Bug#1040136: bookworm-pu: package yajl/2.1.0-3+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: yajl@packages.debian.org
Control: affects -1 + src:yajl
This upload fixes CVE-2023-33460, a memory leak issue that
can cause a crash/DoS.
[ Reason ]
This upload is part of fixing yajl for every release. So far sid, buster
(DLA-3478), stretch and jessie (ELA-888-1) has been targeted.
[ Tests ]
Package has a test suite which passes. Additionally it has been
manually verified using asan that the memory leak is indeed fixed.
[ Risks ]
Required changes are minimal, see debdiff.
[ Checklist ]
[x *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
(I've already upload the package to s-p-u)
--
tobi
diff -Nru yajl-2.1.0/debian/changelog yajl-2.1.0/debian/changelog
--- yajl-2.1.0/debian/changelog 2018-10-03 00:51:58.000000000 +0200
+++ yajl-2.1.0/debian/changelog 2023-07-01 14:55:44.000000000 +0200
@@ -1,3 +1,11 @@
+yajl (2.1.0-3+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * Import upstream patch for CVE-2023-33460. (Closes: #1039984)
+ * Fix d/control Homepage field (Closes: #1040034)
+
+ -- Tobias Frost <tobi@debian.org> Sat, 01 Jul 2023 14:55:44 +0200
+
yajl (2.1.0-3) unstable; urgency=medium
[ Jelmer Vernooij ]
diff -Nru yajl-2.1.0/debian/control yajl-2.1.0/debian/control
--- yajl-2.1.0/debian/control 2018-10-02 23:59:41.000000000 +0200
+++ yajl-2.1.0/debian/control 2023-07-01 14:45:57.000000000 +0200
@@ -5,7 +5,7 @@
Build-Depends: debhelper (>= 11), cmake, doxygen
Standards-Version: 4.2.1
Rules-Requires-Root: no
-Homepage: http://lloyd.github.com/yajl/
+Homepage: https://lloyd.github.io/yajl/
Vcs-Browser: https://github.com/jstamp/yajl
Vcs-Git: https://github.com/jstamp/yajl.git
diff -Nru yajl-2.1.0/debian/patches/CVE-2023-33460.patch yajl-2.1.0/debian/patches/CVE-2023-33460.patch
--- yajl-2.1.0/debian/patches/CVE-2023-33460.patch 1970-01-01 01:00:00.000000000 +0100
+++ yajl-2.1.0/debian/patches/CVE-2023-33460.patch 2023-07-01 14:51:32.000000000 +0200
@@ -0,0 +1,21 @@
+Description: Fix for CVE-2023-33460a
+ Memory leak in yajl 2.1.0 with use of yajl_tree_parse function
+Origin: https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039984
+Bug: https://github.com/lloyd/yajl/issues/250
+---
+ src/yajl_tree.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/src/yajl_tree.c
++++ b/src/yajl_tree.c
+@@ -445,6 +445,9 @@
+ YA_FREE(&(handle->alloc), internal_err_str);
+ }
+ yajl_free (handle);
++ //If the requested memory is not released in time, it will cause memory leakage
++ if(ctx.root)
++ yajl_tree_free(ctx.root);
+ return NULL;
+ }
+
diff -Nru yajl-2.1.0/debian/patches/series yajl-2.1.0/debian/patches/series
--- yajl-2.1.0/debian/patches/series 2015-09-25 14:44:02.000000000 +0200
+++ yajl-2.1.0/debian/patches/series 2023-07-01 14:37:45.000000000 +0200
@@ -1,2 +1,3 @@
dynamically-link-tools.patch
multiarch.patch
+CVE-2023-33460.patch
Reply to: