Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix: remove unsafe exec() in parson.c#14823

Closed
orbisai0security wants to merge 1 commit into
gohugoio:masterfrom
orbisai0security:fix-parson-sprintf-buffer-overflow-v-001
Closed

fix: remove unsafe exec() in parson.c#14823
orbisai0security wants to merge 1 commit into
gohugoio:masterfrom
orbisai0security:fix-parson-sprintf-buffer-overflow-v-001

Conversation

@orbisai0security
Copy link
Copy Markdown

@orbisai0security orbisai0security commented Apr 29, 2026

Summary

Fix high severity security issue in internal/warpc/genwebp/deps/parson/parson.c.

Vulnerability

Field Value
ID V-001
Severity HIGH
Scanner multi_agent_ai
Rule V-001
File internal/warpc/genwebp/deps/parson/parson.c:816

Description: The parson.c JSON serialization library uses unsafe sprintf() calls at lines 816, 818, and 876 to write formatted numeric and string values into fixed-size stack buffers (num_buf) without specifying a maximum output length. A sufficiently large numeric value or long string can overflow the buffer and corrupt adjacent stack memory, potentially enabling arbitrary code execution or crashing the warpc worker process.

Changes

  • internal/warpc/genwebp/deps/parson/parson.c

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security

@orbisai0security
fix: V-001 security vulnerability
6e7a6a6 
Automated security fix generated by Orbis Security AI
@gemini-code-assist
Copy link
Copy Markdown

gemini-code-assist Bot commented Apr 29, 2026

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

@bep bep mentioned this pull request Apr 29, 2026
Merged
bep added a commit to bep/hugo that referenced this pull request Apr 29, 2026
@bep
warpc: Move to parson.c in https://github.com/kgabis/parson
fe3e49d 
And be specific about which commit we use.

Hugo treat this as an upstream dependency, so we would appreciate that any bugs will be reported and fixed upstream.

See gohugoio#14823
@bep
Copy link
Copy Markdown
Member

bep commented Apr 29, 2026

See #14827 -- this moves us to the release version of parson.c; I don't remember the history here, but this should at least make it easier to reason about which upstream dependency that's in use. A few notes from me on this PR:

  • Any (non-trivial) PR starts out with an issue.
  • Any security issue need to be non-theorethical; it must at least make a probable argument that something bad could happen. parson.c is used to parse JSON from Hugo (config options converted to JSON from Go structs) and then to construct a JSON form the C side with some metadata received from libwebp (width/height etc.). I don't see an obvious path for a user to somehow get e.g. "sufficiently large numeric value" into this.
  • Also, we never patch upstream libraries unless we really have to, so this needs to start with an upstream issue at https://github.com/kgabis/parson

@bep bep closed this Apr 29, 2026
bep added a commit that referenced this pull request Apr 29, 2026
@bep
warpc: Move to parson.c in https://github.com/kgabis/parson
8b40a96 
And be specific about which commit we use.

Hugo treat this as an upstream dependency, so we would appreciate that any bugs will be reported and fixed upstream.

See #14823
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@orbisai0security @bep