Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2022:2673-1

Опубликовано: 04 авг. 2022
Источник: suse-cvrf

Описание

Security update for python-ujson

This update for python-ujson fixes the following issues:

  • CVE-2022-31116: Fixed improper decoding of escaped surrogate characters (bsc#1201255).
  • CVE-2022-31117: Fixed a double free while reallocating a buffer for string decoding (bsc#1201254).

Список пакетов

SUSE Linux Enterprise Module for Development Tools 15 SP3
python3-ujson-1.35-150100.3.5.1
SUSE Linux Enterprise Module for Development Tools 15 SP4
python3-ujson-1.35-150100.3.5.1
SUSE Linux Enterprise Module for Package Hub 15 SP3
python2-ujson-1.35-150100.3.5.1
SUSE Linux Enterprise Module for Package Hub 15 SP4
python2-ujson-1.35-150100.3.5.1
openSUSE Leap 15.3
python2-ujson-1.35-150100.3.5.1
python3-ujson-1.35-150100.3.5.1
openSUSE Leap 15.4
python3-ujson-1.35-150100.3.5.1

Ссылки

Описание

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries. All users parsing JSON from untrusted sources are vulnerable. From version 5.4.0, UltraJSON decodes lone surrogates in the same way as the standard library's `json` module does, preserving them in the parsed output. Users are advised to upgrade. There are no known workarounds for this issue.

Затронутые продукты
SUSE Linux Enterprise Module for Development Tools 15 SP3:python3-ujson-1.35-150100.3.5.1
SUSE Linux Enterprise Module for Development Tools 15 SP4:python3-ujson-1.35-150100.3.5.1
SUSE Linux Enterprise Module for Package Hub 15 SP3:python2-ujson-1.35-150100.3.5.1
SUSE Linux Enterprise Module for Package Hub 15 SP4:python2-ujson-1.35-150100.3.5.1
Ссылки

Описание

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. In versions prior to 5.4.0 an error occurring while reallocating a buffer for string decoding can cause the buffer to get freed twice. Due to how UltraJSON uses the internal decoder, this double free is impossible to trigger from Python. This issue has been resolved in version 5.4.0 and all users should upgrade to UltraJSON 5.4.0. There are no known workarounds for this issue.

Затронутые продукты
SUSE Linux Enterprise Module for Development Tools 15 SP3:python3-ujson-1.35-150100.3.5.1
SUSE Linux Enterprise Module for Development Tools 15 SP4:python3-ujson-1.35-150100.3.5.1
SUSE Linux Enterprise Module for Package Hub 15 SP3:python2-ujson-1.35-150100.3.5.1
SUSE Linux Enterprise Module for Package Hub 15 SP4:python2-ujson-1.35-150100.3.5.1
Ссылки