Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: y...@packages.debian.org
Control: affects -1 + src:yajl
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: y...@packages.debian.org
Control: affects -1 + src:yajl

Previous o-s-p-u upload was #1040137; two additional CVEs have been fixed since then and the fix for CVE-2023-33460 has been found to be incomplete.

This upload is part of fixing yajl for every release. So far sid, buster (DLA-3492), stretch and jessie (ELA-892-1) have been targeted. bookworm s-p-u is pending, see #1040863.

CVE-2017-16516
    When a crafted JSON file is supplied to yajl, the process might crash with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This potentially results in a denial of service.

CVE-2022-24795
    The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs.

CVE-2023-33460
    There's a memory leak in yajl 2.1.0 with use of the yajl_tree_parse function, which can potentially cause out-of-memory in a server and cause a crash.

[ Risks ]
Required changes are minimal, see debdiff. Package testsuite passes.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

For unstable, the fixes are in 2.1.0-5.

I have already uploaded to the s-p-u queue.
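The integer overflow summarised under CVE-2022-24795 above, as an added example that is neither yajl's code nor part of this bug report: the doubling loop that yajl 2.1.0's yajl_buf_ensure_available used is reproduced on a 32-bit size type, so the wrap that needs roughly 2 GiB of input becomes visible in a unit test, next to a checked variant that reports failure to the caller instead of calling abort(). The function names, the uint32_t stand-in for size_t, the write_fits model of the subsequent memcpy and the sample sizes are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not yajl's code. uint32_t stands in for size_t so that
 * the overflow reachable with ~2 GiB of input fits in a test case. */
typedef uint32_t sz_t;
#define SZ_MAX UINT32_MAX

/* Mirrors the growth loop yajl 2.1.0 used before the CVE-2022-24795 patch:
 * double `need` until `want` more bytes fit after `used`, with no overflow
 * checks. Precondition (as in yajl): len > 0, used <= len.
 * Returns the capacity the caller would hand to realloc(). */
sz_t grow_unchecked(sz_t len, sz_t used, sz_t want)
{
    sz_t need = len;
    while (want >= (sz_t)(need - used))
        need <<= 1;   /* silently wraps to 0 once need reaches 2^31 */
    return need;
}

/* Hardened growth: the same doubling, but every arithmetic step is checked
 * and failure is reported instead of aborting the process.
 * Returns true and stores the new capacity in *out, or false on overflow
 * or inconsistent buffer state. */
bool grow_checked(sz_t len, sz_t used, sz_t want, sz_t *out)
{
    sz_t need = len;
    if (len == 0 || used > len)   /* corrupt or uninitialised buffer */
        return false;
    if (want > SZ_MAX - used)     /* used + want would wrap */
        return false;
    while (want >= (sz_t)(need - used)) {
        if (need > SZ_MAX / 2)    /* need <<= 1 would wrap */
            return false;
        need <<= 1;
    }
    *out = need;
    return true;
}

/* Convenience wrapper: new capacity, or 0 when growth is impossible. */
sz_t grow_checked_or_zero(sz_t len, sz_t used, sz_t want)
{
    sz_t cap = 0;
    return grow_checked(len, used, want, &cap) ? cap : 0;
}

/* Models the memcpy that follows the realloc: does a write of `want`
 * bytes at offset `used` stay inside a buffer of `cap` bytes? */
bool write_fits(sz_t cap, sz_t used, sz_t want)
{
    return used <= cap && want <= cap - used;
}

int main(void)
{
    /* Constructed scenario: buffer already 2 GiB, 16 bytes free, append 32. */
    sz_t len  = 0x80000000u;
    sz_t used = 0x80000000u - 16;
    sz_t want = 32;

    sz_t cap = grow_unchecked(len, used, want);
    printf("unchecked: realloc to %u bytes, write fits: %s\n",
           (unsigned)cap, write_fits(cap, used, want) ? "yes" : "NO");

    if (grow_checked(len, used, want, &cap))
        printf("checked:   realloc to %u bytes\n", (unsigned)cap);
    else
        printf("checked:   growth refused, caller reports an error\n");

    /* Ordinary sizes behave identically in both variants. */
    printf("normal:    %u vs %u\n", (unsigned)grow_unchecked(2048, 1000, 5000),
           (unsigned)grow_checked_or_zero(2048, 1000, 5000));
    return 0;
}
```

In the unchecked variant the capacity wraps to 0, so the realloc shrinks the buffer and the following copy of `want` bytes at offset `used` lands far outside it; the checked variant refuses the same request before any allocation happens. The patch in the debdiff reaches the same decision points but calls abort() there, which is safe against corruption but still ends the process.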
diff -Nru yajl-2.1.0/debian/changelog yajl-2.1.0/debian/changelog --- yajl-2.1.0/debian/changelog 2023-07-02 13:31:39.000000000 +0200 +++ yajl-2.1.0/debian/changelog 2023-07-11 19:55:30.000000000 +0200 @@ -1,3 +1,15 @@ +yajl (2.1.0-3+deb11u2) bullseye; urgency=medium + + [Tobias Frost] + * Non-maintainer upload. + * Cherry pick John's CVE fixes from 2.1.0-4 and 2.1.0-5 + + [John Stamp] + * Patch CVE-2017-16516 and CVE-2022-24795 (Closes: #1040036) + * The patch for CVE-2023-33460 turned out to be incomplete. Fix that. (Closes: #1039984) + + -- Tobias Frost <t...@debian.org> Tue, 11 Jul 2023 19:55:30 +0200 + yajl (2.1.0-3+deb11u1) bullseye; urgency=medium * Non-maintainer upload. diff -Nru yajl-2.1.0/debian/patches/CVE-2017-16516.patch yajl-2.1.0/debian/patches/CVE-2017-16516.patch --- yajl-2.1.0/debian/patches/CVE-2017-16516.patch 1970-01-01 01:00:00.000000000 +0100 +++ yajl-2.1.0/debian/patches/CVE-2017-16516.patch 2023-07-10 19:32:01.000000000 +0200 
@@ -0,0 +1,22 @@ +Description: Fix for CVE-2017-16516 + Potential buffer overread: A JSON file can cause denial of service. +Origin: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036 +Bug: https://github.com/lloyd/yajl/issues/248 +--- + src/yajl_encode.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/src/yajl_encode.c ++++ b/src/yajl_encode.c +@@ -139,8 +139,8 @@ + end+=3; + /* check if this is a surrogate */ + if ((codepoint & 0xFC00) == 0xD800) { +- end++; +- if (str[end] == '\\' && str[end + 1] == 'u') { ++ if (end + 2 < len && str[end + 1] == '\\' && str[end + 2] == 'u') { ++ end++; + unsigned int surrogate = 0; + hexToDigit(&surrogate, str + end + 2); + codepoint = diff -Nru yajl-2.1.0/debian/patches/CVE-2022-24795.patch yajl-2.1.0/debian/patches/CVE-2022-24795.patch --- yajl-2.1.0/debian/patches/CVE-2022-24795.patch 1970-01-01 01:00:00.000000000 +0100 +++ yajl-2.1.0/debian/patches/CVE-2022-24795.patch 2023-07-10 19:32:01.000000000 +0200 
@@ -0,0 +1,30 @@ +Description: Fix for CVE-2022-24795 + An integer overflow will lead to heap memory corruption with large (~2GB) inputs. +Origin: https://github.com/ppisar/yajl/commit/23cea2d7677e396efed78bbf1bf153961fab6bad +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036 +Bug: https://github.com/lloyd/yajl/issues/239 +--- + src/yajl_buf.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/src/yajl_buf.c ++++ b/src/yajl_buf.c +@@ -45,7 +45,17 @@ + + need = buf->len; + +- while (want >= (need - buf->used)) need <<= 1; ++ if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) { ++ /* We cannot allocate more memory than SIZE_MAX. */ ++ abort(); ++ } ++ while (want >= (need - buf->used)) { ++ if (need >= (size_t)((size_t)(-1)<<1)>>1) { ++ /* need would overflow. */ ++ abort(); ++ } ++ need <<= 1; ++ } + + if (need != buf->len) { + buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need); diff -Nru yajl-2.1.0/debian/patches/CVE-2023-33460.patch yajl-2.1.0/debian/patches/CVE-2023-33460.patch --- yajl-2.1.0/debian/patches/CVE-2023-33460.patch 2023-07-02 13:30:08.000000000 +0200 +++ yajl-2.1.0/debian/patches/CVE-2023-33460.patch 2023-07-11 19:54:44.000000000 +0200 
@@ -1,17 +1,32 @@ -From 23a122eddaa28165a6c219000adcc31ff9a8a698 Mon Sep 17 00:00:00 2001 -From: "zhang.jiujiu" <282627...@qq.com> -Date: Tue, 7 Dec 2021 22:37:02 +0800 -Subject: [PATCH] fix memory leaks - +Description: Fix for CVE-2023-33460a + Memory leak in yajl 2.1.0 with use of yajl_tree_parse function + See https://github.com/lloyd/yajl/issues/250#issuecomment-1628695214 +Origin: https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039984 +Bug: https://github.com/lloyd/yajl/issues/250 --- - src/yajl_tree.c | 3 +++ - 1 file changed, 3 insertions(+) + src/yajl_tree.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) --- a/src/yajl_tree.c +++ b/src/yajl_tree.c -@@ -445,6 +445,9 @@ +@@ -143,7 +143,7 @@ + ctx->stack = stack->next; + + v = stack->value; +- ++ free (stack->key); + free (stack); + + return (v); +@@ -444,7 +444,14 @@ + snprintf(error_buffer, error_buffer_size, "%s", internal_err_str); YA_FREE(&(handle->alloc), internal_err_str); } ++ while(ctx.stack != NULL) { ++ yajl_val v = context_pop(&ctx); ++ yajl_tree_free(v); ++ } yajl_free (handle); + //If the requested memory is not released in time, it will cause memory leakage + if(ctx.root) diff -Nru yajl-2.1.0/debian/patches/series yajl-2.1.0/debian/patches/series --- yajl-2.1.0/debian/patches/series 2023-07-02 13:30:08.000000000 +0200 +++ yajl-2.1.0/debian/patches/series 2023-07-11 19:17:44.000000000 +0200 @@ -1,3 +1,5 @@ dynamically-link-tools.patch multiarch.patch +CVE-2017-16516.patch +CVE-2022-24795.patch CVE-2023-33460.patch
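Review bot: in the CVE-2017-16516 hunk (yajl_encode.c, surrogate branch) the new guard `end + 2 < len` only proves that the `\` and `u` bytes are inside the string; the four hex digits that `hexToDigit(&surrogate, str + end + 2);` reads right after the `end++` are still unchecked, so an input that ends directly after the second `\u` reads up to four bytes past `len`. Since `end` points at the last hex digit of the high surrogate at that point, the whole low-surrogate escape occupies bytes end+1 .. end+6; check that range before entering the branch, e.g. `if (end + 6 < len && str[end + 1] == '\\' && str[end + 2] == 'u') {`, and say in the patch Description that the fix covers the full escape, not just its prefix.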
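Review bot: in the CVE-2022-24795 hunk (yajl_buf.c) both new guards end in `abort();`, so an input that trips them still terminates the process; the change turns the heap corruption into a deterministic SIGABRT rather than a handled error, and the patch Description ("will lead to heap memory corruption") should state that the residual outcome is a crash so that downstream users know what to expect. On the second guard, `(size_t)((size_t)(-1)<<1)>>1` is just SIZE_MAX / 2; writing it that way (with <stdint.h>) makes the "need would overflow" comment verifiable at a glance.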
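Review bot: in the CVE-2023-33460 hunk the rewritten header reads `+Description: Fix for CVE-2023-33460a`; drop the stray trailing "a". In the inner yajl_tree.c hunk at line 143, `free (stack->key);` now runs on every context_pop, not only on the error path, so the patch should document the invariant it relies on (the key must already have been moved into the object, leaving stack->key NULL, except when parsing stopped between a key and its value); without that note a reader cannot rule out a double free of a key the object still owns. The cleanup loop added before `yajl_free (handle);` depends on that same pop to release a pending key, which is consistent, but the `//If the requested memory is not released in time` line it sits next to is a C++-style comment in a C file and could be converted to `/* */` while this spot is being touched.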