Integer overflow in the GenericReader::ParseNumber() function of include/rapidjson/reader.h when parsing JSON text from a stream. #2303

Open
shreyaaapatil opened this issue Aug 21, 2024 · 4 comments


@shreyaaapatil

The integer overflow issue appears to be reported in https://nvd.nist.gov/vuln/detail/CVE-2024-39684

Any fix for this issue provided in the current version 1.1.0?

@apoorv56

Hello all,
Is there any plan to fix this issue in a new release?
I could see one more similar vulnerability (reference -> https://www.mend.io/vulnerability-database/CVE-2024-38517)

@Mike276849

> The integer overflow issue appears to be reported in https://nvd.nist.gov/vuln/detail/CVE-2024-39684
>
> Any fix for this issue provided in the current version 1.1.0?

Can you demonstrate this issue?

If rapidjson::Document is parsed from some file with a large number (via `IStreamWrapper isw(ifs); Document d; d.ParseStream(isw);`), then for any integer value within the acceptable value range of uint64_t or int64_t, the parser will parse it correctly and show the type with GetType() and IsInt64()/IsUint64().

If an integer value exceeding these range limits is passed to the parser, the parser treats it as the type double and does some rounding if the integer value doesn't have a fully accurate double representation.

If the numeric value, be it integer or a decimal, exceeds the limits of double then the parser will report the error ParseErrorCode::kParseErrorNumberTooBig.

I don't see where the integer overflow is that CVE-2024-39684 has reported in GenericReader::ParseNumber.
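The three outcomes described in the comment above (exact 64-bit integer, fallback to double, number-too-big error) can be modelled without the library. This is an added example, not part of the thread and not RapidJSON's code: `NumKind` and `classify` are hypothetical names, only plain integer tokens are handled, and `strtod` stands in for the double fallback.

```cpp
#include <cerrno>
#include <cmath>
#include <cstdint>
#include <cstdlib>
#include <limits>
#include <string>

// Hypothetical result type for this model (not a RapidJSON enum).
enum class NumKind { Int64, Uint64, Double, TooBig, Invalid };

// Classify an integer token (optional '-', then digits): exact 64-bit
// integer if it fits, otherwise double, otherwise "too big".
// Fractions, exponents and leading-zero rules are out of scope here.
NumKind classify(const std::string& tok) {
    std::size_t i = 0;
    const bool neg = !tok.empty() && tok[0] == '-';
    if (neg) ++i;
    if (i == tok.size()) return NumKind::Invalid;

    // Largest magnitude that still fits: 2^63 for negatives (INT64_MIN),
    // 2^64 - 1 for non-negatives.
    const std::uint64_t limit =
        neg ? (std::uint64_t{1} << 63)
            : std::numeric_limits<std::uint64_t>::max();
    std::uint64_t acc = 0;
    bool fits = true;
    for (; i < tok.size(); ++i) {
        if (tok[i] < '0' || tok[i] > '9') return NumKind::Invalid;
        const std::uint64_t d = static_cast<std::uint64_t>(tok[i] - '0');
        // Test BEFORE multiplying so acc never wraps:
        // acc * 10 + d > limit  <=>  acc > (limit - d) / 10
        if (fits && acc > (limit - d) / 10) fits = false;
        if (fits) acc = acc * 10 + d;
    }
    if (fits) {
        const std::uint64_t int64_max = static_cast<std::uint64_t>(
            std::numeric_limits<std::int64_t>::max());
        return (neg || acc <= int64_max) ? NumKind::Int64 : NumKind::Uint64;
    }
    // Out of 64-bit range: fall back to double, or fail if even that overflows.
    errno = 0;
    const double v = std::strtod(tok.c_str(), nullptr);
    if (errno == ERANGE && std::fabs(v) == HUGE_VAL) return NumKind::TooBig;
    return NumKind::Double;
}
```

The boundary values worth checking against any parser are INT64_MAX, INT64_MAX + 1, UINT64_MAX, UINT64_MAX + 1, INT64_MIN, INT64_MIN - 1, and a digit string long enough to exceed the double range.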

@laurentcau

Hello,

Based on the original Microsoft report, they use GitHub CNA to communicate CVE details to maintainers:
"The vulnerability assigned to this CVE is in RapidJSON library which is consumed by Microsoft Active Directory Rights Management Services Client. The CVE for this open source component, which is used in a Microsoft product, is assigned by GitHub CNA." (source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-39684)
If you are a maintainer you should have received something from them. Probably with a patch to apply.
(see https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)

@sspivey98

Hey, I would just like to clarify - I believe the original link from NIST is misguiding. This seems to be an issue with the Microsoft team who manages Microsoft Active Directory Rights Management Services Client program failing to upgrade rapidjson (probably past the 1.10 release). The GitHub commit 8269bc2 and PR referenced in the writeup that fixed this issue are from 2018.

https://www.cybersecurity-help.cz/vulnerabilities/94061/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38517
