Please make a new release (OSV-2021-1809) #538
Comments
For reference, pip-audit is https://pypi.org/project/pip-audit/ and can be run like:

```
$ echo ujson > requirements.txt
$ pip-audit -r requirements.txt
Found 1 known vulnerability in 1 package
Name  Version ID            Fix Versions
----- ------- ------------- ------------
ujson 5.2.0   OSV-2021-1809
```

But I don't find OSV-2021-1809 in https://github.com/pypa/advisory-database (for ujson it only has PYSEC-2022-25 aka CVE-2021-45958, fixed in 5.2.0: https://github.com/pypa/advisory-database/blob/main/vulns/ujson/PYSEC-2022-25.yaml). Where can we find more info on OSV-2021-1809?
Looks like that's the same as CVE-2021-45958. The commit IDs on osv.dev are wrong (one of them isn't even from ujson...), but the oss-fuzz tracker links to https://oss-fuzz.com/revisions?job=libfuzzer_asan_ujson&range=202204050603:202204060604, which points to the commit range from #519. So the affected versions list on osv.dev is simply also wrong because, as @hugovk mentioned, that fix was shipped with 5.2.0. I haven't looked at where that information comes from or how it could be changed.
Thanks for digging in! I've released version 5.3.0 anyway, as there were some things pending, but as mentioned it won't fix OSV-2021-1809. @JustAnotherArchivist Please could you open a PR to update https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ujson/OSV-2021-1809.yaml with your findings?
On the other hand:

```
$ echo ujson==5.2.0 > requirements.txt
$ pip-audit -r requirements.txt
Found 1 known vulnerability in 1 package
Name  Version ID            Fix Versions
----- ------- ------------- ------------
ujson 5.2.0   OSV-2021-1809

$ echo ujson==5.3.0 > requirements.txt
$ pip-audit -r requirements.txt
No known vulnerabilities found
```

:D
Thanks for finding that, will send a PR. I do wonder about the affected versions as well as the introduced commit ID. I don't have time to reproduce their fuzz test right now (it's complicated...), so I don't know what buffer overflow they found exactly there. #519 fixed a bunch of them, and they were probably introduced over time. Speaking of which, the data on the CVE entry is also incorrect. GHSA-fh56-85cw-5pq6 claims that the buffer overflow on indentation was fixed in 5.1.0, which isn't true. I'm nearly certain it wasn't introduced by 4.0.2 either but is much older than that. It looks like the initial implementation in 930dfa5 already had that particular problem, and that was first released in version 1.34 it seems.
So, just to be clear, correction to my first comment above: OSV-2021-1809 might not be identical to CVE-2021-45958, but they were fixed together in #519 and released in 5.2.0.
GHSA fix submitted: github/advisory-database#299
Reproducing the last oss fuzz report was a nightmare. I got it running and segfaulting locally after an enormous amount of downloading and building, but it didn't seem to give any way to pull out the offending input into something I could actually debug. I only found a reproducer by guessing in the end. It's a shame really - oss fuzz is such a good idea, but that plus all these incorrect introduced/fixed commits reduces it to panic inducing noise.
Thank you for making a new release so quickly, and also for fixing the vulnerability data information! Very appreciated.
I think we should keep this issue open until the OSV data fix is submitted. (The CVE/GHSA fix is kind of unrelated to this, I just happened to notice it during this discussion.)
@bwoodsend Here's a slightly silly idea: insert a

But yeah, I agree, it's a great idea, but if this crucial information isn't easily available, it fails at its primary purpose of getting maintainers to fix bugs in FOSS projects...
@bwoodsend Hi there! OSS-Fuzz maintainer here. Sorry for that experience -- would you mind elaborating a bit more on the issues you encountered? (Please feel free to start an issue at https://github.com/google/oss-fuzz/issues to avoid making this too off topic.) I've also updated the two OSV reports at https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ujson/OSV-2021-955.yaml and https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ujson/OSV-2021-1809.yaml. While our bisection / commit analysis works for most things, sadly they do run into hiccups. We're hoping community contributions can help here!
@oliverchang Thank you for updating the reports!

```
$ echo ujson==5.1.0 > requirements.txt
$ pip-audit -r requirements.txt
Found 2 known vulnerabilities in 1 package
Name  Version ID            Fix Versions
----- ------- ------------- ------------
ujson 5.1.0   OSV-2021-1809
ujson 5.1.0   OSV-2021-955

$ echo ujson==5.2.0 > requirements.txt
$ pip-audit -r requirements.txt
No known vulnerabilities found

$ echo ujson==5.3.0 > requirements.txt
$ pip-audit -r requirements.txt
No known vulnerabilities found
```

Let's close this issue, but feel free to continue discussion here if you wish. Thanks all!
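The thread turns on how an OSV advisory's affected ranges decide what pip-audit prints for a pinned version. The script below is an added example, not pip-audit's or OSV's code: it applies the OSV ECOSYSTEM range semantics (ordered introduced/fixed/last_affected events) to a constructed advisory record that encodes the corrected conclusion above (affected from the first release, fixed in 5.2.0), and audits `name==version` requirement lines against it offline. The advisory contents are constructed for illustration and are not the real OSV-2021-1809 file.

```python
import json
from typing import Dict, List, Tuple

# Constructed OSV record for illustration; not the real OSV-2021-1809 contents.
ADVISORY = json.loads("""{
  "id": "OSV-2021-1809",
  "affected": [{
    "package": {"ecosystem": "PyPI", "name": "ujson"},
    "ranges": [{"type": "ECOSYSTEM",
                "events": [{"introduced": "0"}, {"fixed": "5.2.0"}]}]
  }]
}""")

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a plain release version such as "5.2.0" into a comparable tuple.
    Pre-/post-release suffixes are out of scope for this example."""
    return tuple(int(p) for p in v.split("."))

def is_affected(advisory: dict, ecosystem: str, name: str, version: str) -> bool:
    """OSV ECOSYSTEM semantics: events are ordered; a version becomes affected at an
    'introduced' event and stops at the next 'fixed' (>=) or 'last_affected' (>)."""
    ver = parse_version(version)
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in entry.get("versions", []):  # explicitly enumerated versions
            return True
        for rng in entry.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue  # GIT ranges need commit history; not handled here
            hit = False
            for ev in rng.get("events", []):
                if "introduced" in ev:
                    intro = ev["introduced"]
                    if intro == "0" or ver >= parse_version(intro):
                        hit = True
                elif "fixed" in ev and ver >= parse_version(ev["fixed"]):
                    hit = False
                elif "last_affected" in ev and ver > parse_version(ev["last_affected"]):
                    hit = False
            if hit:
                return True
    return False

def fix_versions(advisory: dict, name: str) -> List[str]:
    """Collect the 'fixed' versions that fill pip-audit's Fix Versions column."""
    return [ev["fixed"] for a in advisory["affected"] if a["package"]["name"] == name
            for r in a["ranges"] for ev in r["events"] if "fixed" in ev]

def audit_requirement(line: str, advisories: List[dict]) -> List[Dict[str, object]]:
    """Audit one pinned requirement line ("ujson==5.1.0") against local advisories."""
    name, version = line.strip().split("==")
    return [{"id": a["id"], "fix": fix_versions(a, name)}
            for a in advisories if is_affected(a, "PyPI", name, version)]
```

With the corrected range, `ujson==5.1.0` is flagged with fix version 5.2.0 while 5.2.0 and 5.3.0 are clean, which is the behaviour the final pip-audit runs above show; an advisory whose `fixed` event is missing or wrong would flag every later version too, which is exactly the noise described earlier.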
Sure, writing ticket now... |
pip-audit reports:
Please make a new release that fixes this.
Thanks!