USN-6629-3: UltraJSON vulnerabilities

14 February 2024

Several security issues were fixed in UltraJSON.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

  • ujson - ultra fast JSON encoder and decoder for Python 3

Details

USN-6629-1 fixed vulnerabilities in UltraJSON.
This update provides the corresponding updates for Ubuntu 20.04 LTS.

Original advisory details:

It was discovered that UltraJSON incorrectly handled certain input with
a large amount of indentation. An attacker could possibly use this issue
to crash the program, resulting in a denial of service. (CVE-2021-45958)

Jake Miller discovered that UltraJSON incorrectly decoded certain
characters. An attacker could possibly use this issue to cause key
confusion and overwrite values in dictionaries. (CVE-2022-31116)

It was discovered that UltraJSON incorrectly handled an error when
reallocating a buffer for string decoding. An attacker could possibly
use this issue to corrupt memory. (CVE-2022-31117)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04

In general, a standard system update will make all the necessary changes.

Related notices