cbor2 Integer Underflow and Memory Leak Vulnerabilities in C Extension Decoder Allow Denial-of-Service

Vulnerability

In the cbor2 library, all versions prior to 5.7.1, multiple vulnerabilities have been identified in the C extension decoder's decode_definite_long_string() function. These vulnerabilities include an integer underflow leading to an out-of-bounds read, and a memory leak caused by a failure to properly manage Python object references. The integer underflow occurs because an incorrect variable reference and a missing state reset in the chunk processing loop allow buffer_length to retain a stale value, so the calculation of chunk_length goes negative. This flaw can be exploited to trigger unlimited read operations, causing resource exhaustion. The memory leak arises from the same processing loop not releasing references to chunk objects, so the leaked memory accumulates as large CBOR payloads are processed. Both vulnerabilities can be exploited remotely without authentication by sending specially crafted CBOR data containing definite-length text strings whose multi-byte UTF-8 characters fall on the 65536-byte chunk boundaries. Exploitation causes process crashes or memory exhaustion, affecting any application that uses cbor2's C extension to handle untrusted CBOR data, such as web APIs, IoT data collectors, and message queue processors.

Impact

Exploitation of these vulnerabilities leads to process crashes or memory exhaustion, causing denial-of-service conditions.

Reproduction

The vulnerability can be reproduced with cbor2 version 5.7.0. A CBOR payload is crafted so that multi-byte UTF-8 characters are split across 65536-byte chunk boundaries. When the cbor2 decoder processes this payload, it requests an unlimited number of bytes, bypassing the intended boundaries, and the process can crash with a 'premature end of stream' error. This behavior can be automated with a script that sends the malicious CBOR data to an application using the vulnerable cbor2 version.

Remediation

Users can upgrade to cbor2 version 5.7.1, which addresses these vulnerabilities by correcting the chunk length calculation, releasing Python object references to prevent memory leaks, and adding test cases to ensure the issues are properly handled.
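The decode flow that the Vulnerability and Remediation sections describe, written out as an added example in pure Python; this is not cbor2's own C code and does not reproduce its internals. It shows the property the fix restores: each chunk length is derived from the number of bytes still owed by the definite length (never from a stale buffer variable), so the loop can never go negative, a partial UTF-8 sequence at the 65536-byte chunk boundary is carried into the next chunk by an incremental decoder, and a stream that ends early fails with an explicit error instead of an unbounded read. The function and class names, the optional max_length guard and the sample input are assumptions made for this example; the CBOR text-string header layout follows RFC 8949 (major type 3), and 65536 is the chunk size named in the advisory.

```python
import codecs
import io
import struct

CHUNK_SIZE = 65536  # chunk size named in the advisory


class CBORDecodeError(ValueError):
    """Raised when the stream is malformed or ends before the declared length."""


def _read_exact(stream, n):
    # Bounded read: a short read is an error, never a reason to keep asking for bytes.
    data = stream.read(n)
    if len(data) != n:
        raise CBORDecodeError("premature end of stream")
    return data


def read_text_string_length(stream):
    """Parse the initial byte of a major-type-3 item and return its definite length."""
    initial = _read_exact(stream, 1)[0]
    major, info = initial >> 5, initial & 0x1F
    if major != 3:
        raise CBORDecodeError("not a text string (major type 3)")
    if info < 24:
        return info
    if info == 24:
        return _read_exact(stream, 1)[0]
    if info == 25:
        return struct.unpack(">H", _read_exact(stream, 2))[0]
    if info == 26:
        return struct.unpack(">I", _read_exact(stream, 4))[0]
    if info == 27:
        return struct.unpack(">Q", _read_exact(stream, 8))[0]
    raise CBORDecodeError("indefinite-length or reserved additional info")


def decode_definite_text_string(stream, max_length=None):
    """Decode one definite-length text string in CHUNK_SIZE pieces.

    chunk_length is always min(CHUNK_SIZE, remaining), so it is bounded by the
    declared length and cannot underflow; the incremental decoder holds any
    UTF-8 sequence that straddles a chunk boundary until the next chunk arrives.
    """
    total = read_text_string_length(stream)
    if max_length is not None and total > max_length:
        raise CBORDecodeError("declared length %d exceeds limit %d" % (total, max_length))
    decoder = codecs.getincrementaldecoder("utf-8")()
    remaining = total
    parts = []
    while remaining > 0:
        chunk_length = min(CHUNK_SIZE, remaining)
        chunk = _read_exact(stream, chunk_length)
        remaining -= chunk_length
        # final=True on the last chunk makes a dangling partial sequence an error
        parts.append(decoder.decode(chunk, final=(remaining == 0)))
    return "".join(parts)


def encode_text_string(text):
    """Encode a str as a definite-length CBOR text string (used to build test input)."""
    data = text.encode("utf-8")
    n = len(data)
    if n < 24:
        header = bytes([0x60 | n])
    elif n < 0x100:
        header = bytes([0x78, n])
    elif n < 0x10000:
        header = b"\x79" + struct.pack(">H", n)
    elif n < 0x100000000:
        header = b"\x7A" + struct.pack(">I", n)
    else:
        header = b"\x7B" + struct.pack(">Q", n)
    return header + data


def boundary_sample():
    # Constructed test input: 65535 ASCII bytes, then "\u00e9" (two bytes in UTF-8)
    # so its bytes straddle the 65536-byte chunk boundary, then a short tail.
    return "a" * 65535 + "\u00e9" + "b" * 10


def try_decode(data, max_length=None):
    """Decode bytes and report ('ok', text) or ('error', message) for easy checking."""
    try:
        return ("ok", decode_definite_text_string(io.BytesIO(data), max_length))
    except (CBORDecodeError, UnicodeDecodeError) as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    print(try_decode(encode_text_string(boundary_sample()))[0])
    print(try_decode(encode_text_string(boundary_sample())[:-5]))
```

Running the file prints "ok" for the boundary-straddling sample and an ("error", "premature end of stream") tuple for the same payload with its last five bytes removed, which is the outcome a hardened decoder should produce instead of requesting more bytes.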

Added: Nov 18, 2025, 6:17 PM
Updated: Nov 18, 2025, 6:17 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.