[rpms/python-ujson] epel9: Backport fix for CVE-2026-44660; fixes RHBZ#2486949

public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed

From: Benjamin A. Beasley <code@musicinmybrain.net>
To: git-commits@fedoraproject.org
Subject: [rpms/python-ujson] epel9: Backport fix for CVE-2026-44660; fixes RHBZ#2486949
Date: Tue, 09 Jun 2026 10:17:48 GMT	[thread overview]
Message-ID: <178100026832.1.4907089244228338096.rpms-python-ujson-607477d5c996@fedoraproject.org> (raw)

A new commit has been pushed.

Repo   : rpms/python-ujson
Branch : epel9
Commit : 607477d5c996c3893932f561919cb2bd775affcb
Author : Benjamin A. Beasley <code@musicinmybrain.net>
Date   : 2026-06-09T11:16:21+01:00
Stats  : +116/-4 in 4 file(s)
URL    : https://src.fedoraproject.org/rpms/python-ujson/c/607477d5c996c3893932f561919cb2bd775affcb?branch=epel9

Log:
Backport fix for CVE-2026-44660; fixes RHBZ#2486949

---
diff --git a/0001-Fix-memory-leak-parsing-large-integers.patch b/0001-Fix-memory-leak-parsing-large-integers.patch
index b02a47d..0baa320 100644
--- a/0001-Fix-memory-leak-parsing-large-integers.patch
+++ b/0001-Fix-memory-leak-parsing-large-integers.patch
@@ -1,7 +1,7 @@
 From 1488fa87b515b017cd40a089459458b17974f037 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Br=C3=A9nainn=20Woodsend?= <bwoodsend@gmail.com>
 Date: Wed, 10 Dec 2025 22:37:20 +0000
-Subject: [PATCH 1/2] Fix memory leak parsing large integers
+Subject: [PATCH 1/3] Fix memory leak parsing large integers
 
 ---
  python/JSONtoObj.c  |  4 +++-
@@ -49,5 +49,5 @@ index f6d8427..ae9ef5d 100644
      "test_input, expected",
      [
 -- 
-2.53.0
+2.54.0
 

diff --git a/0002-Fix-buffer-overflow-infinite-loop-from-indent-handli.patch b/0002-Fix-buffer-overflow-infinite-loop-from-indent-handli.patch
index e051223..c81c921 100644
--- a/0002-Fix-buffer-overflow-infinite-loop-from-indent-handli.patch
+++ b/0002-Fix-buffer-overflow-infinite-loop-from-indent-handli.patch
@@ -1,7 +1,7 @@
 From 1ae7c9bec40114b985b9d9d2da8193b52e33e25a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Br=C3=A9nainn=20Woodsend?= <bwoodsend@gmail.com>
 Date: Wed, 4 Mar 2026 22:28:11 +0000
-Subject: [PATCH 2/2] Fix buffer overflow/infinite loop from indent handling
+Subject: [PATCH 2/3] Fix buffer overflow/infinite loop from indent handling
 
 If indent * nest depth is large enough to overflow an int, it causes the
 required output buffer size to be underestimated leading to a buffer
@@ -186,5 +186,5 @@ index ae9ef5d..9268d86 100644
  
  @pytest.mark.parametrize("first_length", list(range(2, 7)))
 -- 
-2.53.0
+2.54.0
 

diff --git a/0003-Fix-failure-cleanup-paths-in-ujson.dump.patch b/0003-Fix-failure-cleanup-paths-in-ujson.dump.patch
new file mode 100644
index 0000000..a10a043
--- /dev/null
+++ b/0003-Fix-failure-cleanup-paths-in-ujson.dump.patch
@@ -0,0 +1,103 @@
+From 68e19b871ec25e0ad4f4e2521c480fea49767661 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Br=C3=A9nainn=20Woodsend?= <bwoodsend@gmail.com>
+Date: Sun, 3 May 2026 12:22:48 +0100
+Subject: [PATCH 3/3] Fix failure cleanup paths in ujson.dump()
+
+* Add missing dec-refs for if PyTuple_Pack() or writing the payload to
+  file fails
+
+* Add missing bailout for failed PyTuple_Pack()
+
+* Add tests for all but the PyTuple_Pack() failing (which requires
+  inducing a malloc() failure)
+---
+ python/objToJSON.c  |  7 +++++++
+ tests/test_ujson.py | 33 +++++++++++++++++++++++++++++++++
+ 2 files changed, 40 insertions(+)
+
+diff --git a/python/objToJSON.c b/python/objToJSON.c
+index c7675cb..e28186e 100644
+--- a/python/objToJSON.c
++++ b/python/objToJSON.c
+@@ -1050,6 +1050,11 @@ PyObject* objToJSONFile(PyObject* self, PyObject *args, PyObject *kwargs)
+   }
+ 
+   argtuple = PyTuple_Pack(1, data);
++  if (argtuple == NULL)
++  {
++    Py_XDECREF(write);
++    return NULL;
++  }
+ 
+   string = objToJSON (self, argtuple, kwargs);
+ 
+@@ -1066,6 +1071,7 @@ PyObject* objToJSONFile(PyObject* self, PyObject *args, PyObject *kwargs)
+   if (argtuple == NULL)
+   {
+     Py_XDECREF(write);
++    Py_DECREF(string);
+     return NULL;
+   }
+ 
+@@ -1073,6 +1079,7 @@ PyObject* objToJSONFile(PyObject* self, PyObject *args, PyObject *kwargs)
+   if (write_result == NULL)
+   {
+     Py_XDECREF(write);
++    Py_DECREF(string);
+     Py_XDECREF(argtuple);
+     return NULL;
+   }
+diff --git a/tests/test_ujson.py b/tests/test_ujson.py
+index 9268d86..de35c2b 100644
+--- a/tests/test_ujson.py
++++ b/tests/test_ujson.py
+@@ -8,6 +8,7 @@ import os.path
+ import re
+ import subprocess
+ import sys
++import types
+ import uuid
+ from collections import OrderedDict
+ from pathlib import Path
+@@ -365,6 +366,38 @@ def test_dump_to_file_like_object():
+ def test_dump_file_args_error():
+     with pytest.raises(TypeError):
+         ujson.dump([], "")
++    with pytest.raises(TypeError):
++        ujson.dump([], "", "")
++
++
++def test_dump_non_callable_write():
++    file = types.SimpleNamespace(write="a")
++    with pytest.raises(TypeError):
++        ujson.dump([7] * 100, file)
++
++
++def test_failed_dump():
++    with pytest.raises(TypeError):
++        ujson.dump([[0] * 100, object()], io.StringIO())
++
++
++def test_failed_dump_bogus_file():
++    file = types.SimpleNamespace(write=lambda: None)
++    with pytest.raises(TypeError, match="0 positional arguments"):
++        ujson.dump([0] * 100, file)
++
++
++def test_failed_dump_failed_write():
++    file = types.SimpleNamespace(write=lambda x: 1 / 0)
++    with pytest.raises(ZeroDivisionError):
++        ujson.dump([0] * 100, file)
++
++
++def test_failed_dump_closed_file():
++    file = io.StringIO()
++    file.close()
++    with pytest.raises(ValueError, match="closed file"):
++        ujson.dump([0] * 100, file)
+ 
+ 
+ def test_load_file():
+-- 
+2.54.0
+

diff --git a/python-ujson.spec b/python-ujson.spec
index 3fc46d3..7962e62 100644
--- a/python-ujson.spec
+++ b/python-ujson.spec
@@ -47,6 +47,15 @@ Patch:          0001-Fix-memory-leak-parsing-large-integers.patch
 # https://github.com/ultrajson/ultrajson/commit/486bd4553dc471a1de11613bc7347a6b318e37ea
 # Cherry-picked to v5.8.0
 Patch:          0002-Fix-buffer-overflow-infinite-loop-from-indent-handli.patch
+# Backport fix for CVE-2026-44660 from v5.12.1
+# https://www.cve.org/CVERecord?id=CVE-2026-44660
+# https://bugzilla.redhat.com/show_bug.cgi?id=2486949
+# https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c38f-wx89-p2xg
+#
+# Fix failure cleanup paths in ujson.dump()
+# https://github.com/ultrajson/ultrajson/commit/82af1d0ac01d09aa40c887b460d44b9d9f4bccd9
+# Cherry-picked to v5.8.0
+Patch:          0003-Fix-failure-cleanup-paths-in-ujson.dump.patch
 
 BuildRequires:  gcc
 BuildRequires:  gcc-c++

                 reply	other threads:[~2026-06-09 10:17 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=178100026832.1.4907089244228338096.rpms-python-ujson-607477d5c996@fedoraproject.org \
    --to=code@musicinmybrain.net \
    --cc=git-commits@fedoraproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox