Merge ~alexmurray/ubuntu-cve-tracker:fix-lp-2012327 into ubuntu-cve-tracker:master

Proposed by Alex Murray
Status: Merged
Merged at revision: 1d30b9e42ffefe2fb2cbfd4d05200f1b36c37915
Proposed branch: ~alexmurray/ubuntu-cve-tracker:fix-lp-2012327
Merge into: ubuntu-cve-tracker:master
Diff against target: 238 lines (+66/-34)
3 files modified
scripts/active_edit (+1/-1)
scripts/cve_lib.py (+39/-33)
scripts/test_cve_lib.py (+26/-0)
Reviewer: Steve Beattie (Status: Approve)
Review via email: mp+439296@code.launchpad.net

Description of the change

Fixes LP: #2012327

[amurray:~/ubuntu … ubuntu-cve-tracker] fix-lp-2012327(+1/-0)+* 130 ± unset CHECK_CVES_EXPERIMENTAL; ./scripts/check-cves --cve CVE-2021-46877 nvdcve-1.1-2021.json
Loading /home/amurray/ubuntu/git/security-tracker//data/CVE/list ...
Loading nvdcve-1.1-2021.json ...
 97% [=============================================== ] 130438317 ETA: 0:00:00

***********************************************************************
 CVE-2021-46877 (1/2: 50%)
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46877
***********************************************************************
 Published: 2023-03-18 22:15:00 UTC
 MISC: https://github.com/FasterXML/jackson-databind/issues/3328
 MISC: https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw

======================== CVE details ==========================
 CVE-2021-46877
 jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

======================= Debian details ========================
 Debian CVE Tracker: FOUND
 NOTE: https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw
 NOTE: https://github.com/FasterXML/jackson-databind/issues/3328
 NOTE: https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-2.12.6)
 NOTE: https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-3.13.1)
  Debian: jackson-databind: 2.13.2.2-1 (needs-triage)
    Ubuntu: jackson-databind | 2.9.8-1~18.04 | bionic-updates/universe
    Ubuntu: jackson-databind | 2.10.2-1 | focal/universe
    Ubuntu: jackson-databind | 2.13.0-2 | jammy/universe
    Ubuntu: jackson-databind | 2.13.2.2-1 | kinetic/universe
    Ubuntu: jackson-databind | 2.14.0-1 | lunar/universe

A]dd (or R]epeat), I]gnore forever, S]kip for now, or Q]uit? [add]
Package(s) affected? [jackson-databind]
Waiting for Emacs...

===================== Dependant packages ======================
 Detecting packages built using: jackson-databind...^P^Pnone detected

============================ Triage summary =============================

    1 CVEs added
    0 CVEs ignored
    0 CVEs skipped
---------------------------
    1 total CVEs triaged

====================== External updates detected ========================

 /home/amurray/ubuntu/git/ubuntu-cve-tracker/embargoed
 ?? pyrightconfig.json

 Please remember to push the above changes if appropriate
[amurray:~/ubuntu … ubuntu-cve-tracker] fix-lp-2012327(+2/-0)+* 34s ± cat active/CVE-2021-46877
Candidate: CVE-2021-46877
PublicDate: 2023-03-21
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46877
 https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw
 https://github.com/FasterXML/jackson-databind/issues/3328
 https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-2.12.6)
 https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-3.13.1)
Description:
 jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before
 2.13.1 allows attackers to cause a denial of service (2 GB transient heap
 usage per read) in uncommon situations involving JsonNode JDK
 serialization.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: untriaged
Discovered-by:
Assigned-to:
CVSS:

Patches_jackson-databind:
upstream_jackson-databind: released (2.13.2.2-1)
trusty_jackson-databind: ignored (out of standard support)
trusty/esm_jackson-databind: needs-triage
xenial_jackson-databind: ignored (out of standard support)
esm-apps/xenial_jackson-databind: needs-triage
bionic_jackson-databind: needs-triage
esm-apps/bionic_jackson-databind: needs-triage
focal_jackson-databind: needs-triage
esm-apps/focal_jackson-databind: needs-triage
jammy_jackson-databind: needs-triage
esm-apps/jammy_jackson-databind: needs-triage
kinetic_jackson-databind: not-affected (2.13.2.2-1)
devel_jackson-databind: not-affected

Revision history for this message
Steve Beattie (sbeattie) wrote :

LGTM, and thanks for adding to the tests, appreciated!

review: Approve

Preview Diff

1diff --git a/scripts/active_edit b/scripts/active_edit
2index 87d6fcc..43a3804 100755
3--- a/scripts/active_edit
4+++ b/scripts/active_edit
5@@ -89,7 +89,7 @@ def _add_pkg(p, fp, fixed, parent, embargoed):
6 fixed_in_release = fixed[p][1]
7 if len(fixed[p]) > 2:
8 fixed_in_release_version = fixed[p][2]
9- for rel in ['upstream'] + list(source.keys()):
10+ for rel in ['upstream'] + cve_lib.release_sort(list(source.keys())):
11 aliases = source_map.get_aliases_of_ubuntu_package(source, p, rel)
12 pkgs_from_generic = source_map.get_packages_from_generic_name(source, p, rel)
13 # determine default state but override this if pkg_db has a
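Review bot: the only behavioural change in this hunk is the iteration order over source.keys(), but it now depends on cve_lib.release_stamp resolving every key; a key that get_subproject_details cannot resolve gets the -1 sentinel and silently sorts ahead of the real releases instead of raising, so a short comment saying the sort is what fixes the ordering reported in LP: #2012327 would help the next reader. The context lines do not show a cve_lib import in active_edit; confirm one exists.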
14diff --git a/scripts/cve_lib.py b/scripts/cve_lib.py
15index e10fb9d..0429f71 100755
16--- a/scripts/cve_lib.py
17+++ b/scripts/cve_lib.py
18@@ -107,7 +107,6 @@ subprojects = {
19 "ppa": "ubuntu-esm/esm/ubuntu",
20 "parent": "ubuntu/precise",
21 "description": "Available with UA Infra or UA Desktop: https://ubuntu.com/advantage",
22- "stamp": 1493521200,
23 },
24 "esm/trusty": {
25 "eol": False,
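Review bot: dropping the explicit stamp from esm/precise (and from the other ESM entries in the hunks below) means release_stamp now falls through to release_progenitor and returns the parent's stamp, so esm/precise sorts next to ubuntu/precise rather than at the ESM start date. That is consistent with the NOTE in release_is_older_than, but it is the behavioural change behind the fix and the description does not mention it; consider stating it there.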
26@@ -119,7 +118,6 @@ subprojects = {
27 "ppa": "ubuntu-esm/esm-infra-security/ubuntu",
28 "parent": "ubuntu/trusty",
29 "description": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
30- "stamp": 1556593200,
31 },
32 "esm-infra/xenial": {
33 "eol": False,
34@@ -131,7 +129,6 @@ subprojects = {
35 "ppa": "ubuntu-esm/esm-infra-security/ubuntu",
36 "parent": "ubuntu/xenial",
37 "description": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
38- "stamp": 1618963200,
39 },
40 "esm-apps/xenial": {
41 "eol": False,
42@@ -143,7 +140,6 @@ subprojects = {
43 "ppa": "ubuntu-esm/esm-apps-security/ubuntu",
44 "parent": "esm-infra/xenial",
45 "description": "Available with Ubuntu Pro: https://ubuntu.com/pro",
46- "stamp": 1618963200,
47 },
48 "esm-apps/bionic": {
49 "eol": False,
50@@ -155,7 +151,6 @@ subprojects = {
51 "ppa": "ubuntu-esm/esm-apps-security/ubuntu",
52 "parent": "ubuntu/bionic",
53 "description": "Available with Ubuntu Pro: https://ubuntu.com/pro",
54- "stamp": 1524870000,
55 },
56 "esm-apps/focal": {
57 "eol": False,
58@@ -167,7 +162,6 @@ subprojects = {
59 "ppa": "ubuntu-esm/esm-apps-security/ubuntu",
60 "parent": "ubuntu/focal",
61 "description": "Available with Ubuntu Pro: https://ubuntu.com/pro",
62- "stamp": 1587567600,
63 },
64 "esm-apps/jammy": {
65 "eol": False,
66@@ -179,7 +173,6 @@ subprojects = {
67 "ppa": "ubuntu-esm/esm-apps-security/ubuntu",
68 "parent": "ubuntu/jammy",
69 "description": "Available with Ubuntu Pro: https://ubuntu.com/pro",
70- "stamp": 1650693600,
71 },
72 "fips/xenial": {
73 "eol": False,
74@@ -251,7 +244,6 @@ subprojects = {
75 "ppa": "ubuntu-robotics-packagers/ros-security/ubuntu",
76 "parent": "ubuntu/xenial",
77 "description": "Available with Ubuntu Advantage: https://ubuntu.com/advantage",
78- "stamp": None,
79 },
80 "ros-esm/melodic": {
81 "eol": False,
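Review bot: these ros-esm entries previously carried "stamp": None, which the old release_stamp returned unchanged; after this change they inherit the parent's stamp via the progenitor fallback. Check that no other entry still has "stamp": None, because the new release_stamp only catches KeyError and "%020d" % None in release_sort would raise TypeError at import time.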
82@@ -263,7 +255,6 @@ subprojects = {
83 "ppa": "ubuntu-robotics-packagers/ros-security/ubuntu",
84 "parent": "ubuntu/bionic",
85 "description": "Available with Ubuntu Advantage: https://ubuntu.com/advantage",
86- "stamp": None,
87 },
88 "ubuntu/warty": {
89 "eol": True,
90@@ -642,7 +633,7 @@ def product_series(rel):
91
92 # get the subproject details for rel along with it's canonical name, product and series
93 def get_subproject_details(rel):
94- """Return the product,series,details tuple for rel."""
95+ """Return the canonical name,product,series,details tuple for rel."""
96 canon, product, series, details = None, None, None, None
97 try:
98 details = subprojects[rel]
99@@ -652,7 +643,8 @@ def get_subproject_details(rel):
100 # look for alias
101 for r in subprojects:
102 try:
103- if subprojects[r]["alias"] == rel:
104+ if subprojects[r]["alias"] == rel \
105+ or (rel == "devel" and subprojects[r]["devel"]):
106 product, series = product_series(r)
107 details = subprojects[r]
108 canon = product + "/" + series
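Review bot: when rel == "devel", subprojects[r]["devel"] is evaluated for every entry whose alias does not match, so an entry without a "devel" key raises KeyError inside this try and is silently skipped along with the rest of the branch; using subprojects[r].get("devel", False) (and .get("alias") for the same reason) makes the lookup explicit and leaves the except for genuine misses only.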
109@@ -726,12 +718,19 @@ def release_progenitor(rel):
110
111 def release_stamp(rel):
112 """Return the time stamp for rel."""
113- stamp = 0
114+ stamp = -1
115 _, _, _, details = get_subproject_details(rel)
116- try:
117- stamp = details["stamp"]
118- except (KeyError, TypeError):
119- pass
120+ if details:
121+ # devel is special and so is assumed to be released in the future
122+ if "devel" in details and details["devel"]:
123+ stamp = sys.maxsize
124+ try:
125+ stamp = details["stamp"]
126+ except KeyError:
127+ rel = release_progenitor(rel)
128+ _, _, _, details = get_subproject_details(rel)
129+ if details:
130+ stamp = details["stamp"]
131 return stamp
132
133 def release_ppa(rel):
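Review bot: the devel special case is immediately overridden: after stamp = sys.maxsize the function still executes stamp = details["stamp"], so a devel entry that carries a stamp loses the "released in the future" value the comment promises; return sys.maxsize there, or put the try in an else branch. Two further points: the fallback assumes release_progenitor lands on an entry that has a stamp, which for esm-apps/xenial (parent esm-infra/xenial, whose stamp is also removed in this diff) only holds if release_progenitor walks the whole parent chain, otherwise the inner details["stamp"] raises an uncaught KeyError; and sys must be imported in cve_lib, which the context lines do not show.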
134@@ -889,6 +888,26 @@ for release in subprojects:
135 releases.append(rel)
136
137
138+def release_sort(release_list):
139+ '''takes a list of release names and sorts them in release order'''
140+
141+ # turn list into a tuples of (name, release stamp)
142+ rels = [(x, release_stamp(x)) for x in release_list]
143+ # sort list by release stamp (formatted to 20 places so we don't have to
144+ # worry about the number of digits in the stamp) but also prepend the
145+ # release name so releases that have the same stamp sort in alphabetical
146+ # order by name, then pull out just the names
147+ return [x[0] for x in sorted(rels, key=lambda x: ("%020d" % x[1]) + x[0])]
148+
149+
150+def release_is_older_than(release_a, release_b):
151+ '''return True if release_a appeared before release_b'''
152+
153+ # NOTE: foo/esm will be considered older than foo+1, even if the
154+ # actual esm event occurred far later than foo+1's release
155+ return all_releases.index(release_a) < all_releases.index(release_b)
156+
157+
158 # releases to display for flavors
159 flavor_releases = [
160 'lucid', 'precise', 'trusty', 'utopic', 'vivid', 'wily', 'xenial',
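Review bot: the string key ("%020d" % stamp) + name works, but only because '-' sorts before '0' for the -1 sentinel and sys.maxsize fits in 19 digits; key=lambda x: (x[1], x[0]) sorts on the tuple directly, drops the width assumption and reads clearer. Also, release_is_older_than indexes into all_releases, which at this point in the module is still the unsorted list and only becomes correct once the later assignment all_releases = release_sort(all_releases) has run; a comment noting that dependency would save someone moving this function.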
161@@ -896,6 +915,10 @@ flavor_releases = [
162 'focal', 'groovy', 'hirsute', 'impish', 'jammy', 'kinetic', "lunar",
163 ]
164
165+all_releases = release_sort(all_releases)
166+flavor_releases = release_sort(flavor_releases)
167+releases = release_sort(releases)
168+
169 # primary name of extended support maintenance (esm) releases
170 esm_releases = [x.split('/esm')[0] for x in all_releases if x.endswith('/esm')]
171
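Review bot: esm_releases on the following line is derived from the now-sorted all_releases, so it is ordered for free, but the other derived lists the new test parametrizes (esm_apps_releases, esm_infra_releases, ros_esm_releases) are not visible in this hunk; confirm they are built after this assignment, otherwise test_release_lists_are_sorted_by_default only passes by coincidence of declaration order.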
172@@ -1322,23 +1345,6 @@ CVE_RE = re.compile(r'^CVE-\d\d\d\d-[N\d]{4,7}$')
173 NOTE_RE = re.compile(r'^\s+([A-Za-z0-9-]+)([>|]) *(.*)$')
174
175
176-def release_sort(release_list):
177- '''takes a list of release names and sorts them in release order'''
178-
179- # turn list into a tuples of (name, release index)
180- rels = [(x, all_releases.index(x)) for x in release_list]
181- # sort list by release index, then pull out just the names
182- return [x[0] for x in sorted(rels, key=lambda x: x[1])]
183-
184-
185-def release_is_older_than(release_a, release_b):
186- '''return True if release_a appeared before release_b'''
187-
188- # NOTE: foo/esm will be considered older than foo+1, even if the
189- # actual esm event occurred far later than foo+1's release
190- return all_releases.index(release_a) < all_releases.index(release_b)
191-
192-
193
194 cve_dirs = [active_dir, retired_dir, ignored_dir]
195 if os.path.islink(embargoed_dir):
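Review bot: after this removal the module has three consecutive blank lines between NOTE_RE and cve_dirs (the two blank context lines before the removed block plus the one after it), which flake8 flags as E303; drop one of them in this hunk.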
196diff --git a/scripts/test_cve_lib.py b/scripts/test_cve_lib.py
197index 8bf4509..8d9792c 100755
198--- a/scripts/test_cve_lib.py
199+++ b/scripts/test_cve_lib.py
200@@ -4,6 +4,7 @@ import datetime
201 import json
202 import os
203 import pytest
204+import random
205 import sys
206 import cve_lib
207
208@@ -68,6 +69,31 @@ class TestPackageOverrideTests:
209 assert len(title) > 0
210 assert len(desc) > 0
211
212+class TestReleaseSort:
213+ def test_release_sort(self):
214+ print(cve_lib.all_releases)
215+ assert cve_lib.release_sort(
216+ ["jammy", "focal", "xenial", "bionic", "esm-apps/jammy"]) == \
217+ ["xenial", "bionic", "focal", "esm-apps/jammy", "jammy"]
218+
219+ # check all release lists in cve_lib are sorted OOTB
220+ @pytest.mark.parametrize("releases",
221+ [cve_lib.all_releases, cve_lib.flavor_releases,
222+ cve_lib.releases, cve_lib.esm_releases,
223+ cve_lib.esm_apps_releases,
224+ cve_lib.esm_infra_releases,
225+ cve_lib.ros_esm_releases])
226+ def test_release_lists_are_sorted_by_default(self, releases):
227+ assert cve_lib.release_sort(releases) == releases
228+
229+ def test_release_sort_stable(self):
230+ # unsort list of releases
231+ unsorted = list(cve_lib.all_releases)
232+ while unsorted == cve_lib.all_releases:
233+ random.shuffle(unsorted)
234+ # check sort order is stable
235+ sortd = cve_lib.release_sort(unsorted)
236+ assert sortd == cve_lib.all_releases
237
238 TEST_DATA_DIR = "test/"
239
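Review bot: print(cve_lib.all_releases) in test_release_sort is leftover debugging output and should go. test_release_sort_stable does not test stability in the sorting sense (equal keys keeping their input order); it checks the result is independent of input order, so a name such as test_release_sort_order_independent describes it better, and sortd reads like a typo (result avoids shadowing the builtin just as well). The expected "esm-apps/jammy" before "jammy" ordering is the one place the alphabetical tie-break for equal stamps is exercised and deserves a comment saying so. Style: the new class follows the previous one with a single blank line and TEST_DATA_DIR follows the class with one blank line, which flake8 flags as E302 and E305.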
