Fix for CVE-2007-2381


Konstantin Ryabitsev

May 1, 2007, 4:41:20 PM
to MochiKit
Hello:

Will there be a fix for http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2381
in the 1.3.1 branch?

Cheers,
Konstantin Ryabitsev,
Fedora Project

Bob Ippolito

May 1, 2007, 4:49:43 PM
to Konstantin Ryabitsev, MochiKit
On 5/1/07, Konstantin Ryabitsev <mri...@gmail.com> wrote:
>
> Hello:
>
> Will there be a fix for http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2381
> in the 1.3.1 branch?
>

Nope. It's not a real security issue, not with MochiKit anyway. The
recommended "fix" would mean supporting some junk that's not JSON
anymore. I've already caved and put said support on the trunk just so
people would shut up about the issue, but I'm certainly not going to
make a maintenance release to "fix" this non-issue.

Ensuring that your server only sends JSON when properly authenticated,
or otherwise sending only non-exploitable JSON (e.g. JSON with an
object envelope) is the only solution to this problem.

Only a very small subset of JSON, specifically [array, envelope, json]
is susceptible to this data leakage attack. Don't send that stuff on
the server-side, and there is no problem. Most people don't send array
envelope JSON anyhow. Either way, totally irrelevant to the
client-side. It's like saying that we should fix browsers so that they
can't be used to mount a SQL injection attack on a poorly written
service.

-bob
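To make the distinction Bob draws concrete, here is an added example (not MochiKit's own code) that classifies a JSON body by its top-level envelope and shows the object-envelope wrapping he recommends; the `"d"` key name is an assumption, any key the client and server agree on works.

```javascript
// Added illustration, not part of the original thread or of MochiKit.
// Only a bare top-level array is a complete, valid JavaScript program, so a
// hostile page can pull such a response in with <script src=...> (the
// victim's cookies ride along) and, in the affected browsers of the day,
// observe its values. A top-level object literal "{...}" is parsed as a block
// statement and fails with a syntax error before any data is produced, so an
// object envelope closes that channel.

function topLevelEnvelope(body) {
  // Returns 'array', 'object' or 'scalar' for the top-level JSON value.
  const value = JSON.parse(body); // throws on invalid JSON
  if (Array.isArray(value)) return 'array';
  if (value !== null && typeof value === 'object') return 'object';
  return 'scalar';
}

// The only shape susceptible to the leakage described above.
function isArrayEnvelope(body) {
  return topLevelEnvelope(body) === 'array';
}

// Server side: always emit an object envelope (assumed key "d").
function wrapInObjectEnvelope(value) {
  return JSON.stringify({ d: value });
}

// Client side: accept only the agreed envelope, refuse everything else.
function unwrapObjectEnvelope(body) {
  const parsed = JSON.parse(body);
  if (parsed === null || typeof parsed !== 'object' ||
      Array.isArray(parsed) || !('d' in parsed)) {
    throw new Error('expected an object envelope with key "d"');
  }
  return parsed.d;
}

// Constructed sample data: a per-user listing that must not be served as a
// bare array.
const sampleRecords = [
  { id: 1, email: 'alice@example.invalid' },
  { id: 2, email: 'bob@example.invalid' },
];
const bareBody = JSON.stringify(sampleRecords);          // '[{"id":1,...}]'
const wrappedBody = wrapInObjectEnvelope(sampleRecords); // '{"d":[...]}'
```

Run `isArrayEnvelope` over captured responses of an existing service to find the endpoints that still ship the array form.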

Konstantin Ryabitsev

May 1, 2007, 5:06:26 PM
to MochiKit
On May 1, 4:49 pm, "Bob Ippolito" <b...@redivi.com> wrote:
> > Will there be a fix for http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2381

OK, fair enough. I'm just going through the proper motions to handle a
bug report against my package in Fedora
(https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=238616).

Cheers,
Konstantin
