Incorrect handling of negative offsets in scan_once #98

Closed
thoger opened this issue Jun 24, 2014 · 2 comments

thoger commented Jun 24, 2014

The problem was reported as a security issue for the simplejson version that is part of the Python standard library, see:

http://bugs.python.org/issue21529
https://hackerone.com/reports/12297

The test case using raw_decode does not work with recent simplejson versions because of commit 0fb0aea. However, I could reproduce the issue with version 3.2.0 by using scan_once directly instead of raw_decode. I haven't tried more recent versions, sorry; quick code inspection suggests they should still be affected.

I realize that scan_once is not a documented API, and hence this issue, if only triggerable via it, may not be considered an issue for simplejson.

etrepum (Member) commented Jun 24, 2014

Thanks for the report. It's certainly not the only way to read raw memory from CPython, but I'll get this fixed and take a look for other similar ssize_t issues. Those functions are intended for internal use only.

etrepum (Member) commented Jun 24, 2014

simplejson v3.5.3 has been released which fixes this issue. https://github.com/simplejson/simplejson/releases/tag/v3.5.3

@etrepum etrepum closed this as completed Jun 24, 2014
lelit added a commit to lelit/nssjson that referenced this issue Jun 28, 2014
Cherry pick part of upstream b7486b8,
complementing 9169e08.
jsonn pushed a commit to jsonn/pkgsrc that referenced this issue Jul 27, 2014
Version 3.5.3 released 2014-06-24

* Fix lower bound checking in scan_once / raw_decode API
  simplejson/simplejson#98
philenotfound pushed a commit to philenotfound/buildroot-cr15wi that referenced this issue Sep 23, 2014
No CVE assigned, see simplejson/simplejson#98

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
jsonn pushed a commit to jsonn/pkgsrc that referenced this issue Oct 11, 2014
Version 3.5.3 released 2014-06-24

* Fix lower bound checking in scan_once / raw_decode API
  simplejson/simplejson#98
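
A caller-side version of the lower-bound check named in the 3.5.3 changelog entry, as an added example that is not simplejson's code and not part of the thread: the offset is validated before it reaches raw_decode, so the result does not depend on which decoder version is installed. The standard-library json module stands in for simplejson here (an assumption), and check_offset, checked_raw_decode and iter_values are hypothetical names.

```python
import json

def check_offset(text, idx):
    """Reject any start offset outside [0, len(text)] before it is used."""
    if isinstance(idx, bool) or not isinstance(idx, int):
        raise TypeError("idx must be an int, got %r" % (idx,))
    if idx < 0:
        raise ValueError("idx cannot be negative: %d" % idx)
    if idx > len(text):
        raise ValueError("idx %d is past the end of input (%d)" % (idx, len(text)))
    return idx

def checked_raw_decode(decoder, text, idx=0):
    """raw_decode() with the offset validated in the caller."""
    return decoder.raw_decode(text, check_offset(text, idx))

def iter_values(text, start=0):
    """Yield each whitespace-separated JSON value in text, beginning at start."""
    decoder = json.JSONDecoder()
    idx = check_offset(text, start)  # validate before any indexing with it
    while True:
        while idx < len(text) and text[idx] in " \t\r\n":
            idx += 1
        if idx == len(text):
            return
        value, idx = checked_raw_decode(decoder, text, idx)
        yield value

if __name__ == "__main__":
    sample = '{"a": 1} [2, 3]\n"x"'  # constructed input, not from the issue
    print(list(iter_values(sample)))
    for bad in (-1, len(sample) + 1):
        try:
            list(iter_values(sample, bad))
        except ValueError as exc:
            print("rejected:", exc)
```
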