The vulnerability exists and has existed since long before a920bfa. The goalposts to reproduce have moved around a bit since, as changes have been made, which probably explains the confusion on oss-fuzz's side. #501 has the best reproducer I've seen so far. Fix is on its way.
Hi
Recently CVE-2021-45958 was published which is an assignment due to the oss-fuzz report in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009
see as well https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ujson/OSV-2021-955.yaml
This reference says:
events:
- introduced: a920bfa
- fixed: 5525f8c9ef8bb879dadd0eb942d524827d1b0362
where though the 5525f8c9ef8bb879dadd0eb942d524827d1b0362 refers to a change in the AFL++ fuzzer:
AFLplusplus/AFLplusplus@5525f8c (see https://oss-fuzz.com/revisions?job=libfuzzer_asan_ujson&range=202112170603:202112180609).
Quoting a mail from MITRE:
Some of the possibilities are:
There was never a buffer overflow. It was simply an artifact
of an older version of the AFLplusplus fuzzing software.
There still is a buffer overflow, but it is no longer
detected. In particular, the introduced value above
corresponds to
a920bfa
-- this has function names that mention the "Buffer Append
Unchecked" words. One might guess that "Unchecked" means
accepting the risk of a buffer overflow.
MITRE confirmed that the CVE could be rejected if it can be confirmed that the reproducer testcase from https://oss-fuzz.com/download?testcase_id=5751832088543232 does not have a buffer overflow for the ujson.encode call shown in https://github.com/google/oss-fuzz/blob/master/projects/ujson/hypothesis_structured_fuzzer.py for UltraJSON 4.0.2.
Do you have any more insights here?
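The OSV record quoted in the issue lists a "fixed" commit that belongs to the AFL++ repository rather than to ujson. A cheap defender-side check is to resolve every commit in an OSV GIT range against the project's own history and flag any that do not belong. The following is an added example, not code from the ujson project, OSS-Fuzz or MITRE; the OSV record is a hand-constructed excerpt modelled on the OSV-2021-955 entry above, `KNOWN_UJSON_COMMITS` is a constructed stand-in for `git rev-list --all` output, the repository URL is a placeholder, and the full-length hash beginning with a920bfa is an assumed placeholder padded from the prefix given on the page.

```python
"""Sanity-check the GIT ranges of an OSV record against a project's own commit list.

Added example; not part of the ujson project or the OSS-Fuzz tooling.
"""
import json

# Constructed OSV-style record (JSON form of the YAML events quoted in the issue).
# The "repo" value is a placeholder; the page does not give one.
OSV_RECORD = json.loads("""
{
  "id": "OSV-2021-955",
  "affected": [
    {
      "package": {"name": "ujson", "ecosystem": "OSS-Fuzz"},
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://example.invalid/ujson.git",
          "events": [
            {"introduced": "a920bfa"},
            {"fixed": "5525f8c9ef8bb879dadd0eb942d524827d1b0362"}
          ]
        }
      ]
    }
  ]
}
""")

# Constructed stand-in for the project's commit history. The a920bfa entry is
# an assumed placeholder: the page only gives the 7-character prefix, so it is
# padded to 40 hex digits here. The second entry is purely invented filler.
KNOWN_UJSON_COMMITS = {
    "a920bfa" + "0" * 33,
    "0123456789abcdef0123456789abcdef01234567",
}


def resolve(commit, known):
    """Return the full hashes in `known` that `commit` (possibly abbreviated) identifies."""
    commit = commit.lower()
    return sorted(h for h in known if h.startswith(commit))


def check_git_ranges(record, known):
    """Return (range_index, event_kind, commit, reason) tuples for every GIT
    range event whose commit does not resolve to exactly one known commit.

    A "fixed" commit that is not in the project repository is exactly the
    inconsistency the issue describes: the fix may have landed somewhere else
    (here, in the fuzzer), so the advisory's range cannot be trusted as-is.
    """
    findings = []
    for affected in record.get("affected", []):
        for i, rng in enumerate(affected.get("ranges", [])):
            if rng.get("type") != "GIT":
                continue
            for event in rng.get("events", []):
                for kind, commit in event.items():
                    # OSV convention: "introduced": "0" means "since the first commit".
                    if commit == "0":
                        continue
                    matches = resolve(commit, known)
                    if not matches:
                        findings.append((i, kind, commit, "not in project repository"))
                    elif len(matches) > 1:
                        findings.append((i, kind, commit, "ambiguous prefix"))
    return findings


if __name__ == "__main__":
    for finding in check_git_ranges(OSV_RECORD, KNOWN_UJSON_COMMITS):
        print(finding)
```

Run against a real record, replace `KNOWN_UJSON_COMMITS` with the set produced by `git rev-list --all` in a checkout of the affected project; any "fixed" or "introduced" value that is reported as not in the repository is worth raising with the advisory source before the range is used for version triage.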