Your message dated Wed, 16 Aug 2023 22:53:38 +0200
with message-id <[email protected]>
and subject line Re: yajl: CVE-2017-16516 CVE-2022-24795
has caused the Debian Bug report #1040146,
regarding burp: embedded yajl is vulnerable to CVE-2017-16516 and CVE-2022-24795
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1040146: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040146
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: yajl
Severity: important
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>

After preparing the LTS upload of yajl I've seen the following issues in
the upstream github issue tracker:

CVE-2017-16516 [1] portential buffer overread: A JSON file can cause denial of
 service.

CVE-2022-24795 [2] potential integer overflow which can lead to subsequent heap
  memory corruption when dealing with large (~2GB) input

The upstream issue tracker also indicates that there might be other 
vulnerabilies
(without CVEs or unknown CVEs), but I did not investiage further:
https://github.com/lloyd/yajl/issues/206 (double free)
https://github.com/lloyd/yajl/issues/204 (Uninitialized memory reads and 
out-of-bound)

It seems that the code is unmaintained upstream. It might be a good idea to 
evaluate
if any of the forks are more active and whether Debian should move there.

Cheers,
-- 
tobi

[1] https://github.com/lloyd/yajl/issues/248
    Potential fix: 
https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce

[2] https://github.com/lloyd/yajl/issues/239
    Potential fix (howver the use of abort() can cause issues.)
    https://github.com/lloyd/yajl/pull/240

-- System Information:
Debian Release: 12.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'oldstable-security'), (500, 
'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'oldstable'), (100, 
'bullseye-fasttrack'), (100, 'bullseye-backports-staging'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-9-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
I've update the package Sean Whitton fixes.

I've already warned the upstream developer to use the debian-included yajl or use a fork.

I'm trying to figure out if it's easy to do a rebuild. If you have experience and want to help me, please contact me.
--- End Message ---

Reply via email to