Bug 31332 - python-ujson new security issue fixed upstream in 5.6.0
Summary: python-ujson new security issue fixed upstream in 5.6.0
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-12-27 17:13 CET by David Walser
Modified: 2022-12-30 23:40 CET
CC List: 5 users

See Also:
Source RPM: python-ujson-5.4.0-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2022-12-27 17:13:09 CET
Fedora has issued an advisory on December 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MJ66UZLJXIEOD5Q74IZKQQRWAPPFG6T7/

Mageia 8 is also affected.
Comment 1 David Walser 2022-12-27 17:15:04 CET
python-ujson-5.6.0-1.mga9 building for Cauldron.

Version: Cauldron => 8
Source RPM: python-ujson-5.5.0-1.mga9.src.rpm => python-ujson-5.4.0-1.mga8.src.rpm

Comment 2 Lewis Smith 2022-12-27 20:31:44 CET
It is done, and thank you for doing it.
Can the bug be closed fixed?

The best I can find for the error is in the Github link:
 https://github.com/ultrajson/ultrajson/pull/570
in the Fedora link above.
"Ultrajson doesn't build on webassembly (e.g. pyodide) because the version of double-conversion used is too old. This updates it to a newer version which supports webassembly."

CC: (none) => lewyssmith

Comment 3 David Walser 2022-12-27 21:01:24 CET
Only Cauldron is fixed, not Mageia 8.
Comment 4 Lewis Smith 2022-12-27 21:45:41 CET
Sorry...

As this is a straight version upgrade, assigning to papoteur as you did previous version updates for 'python-ujson'.

CC: lewyssmith => (none)
Assignee: bugsquad => yves.brungard_mageia

Comment 5 papoteur 2022-12-27 23:38:41 CET
advisory
=========
Update to 5.6.0. Updating double-conversion bundled
(https://github.com/ultrajson/ultrajson/pull/570).
=============

Build python3-ujson-5.6.0-1.mga8
From python-ujson-5.6.0-1.mga8.src.rpm

Assignee: yves.brungard_mageia => qa-bugs

David Walser 2022-12-28 00:05:59 CET

CC: (none) => yves.brungard_mageia

Comment 6 papoteur 2022-12-28 09:35:54 CET
Hi David,
I see in the Fedora report:
>Update to 5.6.0 (close RHBZ#2149975). Fixes len integer overflow issue
But I did not find any other reference to this overflow issue, neither in the python-ujson pull request nor in the double-conversion release.
Comment 7 Herman Viaene 2022-12-28 15:58:48 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 30502 and bug 30663 for test
$ python3 testujson.py
a type: <class 'dict'>
b variable: <class 'str'>
{"name":"Horseman","age":"21","city":"Mumbai"}
{
    "name": "Horseman",
    "age": "21",
    "city": "Mumbai"
}
c variable: <class 'dict'>
{'name': 'Horseman', 'age': '21', 'city': 'Mumbai'}
Seems OK to me.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
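The smoke test below is an added example for the QA step above; it is not the testujson.py referenced in Comment 7 and not code from the ujson project or from the Mageia packagers. It assumes `ujson` is importable (the python3-ujson package under test) and falls back to the standard-library `json` module so it still runs where the package is absent. It checks the installed version against the affected and fixed versions named in this bug (5.4.0 and 5.6.0), compares versions numerically rather than as strings, and round-trips a constructed record through compact and indented output, parsing the result with both ujson and the stdlib parser so interoperability is covered too.

```python
"""Smoke test for an updated python-ujson package (added example).

Not the testujson.py from Comment 7 and not ujson project code. Assumes
`ujson` is importable; otherwise the standard-library `json` module is
used so the checks still run.
"""
import json

try:
    import ujson as fast_json  # the package under test (python3-ujson)
except ImportError:  # assumption: fall back so the script runs anywhere
    fast_json = None

# Versions taken from this bug: 5.4.0 is the affected Mageia 8 build,
# 5.6.0 is the upstream release that carries the fix.
AFFECTED_VERSION = "5.4.0"
FIXED_VERSION = "5.6.0"

# Constructed sample record, mirroring the output shown in Comment 7.
SAMPLE = {"name": "Horseman", "age": "21", "city": "Mumbai"}


def parse_version(text):
    """Turn '5.6.0' into (5, 6, 0) so versions compare numerically.

    Only leading numeric components are used; a suffix such as
    '5.6.0rc1' is cut at the first non-digit character.
    """
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_fixed(version, minimum=FIXED_VERSION):
    """True when `version` is at or above the release carrying the fix.

    Numeric comparison matters: as strings, '5.10.0' < '5.6.0'.
    """
    return parse_version(version) >= parse_version(minimum)


def roundtrip(record, impl=None):
    """Serialise `record` compactly and with indent=4 using `impl`,
    then decode the compact form with `impl` and the indented form with
    the stdlib parser. Returns the two decoded objects; both must equal
    `record` for the package to be considered working.
    """
    impl = impl or fast_json or json
    compact = impl.dumps(record)
    pretty = impl.dumps(record, indent=4)
    return (impl.loads(compact), json.loads(pretty))


def run_smoke_test(record=SAMPLE):
    """Summarise which implementation ran, its version, whether that
    version is at or above the fixed release, and whether the
    round-trip preserved the record."""
    impl = fast_json or json
    version = getattr(impl, "__version__", None)
    decoded_self, decoded_std = roundtrip(record, impl)
    return {
        "implementation": impl.__name__,
        "version": version,
        "version_fixed": is_fixed(version) if version else None,
        "roundtrip_ok": decoded_self == record == decoded_std,
    }


if __name__ == "__main__":
    # On a Mageia 8 host with python3-ujson-5.6.0-1.mga8 installed this
    # reports implementation 'ujson' with version_fixed True.
    for key, value in run_smoke_test().items():
        print(f"{key}: {value}")
```

When the fallback to the stdlib `json` module is taken, the summary reports `implementation: json` and a version that is unrelated to ujson, so read the `implementation` field before trusting `version_fixed`.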

Comment 8 Thomas Andrews 2022-12-28 17:48:54 CET
Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-12-30 21:58:39 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 9 Mageia Robot 2022-12-30 23:40:50 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0487.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
