Bug 1903723 (CVE-2020-9861)

Summary:	CVE-2020-9861 swift: stack overflow issue via nested malicious JSON input
Product:	[Other] Security Response	Reporter:	Dhananjay Arunesh <darunesh>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED NOTABUG	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	aileenc, chazlett, drieden, ggaughan, gmalinko, janstey, jochrist, jwon, tachoknight
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	swift-lang 5.1.5	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2020-12-04 09:09:15 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1904263, 1904264
Bug Blocks:	1903725

Description Dhananjay Arunesh 2020-12-02 17:14:38 UTC

A stack overflow issue existed in Swift for Linux. The issue was addressed with improved input validation for dealing with deeply nested malicious JSON input.

https://forums.swift.org/t/swift-5-1-5-for-linux-jsonserialization-limit-recursion-when-parsing/34514

Comment 2 Doran Moppert 2020-12-03 23:19:28 UTC

This is the swift programming language, not swift object storage.

Comment 3 Doran Moppert 2020-12-03 23:20:37 UTC

Created swift-lang tracking bugs for this issue:

Affects: epel-8 [bug 1904264]
Affects: fedora-all [bug 1904263]

Comment 4 Product Security DevOps Team 2020-12-04 09:09:15 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-9861