Closed JordyZomer closed 3 years ago
This issue appears to have been assigned CVE-2020-36325.
This is not a bug. json_loads expects a null-terminated string - the above fuzzer is invalid as it does not ensure proper null-termination. This is how a lot of C functions operate: think strlen - or basically any other function in string.h - you will find OOBs all over libc if you don't provide null-terminated strings.
If this was really assigned a CVE I reckon it should be retracted.
Thanks for the analysis @DavidKorczynski
Thanks @DavidKorczynski for the analysis. In this case probably the CVE should be rejected. Note I was not the one requesting it but just sent a request to reject it via https://cveform.mitre.org/
@DavidKorczynski FTR it did not get REJECTED but is now marked as "disputed", cf. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36325
Interesting, thanks for the update! I wonder how this plays out - I would think the CVE team must have some means of handling false positives in particular with memory unsafe languages and libraries.
For reference "When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be designated as being "DISPUTED". In these cases, the CVE Program is making no determination as to which party is correct." from here https://cve.mitre.org/about/faqs.html#disputed_signify_in_cve_record
However, in this case it seems rejected is the correct classification: "A CVE Record listed as "REJECT" is a CVE Record that is not accepted as a CVE Record. The reason a CVE Record is marked REJECT will most often be stated in the description of the CVE Record. Possible examples include it being a duplicate CVE Record, it being withdrawn by the original requester, it being assigned incorrectly, or some other administrative reason." from the same URL.
Anyways - issue is closed and it's no big deal.
It is well known that functions like strlen that depend on null-terminated strings exclusively are not safe. But what about improving the API of jansson? json_loads could receive a fourth parameter with the maximal length of the parameter data.
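As an added illustration of the two points made in this thread (a fuzz harness must NUL-terminate input before calling a C-string API, and a length-bounded entry point avoids the problem entirely), the following stand-alone C is example code written for this page, not Jansson's code or the reporter's fuzzer. parse_cstr and parse_bounded are hypothetical stand-ins for json_loads and a length-taking variant (Jansson itself ships json_loadb for that); the harness_* functions are the bodies an LLVMFuzzerTestOneInput would call.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a NUL-terminated-string parser such as json_loads: it scans
 * until the terminator. Hypothetical, not Jansson's code; counts '{' bytes. */
size_t parse_cstr(const char *s) {
    size_t n = 0;
    for (; *s != '\0'; s++)
        if (*s == '{') n++;
    return n;
}

/* Length-bounded variant, in the spirit of the "fourth parameter" proposal
 * above. Hypothetical stand-in; Jansson's real equivalent is json_loadb. */
size_t parse_bounded(const char *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '{') n++;
    return n;
}

/* INVALID harness (what the thread describes): no terminator, so parse_cstr
 * reads past `size`; ASan blames the library, but the bug is the harness. */
long harness_invalid(const uint8_t *data, size_t size) {
    (void)size;  /* length ignored: this is the defect */
    return (long)parse_cstr((const char *)data);
}

/* Valid harness for a C-string API: copy into a buffer one byte larger and
 * NUL-terminate it. Returns -1 on allocation failure. */
long harness_cstr(const uint8_t *data, size_t size) {
    char *s = malloc(size + 1);
    if (s == NULL) return -1;
    memcpy(s, data, size);
    s[size] = '\0';
    long r = (long)parse_cstr(s);
    free(s);
    return r;
}

/* Valid harness for a length-bounded API: no copy needed, and an embedded NUL
 * byte in the input is parsed instead of silently truncating the data. */
long harness_bounded(const uint8_t *data, size_t size) {
    return (long)parse_bounded((const char *)data, size);
}
```

Running both valid harnesses on the same input and comparing results also surfaces the embedded-NUL case, where the C-string API sees a shorter input than the bounded one.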
Hi,
I encountered an OOB read memory corruption bug when fuzzing Jansson.
Below you can find the crash log:
The fuzzer I used was:
Kind Regards,
Jordy Zomer