Buffer overrun in encode_string
Bug #585274 reported by
Matt Giuca
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
python-cjson (Ubuntu) | Fix Released | Undecided | Unassigned |
Hardy | Fix Released | Undecided | Unassigned |
Jaunty | Fix Released | Undecided | Unassigned |
Karmic | Fix Released | Undecided | Unassigned |
Lucid | Fix Released | Undecided | Unassigned |
Maverick | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: python-cjson
There is a buffer overrun in cjson 1.0.5, on UCS4 builds. The string length is only resized for wide unicode characters if there are fewer than 12 bytes of space left. Padding with narrow-but-escaped characters prevents string resizing.
The following line exhibits the overrun (it *may* segfault or display garbage, etc.):
>>> cjson.encode(
(u'\U0001D11E\
I've attached a Bazaar merge directive against lp:ubuntu/hardy/python-cjson as a potential security vulnerability, and will also send the patch upstream.
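The following C program is an added illustration of the resize-check pattern the report describes; it is not cjson's code, and the buffer layout (6 bytes per code point plus quotes and NUL), the growth step, the lowercase `\uXXXX` escapes and the function names `encode_flawed` / `encode_fixed` are assumptions made for this model. The flawed encoder returns -1 at the point where a real encoder would write past the end of its allocation instead of actually overrunning, so it can be run safely; the hardened encoder reserves space before every write, whatever the character class.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pairs of (code point, escape letter) for the two-byte JSON escapes. */
static const char ESC_PAIRS[] = "\"\"\\\\\nn\rr\tt\bb\ff";

static char short_escape(uint32_t c)
{
    for (size_t i = 0; i + 1 < sizeof ESC_PAIRS; i += 2)
        if (c == (unsigned char)ESC_PAIRS[i]) return ESC_PAIRS[i + 1];
    return 0;
}

/* Output bytes needed for one UCS4 code point in JSON string form. */
static size_t escaped_len(uint32_t c)
{
    if (short_escape(c)) return 2;  /* \" \\ \n \r \t \b \f        */
    if (c < 0x20) return 6;         /* \u00XX for other controls   */
    if (c < 0x80) return 1;         /* plain ASCII                 */
    if (c <= 0xFFFF) return 6;      /* \uXXXX, narrow but escaped  */
    return 12;                      /* \uD8XX\uDCXX surrogate pair */
}

/* Writes one \uXXXX escape (6 bytes, no NUL) at dst. */
static void put_u(char *dst, unsigned v)
{
    char tmp[8];
    snprintf(tmp, sizeof tmp, "\\u%04x", v & 0xFFFFu);
    memcpy(dst, tmp, 6);
}

/* Writes the escaped form of c at dst; caller reserved escaped_len(c) bytes. */
static void write_escaped(char *dst, uint32_t c)
{
    char e = short_escape(c);
    if (e) { dst[0] = '\\'; dst[1] = e; return; }
    if (c >= 0x20 && c < 0x80) { *dst = (char)c; return; }
    if (c <= 0xFFFF) { put_u(dst, c); return; }
    c -= 0x10000;                                /* UTF-16 surrogate pair */
    put_u(dst, 0xD800 + (c >> 10));
    put_u(dst + 6, 0xDC00 + (c & 0x3FF));
}

/* Flawed model (assumed, not cjson's code): grows only when a wide code point
 * is about to be written AND fewer than 12 bytes remain. A wide code point
 * written early, followed by 6-byte narrow escapes, exhausts the budget. */
static int encode_flawed(const uint32_t *s, size_t n, char **out)
{
    size_t cap = 6 * n + 3, pos = 0;        /* 6 per code point + quotes + NUL */
    char *buf = malloc(cap);
    if (!buf) return -1;
    buf[pos++] = '"';
    for (size_t i = 0; i < n; i++) {
        size_t need = escaped_len(s[i]);
        if (need == 12 && cap - pos < 12) {        /* the only resize point */
            char *tmp = realloc(buf, cap + 12);
            if (!tmp) { free(buf); return -1; }
            buf = tmp; cap += 12;
        }
        if (pos + need + 2 > cap) {                /* real code would overrun */
            free(buf); *out = NULL; return -1;
        }
        write_escaped(buf + pos, s[i]);
        pos += need;
    }
    buf[pos++] = '"'; buf[pos] = '\0';
    *out = buf;
    return 0;
}

/* Hardened model: reserve room for the escape, closing quote and NUL
 * before every write, regardless of the character class. */
static int encode_fixed(const uint32_t *s, size_t n, char **out)
{
    size_t cap = 6 * n + 3, pos = 0;
    char *buf = malloc(cap);
    if (!buf) return -1;
    buf[pos++] = '"';
    for (size_t i = 0; i < n; i++) {
        size_t need = escaped_len(s[i]);
        if (pos + need + 2 > cap) {
            size_t newcap = cap * 2 + need;
            char *tmp = realloc(buf, newcap);
            if (!tmp) { free(buf); return -1; }
            buf = tmp; cap = newcap;
        }
        write_escaped(buf + pos, s[i]);
        pos += need;
    }
    buf[pos++] = '"'; buf[pos] = '\0';
    *out = buf;
    return 0;
}

int main(void)
{
    /* Constructed input: U+1D11E (wide) first, then narrow escaped U+00E9s. */
    const uint32_t wide_first[] = {0x1D11E, 0xE9, 0xE9};
    char *out = NULL;
    printf("flawed: %s\n", encode_flawed(wide_first, 3, &out) ? "would overrun" : out);
    free(out);
    if (encode_fixed(wide_first, 3, &out) == 0) { printf("fixed:  %s\n", out); free(out); }
    return 0;
}
```

Putting the wide code point last makes the flawed model resize correctly (fewer than 12 bytes remain when it is reached), which is why a test that only checks that ordering would miss the bug; the check in `encode_fixed` is independent of ordering because it is made before every write.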
Changed in | Field | Change
---|---|---
python-cjson (Ubuntu Lucid) | status | In Progress → Fix Committed
python-cjson (Ubuntu Hardy) | status | In Progress → Fix Committed
python-cjson (Ubuntu Jaunty) | status | In Progress → Fix Committed
python-cjson (Ubuntu Karmic) | status | In Progress → Fix Committed
By the way, this seems to affect all versions of cjson (at least on all supported Ubuntu versions). I patched against Hardy, being the oldest supported version -- not sure if I was supposed to patch against Maverick instead, but I expect this will be applied to all supported versions, right?