On Mon, Feb 07, 2022 at 08:48:13PM +0100, Salvatore Bonaccorso wrote: > Source: ujson > Version: 5.1.0-1 > Severity: important > Tags: security upstream > Forwarded: https://github.com/ultrajson/ultrajson/issues/502 > https://github.com/ultrajson/ultrajson/issues/501 > X-Debbugs-Cc: car...@debian.org, Debian Security Team > <t...@security.debian.org> > Control: found -1 4.0.2-1 > Control: found -1 1.35-3 > > Hi, > > The following vulnerability was published for ujson. > > CVE-2021-45958[0]: > | ** <A HREF="https://cve.mitre.org/about/faqs.html#disputed_signify_in_ > | cve_entry">DISPUTED</A> ** UltraJSON (aka ujson) 4.0.2 through 5.0.0 > | has a stack-based buffer overflow in Buffer_AppendIndentUnchecked > | (called from encode). NOTE: multiple third parties dispute whether > | this is a confirmed finding, because the event that caused the > | Reproducer Testcase to stop indicating a buffer overflow was a change > | to the AFLplusplus project (5525f8c9ef8bb879dadd0eb942d524827d1b0362), > | not a change to the UltraJSON project.
Just some context: The CVE was initially disputed since it was not quite clear if this is a flaw in ujson and later just not triggered anymore or if an issue in the AFL++ fuzzer. Upstream issues 501 and 502 though give more details and as well information on how to reproduce. Regards, Salvatore
