CVE-2021-45958 from oss-fuzz report #502
Comments
|
@bwoodsend thank you! |
Closed
|
I would be happy to see this getting resolved 🙏 thank you for the hard work. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi
Recently CVE-2021-45958 was published which is an assignment due to the oss-fuzz report in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009
see as well https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ujson/OSV-2021-955.yaml
This reference says:
events:
- introduced: a920bfa
- fixed: 5525f8c9ef8bb879dadd0eb942d524827d1b0362
where though the 5525f8c9ef8bb879dadd0eb942d524827d1b0362 refers to a change in the AFL++ fuzzer:
AFLplusplus/AFLplusplus@5525f8c (see https://oss-fuzz.com/revisions?job=libfuzzer_asan_ujson&range=202112170603:202112180609).
Quoting a mail from MITRE:
Some of the possibilities are:
There was never a buffer overflow. It was simply an artifact
of an older version of the AFLplusplus fuzzing software.
There still is a buffer overflow, but it is no longer
detected. In particular, the introduced value above
corresponds to
a920bfa
-- this has function names that mention the "Buffer Append
Unchecked" words. One might guess that "Unchecked" means
accepting the risk of a buffer overflow.
MITRE confirmed that the CVE could be rejected if it can be confirmed that the reproducer testcase from https://oss-fuzz.com/download?testcase_id=5751832088543232 does not have a buffer overflow for the ujson.encode call shown in https://github.com/google/oss-fuzz/blob/master/projects/ujson/hypothesis_structured_fuzzer.py
for UltraJSON 4.0.2.
Do you have any more insights here?
The text was updated successfully, but these errors were encountered: