Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remote exploit in aeson #51

Closed
1 task done
dhess opened this issue Sep 12, 2021 · 3 comments · Fixed by #245
Closed
1 task done

Remote exploit in aeson #51

dhess opened this issue Sep 12, 2021 · 3 comments · Fixed by #245
Assignees
@dhess
Labels
bug 🐞 A confirmed bug security ⚠️ Security issue tracking This is a tracking issue upstream This is an upstream issue

Comments

@dhess
Copy link
Member

dhess commented Sep 12, 2021
edited
Loading

Details: https://cs-syd.eu/posts/2021-09-11-json-vulnerability?source=reddit

Tracked upstream here: haskell/aeson#864

Reddit thread: https://www.reddit.com/r/haskell/comments/pm7rcr/cs_syd_json_vulnerability_in_haskells_aeson/

The vulnerability is via HashMap from https://hackage.haskell.org/package/unordered-containers, which we do not use (directly). We should consider banning the use of unordered-containers, and hashable (https://hackage.haskell.org/package/hashable) until this issue is addressed — if it ever is.

(It's not clear to me whether the maintainers mentioned in the disclosure post, who apparently have known about this issue for ~ 1 year, are the aeson maintainers, or the unordered-containers maintainers, or the hashable maintainers, upon which unordered-containers depends.)

Blocked on:
@dhess dhess transferred this issue from another repository Sep 18, 2021
@dhess dhess added blocked/upstream ❌ Blocked by upstream issue bug 🐞 A confirmed bug security ⚠️ Security issue tracking This is a tracking issue upstream This is an upstream issue labels Sep 18, 2021
@dhess
Copy link
Member Author

dhess commented Oct 11, 2021

Supposedly fixed (with some additional configuration required) in Aeson 2.0.1.0: haskell-unordered-containers/unordered-containers#319 (comment)

@dhess dhess self-assigned this Oct 11, 2021
@georgefst
Copy link
Contributor

Supposedly fixed (with some additional configuration required) in Aeson 2.0.1.0

Seems it was actually fixed in 2.0.0 with a flag, and that flag enabled by default in 2.0.1.

Possibly worth being explicit about configuration anyway, given haskell/aeson#864 (comment):

there is no guarantee it won't be changed again

@georgefst georgefst mentioned this issue Oct 21, 2021
Closed
@brprice
Copy link
Contributor

brprice commented Oct 21, 2021

The stackage tracking issue (commercialhaskell/stackage#6217) may be useful for tracking the community's migration progress.

@dhess dhess mentioned this issue Feb 7, 2022
Merged
@dhess dhess closed this as completed in #245 Feb 7, 2022
@dhess dhess removed the blocked/upstream ❌ Blocked by upstream issue label Feb 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dhess dhess

Labels
bug 🐞 A confirmed bug security ⚠️ Security issue tracking This is a tracking issue upstream This is an upstream issue
Projects
None yet
Milestone
No milestone
3 participants
@dhess @brprice @georgefst