
CVE-2021-45958 from oss-fuzz report #502

Closed
carnil opened this issue Feb 7, 2022 · 3 comments · Fixed by #519

Comments


carnil commented Feb 7, 2022

Hi

Recently CVE-2021-45958 was published, which is an assignment due to the oss-fuzz report in

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009

see as well https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ujson/OSV-2021-955.yaml

This reference says:

```yaml
events:
- introduced: a920bfa
- fixed: 5525f8c9ef8bb879dadd0eb942d524827d1b0362
```

whereas 5525f8c9ef8bb879dadd0eb942d524827d1b0362 actually refers to a change in the AFL++ fuzzer:

AFLplusplus/AFLplusplus@5525f8c (see https://oss-fuzz.com/revisions?job=libfuzzer_asan_ujson&range=202112170603:202112180609).

Quoting a mail from MITRE:

> Some of the possibilities are:
>
> 1. There was never a buffer overflow. It was simply an artifact of an older version of the AFLplusplus fuzzing software.
>
> 2. There still is a buffer overflow, but it is no longer detected. In particular, the introduced value above corresponds to a920bfa -- this has function names that mention the "Buffer Append Unchecked" words. One might guess that "Unchecked" means accepting the risk of a buffer overflow.

MITRE confirmed that the CVE could be rejected if it can be confirmed that the reproducer testcase from https://oss-fuzz.com/download?testcase_id=5751832088543232 does not have a buffer overflow for the ujson.encode call shown in https://github.com/google/oss-fuzz/blob/master/projects/ujson/hypothesis_structured_fuzzer.py for UltraJSON 4.0.2.

Do you have any more insights here?

bwoodsend (Collaborator) commented

The vulnerability exists and has existed since long before a920bfa. The goal posts to reproduce have moved around a bit since, as changes have been made, which probably explains the confusion on oss-fuzz's side. #501 has the best reproducer I've seen so far. Fix is on its way.


carnil commented Feb 7, 2022

@bwoodsend thank you!


EralpB commented Apr 4, 2022

I would be happy to see this getting resolved 🙏 thank you for the hard work.
