
CVE-2021-45958 from oss-fuzz report #502

Closed
carnil opened this issue Feb 7, 2022 · 3 comments · Fixed by #519

Comments

@carnil
Copy link

carnil commented Feb 7, 2022

Hi

Recently CVE-2021-45958 was published, which is an assignment due to the oss-fuzz report in

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009

see as well https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ujson/OSV-2021-955.yaml

This reference says:

events:
- introduced: a920bfa
- fixed: 5525f8c9ef8bb879dadd0eb942d524827d1b0362

where though the 5525f8c9ef8bb879dadd0eb942d524827d1b0362 refers to a change in the AFL++ fuzzer:

AFLplusplus/AFLplusplus@5525f8c (see https://oss-fuzz.com/revisions?job=libfuzzer_asan_ujson&range=202112170603:202112180609).

Quoting a mail from MITRE:

Some of the possibilities are:

1. There was never a buffer overflow. It was simply an artifact of an older version of the AFLplusplus fuzzing software.

2. There still is a buffer overflow, but it is no longer detected. In particular, the introduced value above corresponds to a920bfa -- this has function names that mention the "Buffer Append Unchecked" words. One might guess that "Unchecked" means accepting the risk of a buffer overflow.

MITRE confirmed that the CVE could be rejected if it can be confirmed that the reproducer testcase from https://oss-fuzz.com/download?testcase_id=5751832088543232 does not have a buffer overflow for the ujson.encode call shown in https://github.com/google/oss-fuzz/blob/master/projects/ujson/hypothesis_structured_fuzzer.py for UltraJSON 4.0.2.

Do you have any more insights here?

@bwoodsend
Copy link
Collaborator

The vulnerability exists and has existed since long before a920bfa. The goal posts to reproduce have moved around a bit since as changes have been made which probably explains the confusion on oss-fuzz's side. #501 has the best reproducer I've seen so far. Fix is on its way.

@carnil
Copy link
Author

carnil commented Feb 7, 2022

@bwoodsend thank you!

@EralpB
Copy link

EralpB commented Apr 4, 2022

I would be happy to see this getting resolved 🙏 thank you for the hard work.
