Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 830373 (CVE-2021-45958) - dev-python/ujson: stack-based buffer overflow
Summary: dev-python/ujson: stack-based buffer overflow
Alias: CVE-2021-45958
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [upstream]
Depends on:
Reported: 2022-01-01 02:18 UTC by Sam James
Modified: 2022-05-10 15:57 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-01 02:18:04 UTC
CVE-2021-45958 (

UltraJSON (aka ujson) 4.0.2 through 5.0.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode).
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-01 04:35:47 UTC
Note that I can't seem to find an upstream reference to this.

The linked YAML file from Google says:
>    - introduced: a920bfa9d85bcd78836b866d1be80c1e3dcca1da
>    - fixed: 5525f8c9ef8bb879dadd0eb942d524827d1b0362
... but I don't see that fixed commit anywhere.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-05-06 11:29:11 UTC
FWICS all the new versions of ujson have been added to that YAML, so probably it wasn't ever fixed.  Looking at the link found at the issue tracker:

I'm guessing that the problem has been swept under the rug by stripping executables.