Update dependency ujson to v5.4.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
ujson	==5.1.0 -> ==5.4.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2021-45958

UltraJSON (aka ujson) 1.34 through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode).

CVE-2022-31117

Impact

What kind of vulnerability is it? Who is impacted?

When an error occurs while reallocating the buffer for string decoding, the buffer gets freed twice.

Due to how UltraJSON uses the internal decoder, this double free is impossible to trigger from Python.

Patches

Has the problem been patched? What versions should users upgrade to?

Users should upgrade to UltraJSON 5.4.0.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

There is no workaround.

For more information

If you have any questions or comments about this advisory:

• Open an issue in UltraJSON

CVE-2022-31116

Impact

What kind of vulnerability is it? Who is impacted?

Anyone parsing JSON from an untrusted source is vulnerable.

JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries.

Examples:

# An unpaired high surrogate character is ignored.
>>> ujson.loads(r'"\uD800"')
''
>>> ujson.loads(r'"\uD800hello"')
'hello'

# An unpaired low surrogate character is preserved.
>>> ujson.loads(r'"\uDC00"')
'\udc00'

# A pair of surrogates with additional non surrogate characters pair up in spite of being invalid.
>>> ujson.loads(r'"\uD800foo bar\uDC00"')
'foo bar𐀀'

Patches

Has the problem been patched? What versions should users upgrade to?

Users should upgrade to UltraJSON 5.4.0.

From version 5.4.0, UltraJSON decodes lone surrogates in the same way as the standard library's json module does, preserving them in the parsed output:

>>> ujson.loads(r'"\uD800"')
'\ud800'
>>> ujson.loads(r'"\uD800hello"')
'\ud800hello'
>>> ujson.loads(r'"\uDC00"')
'\udc00'
>>> ujson.loads(r'"\uD800foo bar\uDC00"')
'\ud800foo bar\udc00'

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Short of switching to an entirely different JSON library, there are no safe alternatives to upgrading.

For more information

If you have any questions or comments about this advisory:

• Open an issue in UltraJSON

---

Release Notes

ultrajson/ultrajson (ujson)

v5.4.0

Compare Source

Added

• Add support for arbitrary size integers (#​548) @​JustAnotherArchivist

Fixed

• CVE-2022-31116:
  • Replace wchar_t string decoding implementation with a uint32_t-based one (#​555) @​JustAnotherArchivist
  • Fix handling of surrogates on decoding (#​550) @​JustAnotherArchivist
• CVE-2022-31117: Potential double free of buffer during string decoding @​JustAnotherArchivist
• Fix memory leak on encoding errors when the buffer was resized (#​549) @​JustAnotherArchivist
• Integer parsing: always detect overflows (#​544) @​NaN-git
• Fix handling of surrogates on encoding (#​530) @​JustAnotherArchivist

v5.3.0

Compare Source

Added

• Test Python 3.11 beta (#​539) @​hugovk

Changed

• Benchmark refactor - argparse CLI (#​533) @​Erotemic

Fixed

• Fix segmentation faults when errors occur while handling unserialisable objects (#​531) @​JustAnotherArchivist
• Fix segmentation fault when an exception is raised while converting a dict key to a string (#​526) @​JustAnotherArchivist
• Fix memory leak dumping on non-string dict keys (#​521) @​JustAnotherArchivist
• Fix ref counting on repeated default function calls (#​524) @​JustAnotherArchivist
• Remove redundant wheel dependency from pyproject.toml (#​535) @​hugovk

v5.2.0

Compare Source

Added

• Support parsing NaN, Infinity and -Infinity (#​514) @​Erotemic
• Support dynamically linking against system double-conversion library (#​508) @​musicinmybrain
• Add env var to control stripping debug info (#​507) @​musicinmybrain
• Add JSONDecodeError (#​498) @​JustAnotherArchivist

Fixed

• Fix buffer overflows (CVE-2021-45958) (#​519) @​JustAnotherArchivist
• Upgrade Black to fix Click (#​515) @​hugovk
• simplify exception handling on integer overflow (#​510) @​RouquinBlanc
• Remove dead code that used to handle the separate int type in Python 2 (#​509) @​JustAnotherArchivist
• Fix exceptions on encoding list or dict elements and non-overflow errors on int handling getting silenced (#​505) @​JustAnotherArchivist

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.