Advisories » MGASA-2022-0270

Updated python-ujson packages fix security vulnerability

Publication date: 29 Jul 2022
Modification date: 29 Jul 2022
Type: security
Affected Mageia releases : 8
CVE: CVE-2022-31116 , CVE-2022-31117

Description

Add support for arbitrary size integers.
Replace 'wchar_t' string decoding implementation with a 'uint32_t'-based
one; fix handling of surrogates on decoding (CVE-2022-31116)
Potential double free of buffer during string decoding - Fix memory leak
on encoding errors when the buffer was resized - Integer parsing: always
detect overflows - Fix handling of surrogates on encoding (CVE-2022-31117)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=30663
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OPPU5FZP3LCTXYORFH7NHUMYA5X66IA7/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31116
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31117

SRPMS

8/core

• python-ujson-5.4.0-1.mga8