Bug 1817733 (CVE-2020-10675)

Summary: CVE-2020-10675 golang-github-buger-jsonparser: infinite loop via a Delete call
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aos-bugs, bbennett, bmontgom, cnv-qe-bugs, eparis, fdeutsch, gghezzo, go-sig, gparvin, jburrell, jokerman, jramanat, jweiser, nstielau, phoracek, sgott, sponnaga, stcannon, stirabos, thee
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jsonparser 1.0.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in golang-github-buger-jsonparser. The Library API in buger jsonparser through 2019-12-04 allows attackers to cause a denial of service (infinite loop) via a delete call. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-04-05 17:35:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1817734, 1892514    
Bug Blocks: 1892306    

Description Guilherme de Almeida Suckevicz 2020-03-26 20:26:35 UTC 
The Library API in buger jsonparser through 2019-12-04 allows attackers to cause a denial of service (infinite loop) via a Delete call.

Reference:
https://github.com/buger/jsonparser/issues/188
Comment 1 Guilherme de Almeida Suckevicz 2020-03-26 20:26:50 UTC 
Created golang-github-buger-jsonparser tracking bugs for this issue:

Affects: fedora-all [bug 1817734]
Comment 2 Product Security DevOps Team 2020-03-26 22:31:50 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Comment 3 Doran Moppert 2020-10-29 01:54:22 UTC 
This vulnerability can be exploited to cause an infinite loop in jsonparser if it is used to parse json data from an untrusted source.
Comment 6 Mark Cooper 2020-10-30 04:49:54 UTC 
Upstream fix: https://github.com/buger/jsonparser/commit/91ac96899e492584984ded0c8f9a08f10b473717
Comment 7 Mark Cooper 2020-10-30 06:39:43 UTC 
The following OpenShift 4 containers have indicators to github.com/buger/jsonparser:
    - openshift4/file-integrity-rhel8-operator
    - openshift4/cnf-tests-rhel8
    - openshift4/ose-container-networking-plugins-rhel8

However, the buger/jsonparser is a transient dependency from containernetworking/plugins:
$ go mod graph | grep buger/jsonparser
github.com/containernetworking/plugins.2 github.com/buger/jsonparser.0-20180808090653-f4dd9f5a6b44 

The repo github.com/containernetworking/plugins only includes github.com/buger when compiling on Windows:
:~/plugins$  go list -deps ./...  | grep buger/jsonparser
:~/plugins$

:~/plugins$ GOOS=windows go list -deps ./...  | grep buger/jsonparser
github.com/buger/jsonparser 

The associated containers only build on linux and are not affected. That and the go compiler does not include containernetworking/plugins in the build. 

It has been left on the affects however to prevent confusion as it can appear in the go.sum file.
Comment 9 Przemyslaw Roguski 2020-10-30 11:58:05 UTC 
External References:

https://github.com/buger/jsonparser/issues/188
Comment 10 Stoyan Nikolov 2020-12-11 09:13:16 UTC 
Statement:

The OpenShift Container Platform 4 (OCP)  containers file-integrity-rhel8-operator, cnf-tests-rhel8 and ose-container-networking-plugins-rhel8 do have some references to github.com/buger/jsonparser, mainly in their go.sum files. However, it is not included in the final go build. It is also a dependency of the dependency github.com/containernetworking/plugins which only includes buger/jsonparse when compiling for Windows, which these containers do not. Hence the associated containers have been marked not affected.

OpenShift Virtualization cnv-containernetworking-plugins container depends on  github.com/buger/jsonparser only when built for Windows, which it is not, thus it is not affected. Other OpenshiftVirtualization containers (virt-api, virt-controller, virt-handler, virt-launcher, virt-operator, kubernetes-nmstate-handler, ovs-cni-marker, ovs-cni-plugin, kubemacpool, hyperconverged-cluster-operator) have references to github.com/buger/jsonparser, however it is not included in the final go build.
Comment 11 Product Security DevOps Team 2021-04-05 17:35:15 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10675