and got nowhere:

$ python3 ujson.py
a type: <class 'dict'>
Traceback (most recent call last):
  File "ujson.py", line 1, in <module>
    import ujson
  File "/home/tester8/Documents/ujson.py", line 4, in <module>
    b=ujson.dumps(a)
AttributeError: partially initialized module 'ujson' has no attribute 'dumps' (most likely due to a circular import)
CC: (none) => herman.viaene
Created attachment 13290
ujson example
@Herman regarding comment 2:
The initial commands from the previous bug tested the issues raised in the CVEs for that bug so probably have little relevance to this bug.

Now, before updating version 5.2.0-1:
When the script you uploaded is dumped into an interactive python session the ujson module works as expected AFAICS.

$ python
Python 3.8.12 (default, Sep 12 2021, 19:57:22)
[GCC 10.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ujson
>>> a = {"name":"Horseman", "age": "21", "city": "Mumbai"}
>>> print("a type:", type(a))
a type: <class 'dict'>
>>> b=ujson.dumps(a)
>>> b1=ujson.dumps(a, indent=4)
>>> print("b variable:", type(b))
b variable: <class 'str'>
>>> print(b)
{"name":"Horseman","age":"21","city":"Mumbai"}
>>> print(b1)
{
    "name": "Horseman",
    "age": "21",
    "city": "Mumbai"
}
>>> c = ujson.loads(b)
>>> print("c variable:", type(c))
c variable: <class 'dict'>
>>> print(c)
{'name': 'Horseman', 'age': '21', 'city': 'Mumbai'}

After updating the package the result looks the same.

$ ./test_ujson.py
a type: <class 'dict'>
b variable: <class 'str'>
{"name":"Horseman","age":"21","city":"Mumbai"}
{
    "name": "Horseman",
    "age": "21",
    "city": "Mumbai"
}
c variable: <class 'dict'>
{'name': 'Horseman', 'age': '21', 'city': 'Mumbai'}

Cannot figure out why your test produced that error "AttributeError...."
CC: (none) => tarazed25
Hello,
I registered the file test.py, then:

python3 test.py
a type: <class 'dict'>
b variable: <class 'str'>
{"name":"Horseman","age":"21","city":"Mumbai"}
{
    "name": "Horseman",
    "age": "21",
    "city": "Mumbai"
}
c variable: <class 'dict'>
{'name': 'Horseman', 'age': '21', 'city': 'Mumbai'}
[yves@YZenbook python-black]$ rpm -q python3-ujson
python3-ujson-5.3.0-1.mga8

The error occurs because of the name you gave: ujson.py

"Generally, the Python Circular Import problem occurs when you accidentally name your working file the same as the module name and those modules depend on each other. This way the python opens the same file which causes a circular loop and eventually throws an error."
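The name collision described in the comment above can be caught before a test script is run. The following is an added example, not code from this bug report or from ujson; `shadowed_imports` and `demo` are hypothetical names, and the standard-library `json` module stands in for `ujson` so the check runs without the package installed.

```python
import ast
import sys
import tempfile
from importlib.machinery import PathFinder
from pathlib import Path

# Constructed script modelled on the thread's attachment; stdlib json stands
# in for ujson (assumption) so the check works on any Python installation.
SAMPLE = 'import json\na = {"name": "Horseman"}\nprint(json.dumps(a))\n'


def shadowed_imports(script):
    """Return (module, local_file, real_origin) for each import in `script`
    that a same-named .py file beside the script would capture."""
    script = Path(script).resolve()
    names = set()
    for node in ast.walk(ast.parse(script.read_text())):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    # Python puts the script's directory first on sys.path; search the rest
    # to see whether a real module of the same name exists elsewhere.
    elsewhere = [p for p in sys.path if Path(p).resolve() != script.parent]
    hits = []
    for name in sorted(names):
        local = script.parent / f"{name}.py"
        if not local.is_file():
            continue
        spec = PathFinder.find_spec(name, elsewhere)
        if spec is not None:
            hits.append((name, str(local), spec.origin))
    return hits


def demo():
    """Save the same script under a colliding and a safe name, check both."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp, "bad", "json.py")
        good = Path(tmp, "good", "test_json.py")
        for path in (bad, good):
            path.parent.mkdir()
            path.write_text(SAMPLE)
        return shadowed_imports(bad), shadowed_imports(good)


if __name__ == "__main__":
    for label, hits in zip(("json.py", "test_json.py"), demo()):
        print(label, "->", hits or "no shadowing")
```

The same check flags any `.py` file in the script's directory that matches an imported module, not only the script itself.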
Of course; that was why I used test_ujson. Paid little attention to the name of the uploaded file and used copy & paste from the attachment.

@Herman: Looked for python buildstream online - it is somewhat intimidating.

"BuildStream provides traceability and reproducibility for integrators handling stacks of hundreds/thousands of components, as well as workspace features and shortcuts to minimise cycle-time for developers.
Fast and predictable
BuildStream can cache previous builds and track changes to source file content and build/config commands."

We actually do have it in Mageia 8. There are 517 related packages installed here. I guess we give it a miss.
@Herman - hoping you have no objections to passing this on.
Whiteboard: (none) => MGA8-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0222.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED