Buffer overrun in encode_string
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | python-cjson (Ubuntu) |
Undecided
|
Unassigned | ||
| | Hardy |
Undecided
|
Unassigned | ||
| | Jaunty |
Undecided
|
Unassigned | ||
| | Karmic |
Undecided
|
Unassigned | ||
| | Lucid |
Undecided
|
Unassigned | ||
| | Maverick |
Undecided
|
Unassigned | ||
Bug Description
Binary package hint: python-cjson
There is a buffer overrun in cjson 1.0.5, on UCS4 builds. The string length is only resized for wide unicode characters if there is less than 12 bytes of space left. Padding with narrow-but-escaped characters prevents string resizing.
The following line exhibits the overrun (it *may* segfault or display garbage, etc):
>>> cjson.encode(
(u'\U0001D11E\
I've attached a Bazaar merge directive against lp:ubuntu/hardy/python-cjson as a potential security vulnerability, and will also send the patch upstream.
| Matt Giuca (mgiuca) wrote : | #2 |
| Matt Giuca (mgiuca) wrote : | #3 |
OK I've talked to wgrant and he explained how to submit a security patch -- I've now attached three patches (one for hardy, one for jaunty and one for karmic which should merge into lucid and maverick), and each patch also updates the debian/changelog. Ignore the original patch.
Also note that I am aware that my test case reinforces the incorrect behaviour of encoding \U00xxxxxx (should encode to surrogate pairs). I have created a separate patch for this and will send it upstream.
| Matt Giuca (mgiuca) wrote : | #6 |
Did a better job of the changelog -- fixed version numbers to 1.0.5-1ubuntu0.1 and 1.0.5-2ubuntu0.1 respectively, and set release to -security.
Attached new versions of the three patches (hardy, jaunty and karmic).
| Matt Giuca (mgiuca) wrote : | #7 |
| Matt Giuca (mgiuca) wrote : | #8 |
| Jamie Strandboge (jdstrand) wrote : | #9 |
Thanks for your patch! In the future can you please follow https:/
| Jamie Strandboge (jdstrand) wrote : | #10 |
Matt, can you also give a link to the upstream report and/or commit?
| Matt Giuca (mgiuca) wrote : | #11 |
Hi Jamie,
Ah thanks for that advice. I was wondering if I was missing out on informing someone.
Unfortunately, I can't give a link to the upstream report because as far as I can tell, there is no upstream bug tracker or source tree for cjson. I based my patch on the version 1.0.5 release (http://
The Ubuntu/Debian package seems to be derived from this same public release (as there is 0 diff between the public release code and the source package's code).
| Jamie Strandboge (jdstrand) wrote : | #12 |
Ok, since upstream is unresponsive, I will need to coordinate this with vendors then.
| Jamie Strandboge (jdstrand) wrote : | #13 |
Sent email to vendor-sec with Matt CC'd requesting a CRD of 2010-06-16.
| Matt Giuca (mgiuca) wrote : | #14 |
Hi. I'm not familiar with the security procedures, but I wanted to check what's happening with this bug. There was a suggested CRD of 2010-06-16 (two days ago), and on the mailing list it was assigned a CVE number. As far as I can tell, nothing happened and the patch doesn't seem to have been reviewed.
I haven't dealt with a security vulnerability before, so I don't know if this is unusual or not.
Also, should the Launchpad bug report be linked to the CVE given on the mailing list, or is that only after the bug is disclosed?
| Jamie Strandboge (jdstrand) wrote : | #15 |
I plan to make this bug public, upload your fixes to the security ppa today and publish your fixes on Monday. Thanks for following up.
| Jamie Strandboge (jdstrand) wrote : | #16 |
Matt,
FYI, I had to update the debdiffs to use versions that comply with https:/
| Jamie Strandboge (jdstrand) wrote : | #17 |
Marking the bug as public.
| Launchpad Janitor (janitor) wrote : | #18 |
This bug was fixed in the package python-cjson - 1.0.5-2ubuntu1
---------------
python-cjson (1.0.5-2ubuntu1) maverick; urgency=low
[ Matt Giuca ]
* SECURITY UPDATE: Fixed potential buffer overflow error when encoding wide
unicode characters on UCS4 builds (LP: #585274)
- CVE-2010-1666
-- Jamie Strandboge <email address hidden> Fri, 18 Jun 2010 13:45:38 -0500
| Changed in python-cjson (Ubuntu Lucid): | |
| status: | In Progress → Fix Committed |
| Changed in python-cjson (Ubuntu Hardy): | |
| status: | In Progress → Fix Committed |
| Changed in python-cjson (Ubuntu Jaunty): | |
| status: | In Progress → Fix Committed |
| Changed in python-cjson (Ubuntu Karmic): | |
| status: | In Progress → Fix Committed |
| Launchpad Janitor (janitor) wrote : | #19 |
This bug was fixed in the package python-cjson - 1.0.5-2ubuntu0.
---------------
python-cjson (1.0.5-
[ Matt Giuca ]
* SECURITY UPDATE: Fixed potential buffer overflow error when encoding wide
unicode characters on UCS4 builds (LP: #585274)
- CVE-2010-1666
-- Jamie Strandboge <email address hidden> Fri, 18 Jun 2010 13:07:12 -0500
| Launchpad Janitor (janitor) wrote : | #20 |
This bug was fixed in the package python-cjson - 1.0.5-2ubuntu0.
---------------
python-cjson (1.0.5-
* SECURITY UPDATE: Fixed potential buffer overflow error when encoding wide
unicode characters on UCS4 builds (LP: #585274)
- CVE-2010-1666
-- Matt Giuca <email address hidden> Wed, 26 May 2010 10:50:08 +1000
| Launchpad Janitor (janitor) wrote : | #21 |
This bug was fixed in the package python-cjson - 1.0.5-1ubuntu0.
---------------
python-cjson (1.0.5-
* SECURITY UPDATE: Fixed potential buffer overflow error when encoding wide
unicode characters on UCS4 builds (LP: #585274)
- CVE-2010-1666
-- Matt Giuca <email address hidden> Wed, 26 May 2010 10:50:08 +1000
| Launchpad Janitor (janitor) wrote : | #22 |
This bug was fixed in the package python-cjson - 1.0.5-1ubuntu0.
---------------
python-cjson (1.0.5-
* SECURITY UPDATE: Fixed potential buffer overflow error when encoding wide
unicode characters on UCS4 builds (LP: #585274)
- CVE-2010-1666
-- Matt Giuca <email address hidden> Wed, 26 May 2010 10:50:08 +1000
By the way, this seems to affect all versions of cjson (at least on all supported Ubuntu versions). I patched against Hardy, being the oldest supported version -- not sure if I was supposed to patch against Maverick instead, but I expect this will be applied to all supported versions, right?