Hi, On Mon, Feb 07, 2022 at 08:55:00PM +0100, Salvatore Bonaccorso wrote: > On Mon, Feb 07, 2022 at 08:48:13PM +0100, Salvatore Bonaccorso wrote: > > Source: ujson > > Version: 5.1.0-1 > > Severity: important > > Tags: security upstream > > Forwarded: https://github.com/ultrajson/ultrajson/issues/502 > > https://github.com/ultrajson/ultrajson/issues/501 > > X-Debbugs-Cc: car...@debian.org, Debian Security Team > > <t...@security.debian.org> > > Control: found -1 4.0.2-1 > > Control: found -1 1.35-3 > > > > Hi, > > > > The following vulnerability was published for ujson. > > > > CVE-2021-45958[0]: > > | ** <A HREF="https://cve.mitre.org/about/faqs.html#disputed_signify_in_ > > | cve_entry">DISPUTED</A> ** UltraJSON (aka ujson) 4.0.2 through 5.0.0 > > | has a stack-based buffer overflow in Buffer_AppendIndentUnchecked > > | (called from encode). NOTE: multiple third parties dispute whether > > | this is a confirmed finding, because the event that caused the > > | Reproducer Testcase to stop indicating a buffer overflow was a change > > | to the AFLplusplus project (5525f8c9ef8bb879dadd0eb942d524827d1b0362), > > | not a change to the UltraJSON project. > > Just some context: The CVE was initially disputed since it was not > quite clear if this is a flaw in ujson and later just not triggered > anymore or if an issue in the AFL++ fuzzer. Upstream issues 501 and > 502 though give more details and as well information on how to > reproduce.
Upstream has addressed this issue by means of https://github.com/ultrajson/ultrajson/pull/519 . Regards, Salvatore
