CVE-2021-45958 from oss-fuzz report #502
Comments
@bwoodsend thank you!
Closed
I would be happy to see this getting resolved 🙏 thank you for the hard work.
Hi
Recently CVE-2021-45958 was published which is an assignment due to the oss-fuzz report in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009
see as well https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ujson/OSV-2021-955.yaml
This reference says:
events:
- introduced: a920bfa
- fixed: 5525f8c9ef8bb879dadd0eb942d524827d1b0362
where though the 5525f8c9ef8bb879dadd0eb942d524827d1b0362 refers to a change in the AFL++ fuzzer:
AFLplusplus/AFLplusplus@5525f8c (see https://oss-fuzz.com/revisions?job=libfuzzer_asan_ujson&range=202112170603:202112180609).
Quoting a mail from MITRE:
Some of the possibilities are:
- There was never a buffer overflow. It was simply an artifact of an older version of the AFLplusplus fuzzing software.
- There still is a buffer overflow, but it is no longer detected. In particular, the introduced value above corresponds to a920bfa -- this has function names that mention the "Buffer Append Unchecked" words. One might guess that "Unchecked" means accepting the risk of a buffer overflow.
MITRE confirmed that the CVE could be rejected if it can be confirmed that the reproducer testcase from https://oss-fuzz.com/download?testcase_id=5751832088543232 does not have a buffer overflow for the ujson.encode call shown in https://github.com/google/oss-fuzz/blob/master/projects/ujson/hypothesis_structured_fuzzer.py for UltraJSON 4.0.2.
Do you have any more insights here?
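The mismatch described in this issue (a `fixed` hash that points at a fuzzer commit rather than a project commit) can be checked mechanically. The sketch below is an added example, not code from the issue, ujson, or OSS-Fuzz: it walks an OSV-style record and reports every GIT event whose commit does not resolve in a local clone of the affected repository. Assumptions: the fields around `events` follow the OSV schema, the repo path is a placeholder, and the names `git_has_commit` and `audit_events` are hypothetical.

```python
import subprocess

# Constructed OSV-style record: the two event values are the ones quoted in the
# issue; the surrounding fields follow the OSV schema and are assumptions.
RECORD = {
    "id": "OSV-2021-955",
    "affected": [{
        "ranges": [{
            "type": "GIT",
            "repo": "<path-to-local-ujson-clone>",  # placeholder, not a real path
            "events": [
                {"introduced": "a920bfa"},
                {"fixed": "5525f8c9ef8bb879dadd0eb942d524827d1b0362"},
            ],
        }],
    }],
}


def git_has_commit(repo, sha):
    """True if `sha` resolves to a commit object in the clone at `repo`."""
    result = subprocess.run(
        ["git", "-C", repo, "cat-file", "-e", sha + "^{commit}"],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def audit_events(record, has_commit=git_has_commit):
    """Return (kind, sha, repo) for every GIT event whose commit is not in `repo`."""
    suspect = []
    for affected in record.get("affected", []):
        for rng in affected.get("ranges", []):
            if rng.get("type") != "GIT":
                continue  # only commit-based ranges can be checked against a clone
            for event in rng.get("events", []):
                for kind, sha in event.items():
                    # "0" is the OSV sentinel for "since the first commit"
                    if sha != "0" and not has_commit(rng["repo"], sha):
                        suspect.append((kind, sha, rng["repo"]))
    return suspect
```

An event flagged here only shows that the bisection landed outside the project's history; it says nothing about whether the overflow itself is real.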