Wednesday, February 14, 2024

[USN-6629-2] UltraJSON vulnerability

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEEhC9y9XdAFQPCvYXchGmXSGiknnUFAmXMYlMFAwAAAAAACgkQhGmXSGiknnV/
GQ/+JJVU5ZGOQAbrH03+JFG51eoKLDoq8yHdeAbtezdwSdOK3JoJ/P499tLpceZKpeBchqfsA++R
e0WjDYF9uYbAwuWG5kDc9k5xErkySeJUzyC8CUrO46/F/mYK4vQ1uoK3Yo/sAYXHMQ9tNkOdIT8a
yRP6lvtiVyNpO5HaTAiUdrBuj6DvUQWuYGf4iuLt/mcKZ5YZn634GEXKMOFOsUJqL9QiNiIJLDUn
uprK+9VvrIz8wMh94+nTgDtjqO5Bj5vvMjLiScJ74F1KQGWlSfOfNqwNWByN0pZaFx6RA08QTRYR
c/OdNVr9T9mm+H6qFxbyFvazuC4PQuXfSG0t7N0tjKIxQ0msk0fIjtOOhUS0FHU6BoJE35SBV1Bj
E5Hm0vkJQurC7M/NXAOk2AefnmLU6kJ9wB/h5Q+NhNXqhkbx2lHHYEatj6ZKE3BQt3/52y6guGqv
OiwM6vboDPSwP71XHnVtVOhVQhEVIIXH/9lxATDhe4f5QdVjbMowqK0w8yX4xnN4WDo4z8lrWke8
WrFxJXgzJZkX53nhGKlm0ruiOplAjI+5VA0ezYLQSOlHXGMqRhX/EW7udMH6V3dggu1yL1vD5orI
PRHWuB2uJMtjdYHD+auicHWvkaTSdaKFwuVRp0cZVfJiemtpn4Rwv3gfrM9407Zaj/OTX5PnRnw/
OWg=
=Fd44
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-6629-2
February 14, 2024

ujson vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

UltraJSON could be made to crash if it received specially crafted
input.

Software Description:
- ujson: ultra fast JSON encoder and decoder for Python 3

Details:

USN-6629-1 fixed vulnerabilities in UltraJSON.
This update provides the corresponding updates for Ubuntu 20.04 LTS.

Original advisory details:

It was discovered that UltraJSON incorrectly handled certain input with
a large amount of indentation. An attacker could possibly use this issue
to crash the program, resulting in a denial of service. (CVE-2021-45958)

Jake Miller discovered that UltraJSON incorrectly decoded certain
characters. An attacker could possibly use this issue to cause key
confusion and overwrite values in dictionaries. (CVE-2022-31116)

It was discovered that UltraJSON incorrectly handled an error when
reallocating a buffer for string decoding. An attacker could possibly
use this issue to corrupt memory. (CVE-2022-31117)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
python3-ujson 1.35-4ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6629-2
https://ubuntu.com/security/notices/USN-6629-1
CVE-2021-45958

Package Information:
https://launchpad.net/ubuntu/+source/ujson/1.35-4ubuntu0.1

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)