Bug 1908451 (CVE-2020-35381)

Summary: CVE-2020-35381 jsonparser: GET call can lead to a slice bounds out of range
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: cmoore, gghezzo, go-sig, gparvin, jramanat, jweiser, kaycoth, stcannon, thee
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: jsonparser 1.1.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-28 05:04:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1908452, 1908948, 1910042, 1938032
Bug Blocks: 1908454

Description Guilherme de Almeida Suckevicz 2020-12-16 17:56:38 UTC
jsonparser 1.0.0 allows attackers to cause a denial of service (panic: runtime error: slice bounds out of range) via a GET call.

Reference:
https://github.com/buger/jsonparser/issues/219

Comment 1 Guilherme de Almeida Suckevicz 2020-12-16 17:56:55 UTC
Created golang-github-buger-jsonparser tracking bugs for this issue:

Affects: fedora-all [bug 1908452]

Comment 2 Doran Moppert 2020-12-18 02:28:48 UTC
Triggering this issue requires attempting to index using a malformed path.  This is a less significant attack surface than malformed JSON, since common usage of the GetString interface is with only the first argument attacker-controlled.  jsonparser still should not crash in this instance, but this attack vector reduces impact to Low.

An initial patch proposal is given on the upstream ticket.  This probably needs refinement, as well as test cases.
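
The triage above describes the trigger as a malformed path element rather than malformed JSON. The Go program below is an added example written for this page, not code from the jsonparser project or from the upstream patch: it models the failure mode with a deliberately simplified array-index path parser (the assumption being that the malformed element is an array-index token such as "[0]" with a bracket missing), shows the bounds-checked form beside it, and adds the two mitigations a caller of an affected version can apply on its own side: validating caller-supplied paths before they reach the parser, and converting a parser panic into a request error so one bad path does not take down the process.

```go
package main

import (
	"fmt"
	"strconv"
)

// indexKeyUnsafe is an assumed, simplified model of the failure mode
// described in this bug, not the library's code: the brackets of an
// array-index path element like "[3]" are sliced off without checking
// that both are present. For the one-character key "[" the expression
// key[1:len(key)-1] becomes key[1:0], which panics at run time with
// "slice bounds out of range".
func indexKeyUnsafe(key string) (int, error) {
	return strconv.Atoi(key[1 : len(key)-1])
}

// indexKey is the bounds-checked form: a key is treated as an array
// index only when it is exactly "[" + digits + "]", so no slice is taken
// on trust and a negative or non-numeric index is rejected.
func indexKey(key string) (int, bool) {
	if len(key) < 3 || key[0] != '[' || key[len(key)-1] != ']' {
		return 0, false
	}
	idx, err := strconv.Atoi(key[1 : len(key)-1])
	if err != nil || idx < 0 {
		return 0, false
	}
	return idx, true
}

// validatePath rejects an empty path element and any element that
// starts with '[' but is not a well-formed array index. Callers that
// pass user-controlled paths to jsonparser.Get can run this first.
func validatePath(keys ...string) error {
	for i, k := range keys {
		if k == "" {
			return fmt.Errorf("path element %d is empty", i)
		}
		if k[0] == '[' {
			if _, ok := indexKey(k); !ok {
				return fmt.Errorf("path element %d (%q) is not a valid array index", i, k)
			}
		}
	}
	return nil
}

// guard runs fn and turns a runtime panic into an ordinary error, so a
// crash in a dependency fails one request instead of the whole service.
func guard(fn func()) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("parser panicked: %v", r)
		}
	}()
	fn()
	return nil
}

func main() {
	// Constructed sample paths: one well formed, one with a dangling '['.
	for _, path := range [][]string{{"items", "[0]", "name"}, {"items", "["}} {
		if err := validatePath(path...); err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted:", path)
	}
	// Without the check the modelled parser panics on "[" and guard reports it.
	fmt.Println(guard(func() { indexKeyUnsafe("[") }))
	// The bounds-checked form simply reports that "[" is not an index.
	_, ok := indexKey("[")
	fmt.Println("indexKey(\"[\") ok:", ok)
}
```

validatePath is the cheap fix for the case Comment 2 describes, a path supplied by an attacker; guard is defence in depth for any remaining panic in a parser you cannot patch yet, and should log the recovered value so the input that caused it can be found.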

Comment 4 lnacshon 2020-12-22 12:35:40 UTC
It seems the management platform is using https://github.com/buger/jsonparser, the vulnerable package.