Bug 760687 (CVE-2020-22083) - dev-python/jsonpickle: insecure deserialization (CVE-2020-22083)
Summary: dev-python/jsonpickle: insecure deserialization (CVE-2020-22083)
Status: RESOLVED INVALID
Alias: CVE-2020-22083
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://github.com/jsonpickle/jsonpic...
Whiteboard: B1 [upstream]
Keywords:
Depends on:
Blocks:
Reported: 2020-12-19 02:54 UTC by John Helmert III
Modified: 2020-12-19 11:24 UTC

See Also:
Package list:
Runtime testing required: ---
Description John Helmert III gentoo-dev Security 2020-12-19 02:54:56 UTC
CVE-2020-22083 (https://github.com/jsonpickle/jsonpickle/issues/332):

jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function.

Contrary to the CVE description I've tested 1.4.2 and it's vulnerable too. Unfortunately upstream doesn't think this is an issue and just suggests only deserializing trusted data.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-12-19 08:43:41 UTC
So what am I supposed to do about it?
Comment 2 John Helmert III gentoo-dev Security 2020-12-19 08:52:02 UTC
(In reply to Michał Górny from comment #1)
> So what am I supposed to do about it?

Nothing for you to do that I can see
Comment 3 Sam James archtester gentoo-dev Security 2020-12-19 11:24:51 UTC
In general, there’s nothing we can do for “untrusted pickling”. You shouldn’t do it and it’s documented everywhere, including on jsonpickle’s front page. It shouldn’t have received a CVE unless there’s folks actually doing it - which would be a bug in the consumers.
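The advice in the report and in comment 3 is to keep untrusted input away from jsonpickle.decode(). The following added example (not from the bug report or from the jsonpickle project) shows one way a consumer can enforce that: parse untrusted JSON with the standard library, which never instantiates objects, and refuse any document that carries jsonpickle's reconstruction tags. It assumes only that jsonpickle marks objects to be rebuilt with keys beginning with "py/" (e.g. "py/object", "py/reduce", "py/type"); the sample inputs are constructed.

```python
import json
from typing import Any

# jsonpickle marks every value it must reconstruct with a key that starts
# with this prefix (e.g. "py/object", "py/reduce", "py/type"). Assumption:
# matching on the prefix, not on an exhaustive list of tag names.
JSONPICKLE_TAG_PREFIX = "py/"


def find_pickle_tags(node: Any, path: str = "$") -> list[str]:
    """Walk a parsed JSON tree and return a JSONPath-like location for every
    jsonpickle tag key found. An empty list means plain data only."""
    hits: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(key, str) and key.startswith(JSONPICKLE_TAG_PREFIX):
                hits.append(f"{path}.{key}")
            hits.extend(find_pickle_tags(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_pickle_tags(item, f"{path}[{i}]"))
    return hits


def load_untrusted(raw: str) -> Any:
    """Parse untrusted JSON with the stdlib (no object instantiation) and
    reject anything carrying jsonpickle tags. Only data that passes this
    gate is a candidate for jsonpickle.decode(), and only if the caller
    really needs object restoration at all."""
    data = json.loads(raw)
    tags = find_pickle_tags(data)
    if tags:
        raise ValueError(f"rejected jsonpickle tags in untrusted input: {tags}")
    return data


# Constructed sample inputs (not taken from the bug report).
BENIGN = '{"user": "alice", "roles": ["reader"], "quota": 10}'
TAGGED = ('{"user": "alice", "session": '
          '{"py/object": "example.Session", "py/state": {"id": 7}}}')

if __name__ == "__main__":
    print(load_untrusted(BENIGN))
    try:
        load_untrusted(TAGGED)
    except ValueError as exc:
        print(exc)
```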