Your message dated Sun, 16 Oct 2022 05:06:09 +0300
with message-id <Y0tnEd2ywYhBh4ln@localhost>
and subject line Fixed in 1.4.3-1
has caused the Debian Bug report #1014803,
regarding ruby-yajl: CVE-2022-24795
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1014803: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014803
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-yajl
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for ruby-yajl.
CVE-2022-24795[0]:
| yajl-ruby is a C binding to the YAJL JSON parsing and generation
| library. The 1.x branch and the 2.x branch of `yajl` contain an
| integer overflow which leads to subsequent heap memory corruption when
| dealing with large (~2GB) inputs. The reallocation logic at
| `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0
| when `need` approaches a value of 0x80000000 (i.e. ~2GB of data),
| which results in a reallocation of buf->alloc into a small heap
| chunk. These integers are declared as `size_t` in the 2.x branch of
| `yajl`, which practically prevents the issue from triggering on 64bit
| platforms, however this does not preclude this issue triggering on
| 32bit builds on which `size_t` is a 32bit integer. Subsequent
| population of this under-allocated heap chunk is based on the original
| buffer size, leading to heap memory corruption. This vulnerability
| mostly impacts process availability. Maintainers believe exploitation
| for arbitrary code execution is unlikely. A patch is available and
| anticipated to be part of yajl-ruby version 1.4.2. As a workaround,
| avoid passing large inputs to YAJL.
https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-24795
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24795
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Version: 1.4.3-1
https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
Affected versions: <= 1.4.2
Patched versions: 1.4.3
NOTE: A previous patch, 1.4.2, fixed the heap memory issue, but could
still lead to a DoS infinite loop. Please update to version 1.4.3
--- End Message ---
