Buffer overrun in encode_string

Bug #585274 reported by Matt Giuca
Affects                  Status        Importance  Assigned to  Milestone
python-cjson (Ubuntu)    Fix Released  Undecided   Unassigned
  Hardy                  Fix Released  Undecided   Unassigned
  Jaunty                 Fix Released  Undecided   Unassigned
  Karmic                 Fix Released  Undecided   Unassigned
  Lucid                  Fix Released  Undecided   Unassigned
  Maverick               Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: python-cjson

There is a buffer overrun in cjson 1.0.5, on UCS4 builds. The string length is only resized for wide unicode characters if there is less than 12 bytes of space left. Padding with narrow-but-escaped characters prevents string resizing.

The following line exhibits the overrun (it *may* segfault or display garbage, etc):
>>> cjson.encode(u'\U0001D11E\U0001D11E\U0001D11E\U0001D11E\u1234\u1234\u1234\u1234\u1234\u1234')
(u'\U0001D11E\u1234' also breaks, but sometimes goes undetected.)

I've attached a Bazaar merge directive against lp:ubuntu/hardy/python-cjson as a potential security vulnerability, and will also send the patch upstream.
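The sizing mistake described above, modelled in C as an added example (this is neither cjson's code nor the attached patch). The constants in the vulnerable model (an initial reservation of 6 bytes per code point, a resize only when a non-BMP character arrives with fewer than 12 bytes free, growth by 100 bytes) are assumptions taken from the CPython unicode-escape routine that cjson's encoder follows; the model writes nothing and only accounts for bytes, so it reports how far past its buffer the vulnerable policy would have gone. The hardened encoder beside it is one correct approach, not necessarily the one in the patch: it reserves the exact escape length before every write, whichever kind of code point it is.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Output size of one code point under the escaping the report describes:
 * printable ASCII is copied as-is (1 byte), other BMP characters become
 * \uXXXX (6 bytes) and, on a UCS4 build, non-BMP characters become
 * \UXXXXXXXX (10 bytes; surrogate pairs are the separate fix the reporter
 * mentions). Simplified model, not cjson's own table. */
static size_t escaped_len(uint32_t cp)
{
    if (cp >= 0x20 && cp < 0x7f && cp != '"' && cp != '\\')
        return 1;
    return cp <= 0xFFFF ? 6 : 10;
}

/* Model of the vulnerable reservation policy (assumption: reconstructed
 * from the report and the CPython escape routine this encoder mirrors):
 * the buffer is sized for a 6-byte escape per code point, grown by 100
 * bytes only when a non-BMP code point is met with fewer than 12 bytes
 * free, and narrow escapes are written with no check at all. Nothing is
 * written here; the function returns how many bytes past the end of its
 * buffer the encoder would have gone (0 means it stayed inside). */
static size_t vulnerable_overrun(const uint32_t *s, size_t n)
{
    size_t capacity = 2 + 6 * n + 1;   /* quotes + 6 per char + NUL */
    size_t offset = 1;                 /* opening quote already written */
    size_t overrun = 0;

    for (size_t i = 0; i < n; i++) {
        size_t need = escaped_len(s[i]);
        if (need == 10 && offset + 12 > capacity)
            capacity += 100;           /* the only place a resize happens */
        offset += need;
        if (offset > capacity && offset - capacity > overrun)
            overrun = offset - capacity;
    }
    offset += 1;                       /* closing quote */
    if (offset > capacity && offset - capacity > overrun)
        overrun = offset - capacity;
    return overrun;
}

/* Hardened encoder: before every write, reserve the exact number of bytes
 * that escape needs. Returns a malloc'd NUL-terminated JSON string literal
 * (lower-case hex), or NULL if memory runs out. The caller frees it. */
static char *encode_string_safe(const uint32_t *s, size_t n)
{
    size_t cap = 2 + 6 * n + 1;        /* same optimistic start as above */
    size_t len = 0;
    char *buf = malloc(cap);
    if (!buf)
        return NULL;
    buf[len++] = '"';
    for (size_t i = 0; i < n; i++) {
        size_t need = escaped_len(s[i]);
        if (len + need + 2 > cap) {    /* +2: closing quote and NUL */
            size_t ncap = cap * 2 + need + 2;
            char *nb = realloc(buf, ncap);
            if (!nb) {
                free(buf);
                return NULL;
            }
            buf = nb;
            cap = ncap;
        }
        if (need == 1)
            buf[len++] = (char)s[i];
        else if (need == 6)
            len += (size_t)sprintf(buf + len, "\\u%04x", (unsigned)s[i]);
        else
            len += (size_t)sprintf(buf + len, "\\U%08x", (unsigned)s[i]);
    }
    buf[len++] = '"';
    buf[len] = '\0';
    return buf;
}

/* Constructed inputs: the two strings from the report, a wide-only string
 * (which does reach the resize, so it is safe) and plain ASCII. */
static const uint32_t REPORT_LONG[] = { 0x1D11E, 0x1D11E, 0x1D11E, 0x1D11E,
    0x1234, 0x1234, 0x1234, 0x1234, 0x1234, 0x1234 };
static const uint32_t REPORT_SHORT[] = { 0x1D11E, 0x1234 };
static const uint32_t WIDE_ONLY[] = { 0x1D11E, 0x1D11E, 0x1D11E, 0x1D11E };
static const uint32_t ASCII_ONLY[] = { 'h', 'e', 'l', 'l', 'o' };

int main(void)
{
    printf("report (long):  %zu bytes past the end\n",
           vulnerable_overrun(REPORT_LONG, COUNT(REPORT_LONG)));
    printf("report (short): %zu bytes past the end\n",
           vulnerable_overrun(REPORT_SHORT, COUNT(REPORT_SHORT)));
    printf("wide only:      %zu bytes past the end\n",
           vulnerable_overrun(WIDE_ONLY, COUNT(WIDE_ONLY)));
    char *json = encode_string_safe(REPORT_LONG, COUNT(REPORT_LONG));
    if (json) {
        printf("safe encoder:   %s\n", json);
        free(json);
    }
    return 0;
}
```

The wide-only input stays inside the buffer because each 10-byte escape eventually trips the 12-byte check, while the same wide characters followed by 6-byte `\uXXXX` escapes do not: the narrow escapes consume the slack that the single check assumed would remain. That is exactly why reserving space per write, rather than only at one character class, is the fix.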

Tags: crash
Revision history for this message
Matt Giuca (mgiuca) wrote :

By the way, this seems to affect all versions of cjson (at least on all supported Ubuntu versions). I patched against Hardy, being the oldest supported version -- not sure if I was supposed to patch against Maverick instead, but I expect this will be applied to all supported versions, right?

Revision history for this message
Matt Giuca (mgiuca) wrote :

OK I've talked to wgrant and he explained how to submit a security patch -- I've now attached three patches (one for hardy, one for jaunty and one for karmic which should merge into lucid and maverick), and each patch also updates the debian/changelog. Ignore the original patch.

Also note that I am aware that my test case reinforces the incorrect behaviour of encoding \U00xxxxxx (should encode to surrogate pairs). I have created a separate patch for this and will send it upstream.

Revision history for this message
Matt Giuca (mgiuca) wrote :

Did a better job of the changelog -- fixed version numbers to 1.0.5-1ubuntu0.1 and 1.0.5-2ubuntu0.1 respectively, and set release to -security.

Attached new versions of the three patches (hardy, jaunty and karmic).

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for your patch! In the future can you please follow https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes%20for%20Contributors? This went unnoticed for a little while because ubuntu-security-sponsors was not subscribed. I've done that now.

Changed in python-cjson (Ubuntu):
status: New → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Matt, can you also give a link to the upstream report and/or commit?

Revision history for this message
Matt Giuca (mgiuca) wrote :

Hi Jamie,
Ah thanks for that advice. I was wondering if I was missing out on informing someone.

Unfortunately, I can't give a link to the upstream report because as far as I can tell, there is no upstream bug tracker or source tree for cjson. I based my patch on the version 1.0.5 release (http://pypi.python.org/pypi/python-cjson), and by "sent upstream", I meant I emailed the patches to the author, Dan Pascu <email address hidden>. I haven't heard a reply from him in two weeks.

The Ubuntu/Debian package seems to be derived from this same public release (as there is 0 diff between the public release code and the source package's code).

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Ok, since upstream is unresponsive, I will need to coordinate this with vendors then.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Sent email to vendor-sec with Matt CC'd requesting a CRD of 2010-06-16.

Revision history for this message
Matt Giuca (mgiuca) wrote :

Hi. I'm not familiar with the security procedures, but I wanted to check what's happening with this bug. There was a suggested CRD of 2010-06-16 (two days ago), and on the mailing list it was assigned a CVE number. As far as I can tell, nothing happened and the patch doesn't seem to have been reviewed.

I haven't dealt with a security vulnerability before, so I don't know if this is unusual or not.

Also, should the Launchpad bug report be linked to the CVE given on the mailing list, or is that only after the bug is disclosed?

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I plan to make this bug public, upload your fixes to the security ppa today and publish your fixes on Monday. Thanks for following up.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Matt,

FYI, I had to update the debdiffs to use versions that comply with https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging. This is needed to ensure smooth upgrades.

Changed in python-cjson (Ubuntu Lucid):
status: New → In Progress
Changed in python-cjson (Ubuntu Maverick):
status: Confirmed → In Progress
Changed in python-cjson (Ubuntu Hardy):
status: New → In Progress
Changed in python-cjson (Ubuntu Jaunty):
status: New → In Progress
Changed in python-cjson (Ubuntu Karmic):
status: New → In Progress
visibility: private → public
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Marking the bug as public.

Changed in python-cjson (Ubuntu Maverick):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-cjson - 1.0.5-2ubuntu1

---------------
python-cjson (1.0.5-2ubuntu1) maverick; urgency=low

  [ Matt Giuca ]
  * SECURITY UPDATE: Fixed potential buffer overflow error when encoding wide
    unicode characters on UCS4 builds (LP: #585274)
    - CVE-2010-1666
 -- Jamie Strandboge <email address hidden> Fri, 18 Jun 2010 13:45:38 -0500

Changed in python-cjson (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in python-cjson (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in python-cjson (Ubuntu Hardy):
status: In Progress → Fix Committed
Changed in python-cjson (Ubuntu Jaunty):
status: In Progress → Fix Committed
Changed in python-cjson (Ubuntu Karmic):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-cjson - 1.0.5-2ubuntu0.10.04.1

---------------
python-cjson (1.0.5-2ubuntu0.10.04.1) lucid-security; urgency=low

  [ Matt Giuca ]
  * SECURITY UPDATE: Fixed potential buffer overflow error when encoding wide
    unicode characters on UCS4 builds (LP: #585274)
    - CVE-2010-1666
 -- Jamie Strandboge <email address hidden> Fri, 18 Jun 2010 13:07:12 -0500

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-cjson - 1.0.5-2ubuntu0.9.10.1

---------------
python-cjson (1.0.5-2ubuntu0.9.10.1) karmic-security; urgency=low

  * SECURITY UPDATE: Fixed potential buffer overflow error when encoding wide
    unicode characters on UCS4 builds (LP: #585274)
    - CVE-2010-1666
 -- Matt Giuca <email address hidden> Wed, 26 May 2010 10:50:08 +1000

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-cjson - 1.0.5-1ubuntu0.9.04.1

---------------
python-cjson (1.0.5-1ubuntu0.9.04.1) jaunty-security; urgency=low

  * SECURITY UPDATE: Fixed potential buffer overflow error when encoding wide
    unicode characters on UCS4 builds (LP: #585274)
    - CVE-2010-1666
 -- Matt Giuca <email address hidden> Wed, 26 May 2010 10:50:08 +1000

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-cjson - 1.0.5-1ubuntu0.8.04.1

---------------
python-cjson (1.0.5-1ubuntu0.8.04.1) hardy-security; urgency=low

  * SECURITY UPDATE: Fixed potential buffer overflow error when encoding wide
    unicode characters on UCS4 builds (LP: #585274)
    - CVE-2010-1666
 -- Matt Giuca <email address hidden> Wed, 26 May 2010 10:50:08 +1000

Changed in python-cjson (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in python-cjson (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Changed in python-cjson (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in python-cjson (Ubuntu Lucid):
status: Fix Committed → Fix Released
This report contains Public Security information. Everyone can see this security related information.