Bug 830373 (CVE-2021-45958) - dev-python/ujson: stack-based buffer overflow
Summary: dev-python/ujson: stack-based buffer overflow
Status: CONFIRMED
Alias: CVE-2021-45958
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [upstream]
Reported: 2022-01-01 02:18 UTC by Sam James
Modified: 2022-05-10 15:57 UTC
Description Sam James 2022-01-01 02:18:04 UTC
CVE-2021-45958 (https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ujson/OSV-2021-955.yaml):

UltraJSON (aka ujson) 4.0.2 through 5.0.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode).
Comment 1 Sam James 2022-01-01 04:35:47 UTC
Note that I can't seem to find an upstream reference to this.

The linked YAML file from Google says:
>    - introduced: a920bfa9d85bcd78836b866d1be80c1e3dcca1da
>    - fixed: 5525f8c9ef8bb879dadd0eb942d524827d1b0362
... but I don't see that fixed commit anywhere.
Comment 2 Michał Górny 2022-05-06 11:29:11 UTC
FWICS all the new versions of ujson have been added to that YAML, so probably it wasn't ever fixed.  Looking at the link found at the issue tracker:

https://github.com/ultrajson/ultrajson/compare/e3ccc5a1ff945275106d9323c00683fafeffc04a...682c6601569980e9a8a05378d3c1478db30384bc

I'm guessing that the problem has been swept under the rug by stripping executables.