--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: yajl: CVE-2017-16516 CVE-2022-24795
- From: Tobias Frost <tobi@debian.org>
- Date: Sat, 1 Jul 2023 13:03:38 +0200
- Message-id: <ZKAICpv2mXoIxDXI@isildor.loewenhoehle.ip>
Source: yajl
Severity: important
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
After preparing the LTS upload of yajl I've seen the following issues in
the upstream github issue tracker:
CVE-2017-16516 [1] potential buffer overread: A JSON file can cause denial of service.
CVE-2022-24795 [2] potential integer overflow which can lead to subsequent heap
memory corruption when dealing with large (~2GB) input
The upstream issue tracker also indicates that there might be other vulnerabilities
(without CVEs or unknown CVEs), but I did not investigate further:
https://github.com/lloyd/yajl/issues/206 (double free)
https://github.com/lloyd/yajl/issues/204 (Uninitialized memory reads and out-of-bound)
It seems that the code is unmaintained upstream. It might be a good idea to evaluate
if any of the forks are more active and whether Debian should move there.
Cheers,
--
tobi
[1] https://github.com/lloyd/yajl/issues/248
Potential fix: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
[2] https://github.com/lloyd/yajl/issues/239
Potential fix (however the use of abort() can cause issues.)
https://github.com/lloyd/yajl/pull/240
-- System Information:
Debian Release: 12.0
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'oldstable-security'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'oldstable'), (100, 'bullseye-fasttrack'), (100, 'bullseye-backports-staging'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.1.0-9-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
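The second issue in the report, CVE-2022-24795, is an unchecked size computation in a growable buffer: when the parser accumulates close to 2 GB of input, "current length + bytes wanted" can wrap, the capacity check passes, and the subsequent copy writes past the allocation. The following is an added illustration of that bug class and its mitigation; it is not yajl's code and not from the bug report or any of the linked fixes. The buffer type `growbuf`, the limit `GROWBUF_MAX`, and the functions `growbuf_reserve`, `growbuf_append`, `growbuf_free` and `naive_check_passes` are all hypothetical names for this example. The hardened version compares the request against the remaining headroom rather than computing the sum, enforces a constructed upper bound, and reports failure through a return code rather than calling abort(), which is the concern the report raises about the proposed upstream pull request.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable byte buffer for illustration only; this is not
 * yajl's own buffer implementation. */
typedef struct {
    unsigned char *data;
    size_t len;   /* bytes in use */
    size_t cap;   /* bytes allocated */
} growbuf;

/* Constructed policy limit (1 GiB). A real parser picks a bound that fits
 * its deployment; the point is that some bound exists and is checked
 * before any arithmetic can wrap. */
#define GROWBUF_MAX ((size_t)1 << 30)

/* Return codes: 0 ok, -1 request exceeds the limit (caller turns this into
 * a parse error), -2 allocation failed. No abort(): the library reports,
 * the embedding application decides what to do. */
static int growbuf_reserve(growbuf *b, size_t extra)
{
    /* Overflow-safe form of "len + extra > cap": compare the request
     * against the headroom left under the limit instead of adding first,
     * so the sum is never formed when it would wrap. The invariant
     * len <= GROWBUF_MAX is maintained by this function alone. */
    if (extra > GROWBUF_MAX - b->len)
        return -1;
    size_t need = b->len + extra;        /* cannot wrap: need <= GROWBUF_MAX */
    if (need <= b->cap)
        return 0;

    /* Double capacity, clamped to the limit so the doubling cannot wrap. */
    size_t newcap = b->cap ? b->cap : 64;
    while (newcap < need) {
        if (newcap > GROWBUF_MAX / 2) { newcap = GROWBUF_MAX; break; }
        newcap *= 2;
    }
    unsigned char *p = realloc(b->data, newcap);
    if (!p)
        return -2;
    b->data = p;
    b->cap = newcap;
    return 0;
}

/* Append n bytes; on failure the buffer is left unchanged. */
static int growbuf_append(growbuf *b, const void *src, size_t n)
{
    int rc = growbuf_reserve(b, n);
    if (rc != 0)
        return rc;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

static void growbuf_free(growbuf *b)
{
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Contrast: the unchecked idiom with a 32-bit size type, as older C code
 * commonly used. Forming the sum first lets a request near 2 GB wrap to a
 * small number, so the check wrongly reports that the data fits and the
 * later memcpy runs past the allocation. Returns 1 when the naive check
 * would pass. */
static int naive_check_passes(uint32_t len, uint32_t cap, uint32_t extra)
{
    uint32_t need = len + extra;         /* wraps modulo 2^32 */
    return need <= cap;
}
```

The headroom comparison `extra > GROWBUF_MAX - b->len` is the whole fix: it is equivalent to `len + extra > GROWBUF_MAX` but cannot overflow, because `len` never exceeds the limit. Returning an error code instead of aborting keeps the decision with the caller, so a library user can reject one oversized document without taking down the process that embeds the parser.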