
Bug 830373 (CVE-2021-45958)

Summary: dev-python/ujson: stack-based buffer overflow
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED ---
Severity: minor
CC: mgorny, python, swegener
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/google/oss-fuzz/issues/7677
Whiteboard: B3 [upstream]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-01 02:18:04 UTC
CVE-2021-45958 (https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ujson/OSV-2021-955.yaml):

UltraJSON (aka ujson) 4.0.2 through 5.0.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode).

Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-01 04:35:47 UTC
Note that I can't seem to find an upstream reference to this.

The linked YAML file from Google says:
>    - introduced: a920bfa9d85bcd78836b866d1be80c1e3dcca1da
>    - fixed: 5525f8c9ef8bb879dadd0eb942d524827d1b0362
... but I don't see that fixed commit anywhere.

Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-05-06 11:29:11 UTC
FWICS all the new versions of ujson have been added to that YAML, so probably it wasn't ever fixed.  Looking at the link found at the issue tracker:

https://github.com/ultrajson/ultrajson/compare/e3ccc5a1ff945275106d9323c00683fafeffc04a...682c6601569980e9a8a05378d3c1478db30384bc

I'm guessing that the problem has been swept under the rug by stripping executables.