
Buffer overrun in encode_string

Reported by Matt Giuca on 2010-05-25
Affects                  Status   Importance   Assigned to   Milestone
python-cjson (Ubuntu)             Undecided    Unassigned
  Hardy                           Undecided    Unassigned
  Jaunty                          Undecided    Unassigned
  Karmic                          Undecided    Unassigned
  Lucid                           Undecided    Unassigned
  Maverick                        Undecided    Unassigned

Bug Description

Binary package hint: python-cjson

There is a buffer overrun in cjson 1.0.5, on UCS4 builds. The string length is only resized for wide unicode characters if there is less than 12 bytes of space left. Padding with narrow-but-escaped characters prevents string resizing.

The following line exhibits the overrun (it *may* segfault or display garbage, etc):
>>> cjson.encode(u'\U0001D11E\U0001D11E\U0001D11E\U0001D11E\u1234\u1234\u1234\u1234\u1234\u1234')
(u'\U0001D11E\u1234' also breaks, but sometimes goes undetected.)

I've attached a Bazaar merge directive against lp:ubuntu/hardy/python-cjson as a potential security vulnerability, and will also send the patch upstream.
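
As an added illustration (this is not cjson's code and not the patches attached to this report): a small C model of the reservation rule the description gives, beside an encoder that reserves the exact escape length for every code point before writing it. The escape table, the initial buffer sizes and the growth-by-doubling are assumptions; non-BMP code points are written as UTF-16 surrogate pairs, which the reporter notes below is the correct JSON output. The flawed-policy model only tracks byte counts and never writes anything, so it reports the overrun instead of performing it.

```c
/* Added example, not cjson's code or the patches in this report. The escape
 * table in escaped_len()/write_escaped(), the 16-byte initial buffer and the
 * doubling growth are assumptions made for the illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed input: the string from the report (4 x U+1D11E, 6 x U+1234) as UCS-4. */
const uint32_t REPORTED_INPUT[] = {
    0x1D11E, 0x1D11E, 0x1D11E, 0x1D11E,
    0x1234, 0x1234, 0x1234, 0x1234, 0x1234, 0x1234
};
const size_t REPORTED_INPUT_LEN = sizeof REPORTED_INPUT / sizeof REPORTED_INPUT[0];

/* Bytes the JSON escape of one code point occupies; must agree with write_escaped(). */
size_t escaped_len(uint32_t cp)
{
    switch (cp) {
    case '"': case '\\': case '\b': case '\f': case '\n': case '\r': case '\t':
        return 2;                                   /* two-character escapes */
    }
    if (cp >= 0x20 && cp < 0x80) return 1;          /* printable ASCII as-is */
    if (cp < 0x10000 || cp > 0x10FFFF) return 6;    /* \uXXXX (invalid -> U+FFFD) */
    return 12;                                      /* \uD8XX\uDCXX surrogate pair */
}

static void put_u16(char *dst, unsigned v)          /* writes \uXXXX, 6 bytes, no NUL */
{
    static const char hex[] = "0123456789abcdef";
    dst[0] = '\\'; dst[1] = 'u';
    dst[2] = hex[(v >> 12) & 0xf]; dst[3] = hex[(v >> 8) & 0xf];
    dst[4] = hex[(v >> 4) & 0xf];  dst[5] = hex[v & 0xf];
}

/* Writes the escape of cp into dst; the caller must have reserved escaped_len(cp) bytes. */
size_t write_escaped(char *dst, uint32_t cp)
{
    const char *two = NULL;
    switch (cp) {
    case '"':  two = "\\\""; break;   case '\\': two = "\\\\"; break;
    case '\b': two = "\\b";  break;   case '\f': two = "\\f";  break;
    case '\n': two = "\\n";  break;   case '\r': two = "\\r";  break;
    case '\t': two = "\\t";  break;
    }
    if (two) { memcpy(dst, two, 2); return 2; }
    if (cp >= 0x20 && cp < 0x80) { dst[0] = (char)cp; return 1; }
    if (cp > 0x10FFFF) cp = 0xFFFD;                 /* not a scalar value: replacement char */
    if (cp < 0x10000) { put_u16(dst, cp); return 6; }
    cp -= 0x10000;                                  /* split into UTF-16 surrogates */
    put_u16(dst, 0xD800 | (cp >> 10));
    put_u16(dst + 6, 0xDC00 | (cp & 0x3FF));
    return 12;
}

/* Hardened encoder: before every code point, make sure the buffer has room for
 * its escape plus the closing quote and NUL. Returns a malloc'd JSON string
 * literal, or NULL on allocation failure. */
char *encode_ucs4(const uint32_t *cps, size_t n)
{
    size_t cap = 16, used = 0;                      /* assumed initial capacity */
    char *buf = malloc(cap);
    if (!buf) return NULL;
    buf[used++] = '"';
    for (size_t i = 0; i < n; i++) {
        size_t need = escaped_len(cps[i]) + 2;      /* +2: closing quote and NUL */
        if (cap - used < need) {
            while (cap - used < need) cap *= 2;
            char *tmp = realloc(buf, cap);
            if (!tmp) { free(buf); return NULL; }
            buf = tmp;
        }
        used += write_escaped(buf + used, cps[i]);
    }
    buf[used++] = '"';
    buf[used] = '\0';
    return buf;
}

/* Model of the reservation rule the report describes: capacity is re-checked
 * only when a wide (non-BMP) code point is about to be written, and only if
 * fewer than 12 bytes are left. Nothing is written; the function returns how
 * many bytes that rule would have placed past the end of a buffer that
 * started at initial_cap bytes (0 means the rule happened to be safe). */
size_t flawed_policy_overrun(const uint32_t *cps, size_t n, size_t initial_cap)
{
    size_t cap = initial_cap, used = 1, overrun = 0;    /* 1: opening quote */
    for (size_t i = 0; i < n; i++) {
        size_t left = used < cap ? cap - used : 0;
        if (cps[i] >= 0x10000 && left < 12) cap *= 2;   /* the only growth point */
        used += escaped_len(cps[i]);                    /* narrow escapes never re-check */
        if (used > cap && used - cap > overrun) overrun = used - cap;
    }
    used += 1;                                          /* closing quote */
    if (used > cap && used - cap > overrun) overrun = used - cap;
    return overrun;
}

int main(void)
{
    char *json = encode_ucs4(REPORTED_INPUT, REPORTED_INPUT_LEN);
    if (!json) return 1;
    printf("%s\n", json);
    printf("flawed policy, 32-byte buffer: %zu byte(s) past the end\n",
           flawed_policy_overrun(REPORTED_INPUT, REPORTED_INPUT_LEN, 32));
    free(json);
    return 0;
}
```

The two functions differ in one place only: the hardened encoder asks "how many bytes will this code point need?" before every write, while the modelled rule asks "are fewer than 12 bytes left?" only when the current code point is wide. Six-byte escapes slipped in after the last wide character consume the slack without ever triggering the check, which is exactly the padding the report describes.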

Matt Giuca (mgiuca) wrote :

By the way, this seems to affect all versions of cjson (at least on all supported Ubuntu versions). I patched against Hardy, being the oldest supported version -- not sure if I was supposed to patch against Maverick instead, but I expect this will be applied to all supported versions, right?

Matt Giuca (mgiuca) wrote :

OK I've talked to wgrant and he explained how to submit a security patch -- I've now attached three patches (one for hardy, one for jaunty and one for karmic which should merge into lucid and maverick), and each patch also updates the debian/changelog. Ignore the original patch.

Also note that I am aware that my test case reinforces the incorrect behaviour of encoding \U00xxxxxx (should encode to surrogate pairs). I have created a separate patch for this and will send it upstream.

Matt Giuca (mgiuca) wrote :

Did a better job of the changelog -- fixed version numbers to 1.0.5-1ubuntu0.1 and 1.0.5-2ubuntu0.1 respectively, and set release to -security.

Attached new versions of the three patches (hardy, jaunty and karmic).

Jamie Strandboge (jdstrand) wrote :

Thanks for your patch! In the future can you please follow https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes%20for%20Contributors? This went unnoticed for a little while because ubuntu-security-sponsors was not subscribed. I've done that now.

Changed in python-cjson (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Matt, can you also give a link to the upstream report and/or commit?

Matt Giuca (mgiuca) wrote :

Hi Jamie,
Ah thanks for that advice. I was wondering if I was missing out on informing someone.

Unfortunately, I can't give a link to the upstream report because as far as I can tell, there is no upstream bug tracker or source tree for cjson. I based my patch on the version 1.0.5 release (http://pypi.python.org/pypi/python-cjson), and by "sent upstream", I meant I emailed the patches to the author, Dan Pascu <email address hidden>. I haven't heard a reply from him in two weeks.

The Ubuntu/Debian package seems to be derived from this same public release (as there is 0 diff between the public release code and the source package's code).

Jamie Strandboge (jdstrand) wrote :

Ok, since upstream is unresponsive, I will need to coordinate this with vendors then.

Jamie Strandboge (jdstrand) wrote :

Sent email to vendor-sec with Matt CC'd requesting a CRD of 2010-06-16.

Matt Giuca (mgiuca) wrote :

Hi. I'm not familiar with the security procedures, but I wanted to check what's happening with this bug. There was a suggested CRD of 2010-06-16 (two days ago), and on the mailing list it was assigned a CVE number. As far as I can tell, nothing happened and the patch doesn't seem to have been reviewed.

I haven't dealt with a security vulnerability before, so I don't know if this is unusual or not.

Also, should the Launchpad bug report be linked to the CVE given on the mailing list, or is that only after the bug is disclosed?

Jamie Strandboge (jdstrand) wrote :

I plan to make this bug public, upload your fixes to the security ppa today and publish your fixes on Monday. Thanks for following up.

Jamie Strandboge (jdstrand) wrote :

Matt,

FYI, I had to update the debdiffs to use versions that comply with https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging. This is needed to ensure smooth upgrades.

Changed in python-cjson (Ubuntu Lucid):
status: New → In Progress
Changed in python-cjson (Ubuntu Maverick):
status: Confirmed → In Progress
Changed in python-cjson (Ubuntu Hardy):
status: New → In Progress
Changed in python-cjson (Ubuntu Jaunty):
status: New → In Progress
Changed in python-cjson (Ubuntu Karmic):
status: New → In Progress
visibility: private → public
Jamie Strandboge (jdstrand) wrote :

Marking the bug as public.

Changed in python-cjson (Ubuntu Maverick):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-cjson - 1.0.5-2ubuntu1

---------------
python-cjson (1.0.5-2ubuntu1) maverick; urgency=low

  [ Matt Giuca ]
  * SECURITY UPDATE: Fixed potential buffer overflow error when encoding wide
    unicode characters on UCS4 builds (LP: #585274)
    - CVE-2010-1666
 -- Jamie Strandboge <email address hidden> Fri, 18 Jun 2010 13:45:38 -0500

Changed in python-cjson (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in python-cjson (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in python-cjson (Ubuntu Hardy):
status: In Progress → Fix Committed
Changed in python-cjson (Ubuntu Jaunty):
status: In Progress → Fix Committed
Changed in python-cjson (Ubuntu Karmic):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-cjson - 1.0.5-2ubuntu0.10.04.1

---------------
python-cjson (1.0.5-2ubuntu0.10.04.1) lucid-security; urgency=low

  [ Matt Giuca ]
  * SECURITY UPDATE: Fixed potential buffer overflow error when encoding wide
    unicode characters on UCS4 builds (LP: #585274)
    - CVE-2010-1666
 -- Jamie Strandboge <email address hidden> Fri, 18 Jun 2010 13:07:12 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-cjson - 1.0.5-2ubuntu0.9.10.1

---------------
python-cjson (1.0.5-2ubuntu0.9.10.1) karmic-security; urgency=low

  * SECURITY UPDATE: Fixed potential buffer overflow error when encoding wide
    unicode characters on UCS4 builds (LP: #585274)
    - CVE-2010-1666
 -- Matt Giuca <email address hidden> Wed, 26 May 2010 10:50:08 +1000

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-cjson - 1.0.5-1ubuntu0.9.04.1

---------------
python-cjson (1.0.5-1ubuntu0.9.04.1) jaunty-security; urgency=low

  * SECURITY UPDATE: Fixed potential buffer overflow error when encoding wide
    unicode characters on UCS4 builds (LP: #585274)
    - CVE-2010-1666
 -- Matt Giuca <email address hidden> Wed, 26 May 2010 10:50:08 +1000

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-cjson - 1.0.5-1ubuntu0.8.04.1

---------------
python-cjson (1.0.5-1ubuntu0.8.04.1) hardy-security; urgency=low

  * SECURITY UPDATE: Fixed potential buffer overflow error when encoding wide
    unicode characters on UCS4 builds (LP: #585274)
    - CVE-2010-1666
 -- Matt Giuca <email address hidden> Wed, 26 May 2010 10:50:08 +1000

Changed in python-cjson (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in python-cjson (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Changed in python-cjson (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in python-cjson (Ubuntu Lucid):
status: Fix Committed → Fix Released