Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: yajl@packages.debian.org
Control: affects -1 + src:yajl

Previous s-p-u upload was #1040136; two additional CVEs have been fixed since then and the fix for CVE-2023-33460 has been found to be incomplete.

This upload is part of fixing yajl for every release. So far sid, buster (DLA-3492), stretch and jessie (ELA-892-1) have been targeted.

CVE-2017-16516
  When a crafted JSON file is supplied to yajl, the process might crash with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This potentially results in a denial of service.

CVE-2022-24795
  The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs.

CVE-2023-33460
  There's a memory leak in yajl 2.1.0 with use of the yajl_tree_parse function, which potentially causes out-of-memory in the server and causes a crash.

[ Risks ]
Required changes are minimal, see debdiff. Package testsuite passes.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

For unstable, the fixes are in 2.1.0-5.

I have already uploaded to the s-p-u queue.
diff -Nru yajl-2.1.0/debian/changelog yajl-2.1.0/debian/changelog
--- yajl-2.1.0/debian/changelog 2023-07-01 14:55:44.000000000 +0200
+++ yajl-2.1.0/debian/changelog 2023-07-10 18:06:21.000000000 +0200
@@ -1,3 +1,15 @@
+yajl (2.1.0-3+deb12u2) bookworm; urgency=medium
+
+ [Tobias Frost]
+ * Non-maintainer upload.
+ * Cherry pick John's CVE fixes from 2.1.0-4 and 2.1.0-5
+
+ [John Stamp]
+ * Patch CVE-2017-16516 and CVE-2022-24795 (Closes: #1040036)
+ * The patch for CVE-2023-33460 turned out to be incomplete. Fix that. (Closes: #1039984)
+
+ -- Tobias Frost <tobi@debian.org> Mon, 10 Jul 2023 18:06:21 +0200
+
yajl (2.1.0-3+deb12u1) bookworm; urgency=medium
* Non-maintainer upload.
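Review bot: the entry `* The patch for CVE-2023-33460 turned out to be incomplete. Fix that.` should say what was incomplete, since the changelog is what the security tracker and stable users read rather than the patch; the revised patch later in this debdiff frees the pending `stack->key` in `context_pop` and drains the parser stack on the error path of `yajl_tree_parse`, so wording such as "also free pending stack entries and their keys on parse errors" would let readers see the scope of the second fix without opening the patch.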
diff -Nru yajl-2.1.0/debian/patches/CVE-2017-16516.patch yajl-2.1.0/debian/patches/CVE-2017-16516.patch
--- yajl-2.1.0/debian/patches/CVE-2017-16516.patch 1970-01-01 01:00:00.000000000 +0100
+++ yajl-2.1.0/debian/patches/CVE-2017-16516.patch 2023-07-10 18:06:21.000000000 +0200
@@ -0,0 +1,22 @@
+Description: Fix for CVE-2017-16516
+ Potential buffer overread: A JSON file can cause denial of service.
+Origin: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
+Bug: https://github.com/lloyd/yajl/issues/248
+---
+ src/yajl_encode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/src/yajl_encode.c
++++ b/src/yajl_encode.c
+@@ -139,8 +139,8 @@
+ end+=3;
+ /* check if this is a surrogate */
+ if ((codepoint & 0xFC00) == 0xD800) {
+- end++;
+- if (str[end] == '\\' && str[end + 1] == 'u') {
++ if (end + 2 < len && str[end + 1] == '\\' && str[end + 2] == 'u') {
++ end++;
+ unsigned int surrogate = 0;
+ hexToDigit(&surrogate, str + end + 2);
+ codepoint =
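Review bot: the new bounds check `end + 2 < len` in the surrogate branch only guarantees that the `\u` pair is inside the buffer; `hexToDigit(&surrogate, str + end + 2)` then reads four more bytes (indices `end + 2` to `end + 5` after the `end++`) that this check does not cover. That is only safe if the lexer has already validated every `\u` escape as being followed by four hex digits before `yajl_string_decode` runs; either extend the check to `end + 6 < len` so the decoder is safe on its own, or add a comment next to it stating the reliance on the lexer so the invariant survives later refactoring. Moving `end++` after the check is the right change: the old code advanced `end` first and then indexed `str[end]` unconditionally, which is the overread the patch Description names.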
diff -Nru yajl-2.1.0/debian/patches/CVE-2022-24795.patch yajl-2.1.0/debian/patches/CVE-2022-24795.patch
--- yajl-2.1.0/debian/patches/CVE-2022-24795.patch 1970-01-01 01:00:00.000000000 +0100
+++ yajl-2.1.0/debian/patches/CVE-2022-24795.patch 2023-07-10 18:06:21.000000000 +0200
@@ -0,0 +1,30 @@
+Description: Fix for CVE-2022-24795
+ An integer overflow will lead to heap memory corruption with large (~2GB) inputs.
+Origin: https://github.com/ppisar/yajl/commit/23cea2d7677e396efed78bbf1bf153961fab6bad
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
+Bug: https://github.com/lloyd/yajl/issues/239
+---
+ src/yajl_buf.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/src/yajl_buf.c
++++ b/src/yajl_buf.c
+@@ -45,7 +45,17 @@
+
+ need = buf->len;
+
+- while (want >= (need - buf->used)) need <<= 1;
++ if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) {
++ /* We cannot allocate more memory than SIZE_MAX. */
++ abort();
++ }
++ while (want >= (need - buf->used)) {
++ if (need >= (size_t)((size_t)(-1)<<1)>>1) {
++ /* need would overflow. */
++ abort();
++ }
++ need <<= 1;
++ }
+
+ if (need != buf->len) {
+ buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
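Review bot: both new guards, `abort()` under `/* We cannot allocate more memory than SIZE_MAX. */` and under `/* need would overflow. */`, turn an oversized input into an unconditional process abort inside a library; that is what the upstream commit named in `Origin:` does and it does close the heap corruption, but callers of libyajl cannot recover from it, so the patch Description should state that the fix deliberately trades memory corruption for an abort. Separately, `(size_t)((size_t)(-1)<<1)>>1` is simply `SIZE_MAX / 2` (the cast binds tighter than `>>`, so it shifts `SIZE_MAX << 1` back right by one); writing `need >= SIZE_MAX / 2` with `<stdint.h>` makes the intent, that `need` cannot be doubled again without wrapping, obvious at a glance. The first guard is correct as written: if `buf->used + want` wraps, the sum is smaller than the larger of the two operands.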
diff -Nru yajl-2.1.0/debian/patches/CVE-2023-33460.patch yajl-2.1.0/debian/patches/CVE-2023-33460.patch
--- yajl-2.1.0/debian/patches/CVE-2023-33460.patch 2023-07-01 14:51:32.000000000 +0200
+++ yajl-2.1.0/debian/patches/CVE-2023-33460.patch 2023-07-10 18:06:21.000000000 +0200
@@ -1,17 +1,32 @@
Description: Fix for CVE-2023-33460a
Memory leak in yajl 2.1.0 with use of yajl_tree_parse function
+ See https://github.com/lloyd/yajl/issues/250#issuecomment-1628695214
Origin: https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039984
Bug: https://github.com/lloyd/yajl/issues/250
---
- src/yajl_tree.c | 3 +++
- 1 file changed, 3 insertions(+)
+ src/yajl_tree.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
--- a/src/yajl_tree.c
+++ b/src/yajl_tree.c
-@@ -445,6 +445,9 @@
+@@ -143,7 +143,7 @@
+ ctx->stack = stack->next;
+
+ v = stack->value;
+-
++ free (stack->key);
+ free (stack);
+
+ return (v);
+@@ -444,7 +444,14 @@
+ snprintf(error_buffer, error_buffer_size, "%s", internal_err_str);
YA_FREE(&(handle->alloc), internal_err_str);
}
++ while(ctx.stack != NULL) {
++ yajl_val v = context_pop(&ctx);
++ yajl_tree_free(v);
++ }
yajl_free (handle);
+ //If the requested memory is not released in time, it will cause memory leakage
+ if(ctx.root)
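Review bot: while the Description header is being touched (the added `+ See https://github.com/lloyd/yajl/issues/250#issuecomment-1628695214` line), the typo on the line above it, `Fix for CVE-2023-33460a`, should be corrected to `CVE-2023-33460`, since tooling that greps patch headers for identifiers will not match the trailing character. On the code side, `free (stack->key);` in `context_pop` is only safe if `key` is NULL once it has been handed to the parent object and non-NULL only for a key still waiting for its value, and the new `while(ctx.stack != NULL)` cleanup loop is only safe if `ctx.root` is never set while the stack is non-empty (otherwise the `if(ctx.root)` branch that follows would free a value twice); neither invariant is visible in this hunk, so a one-line comment at each site would document why the added frees cannot double free. Placing the loop before `yajl_free (handle)` is fine, as `context_pop` does not use the handle.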
diff -Nru yajl-2.1.0/debian/patches/series yajl-2.1.0/debian/patches/series
--- yajl-2.1.0/debian/patches/series 2023-07-01 14:37:45.000000000 +0200
+++ yajl-2.1.0/debian/patches/series 2023-07-10 18:06:21.000000000 +0200
@@ -1,3 +1,5 @@
dynamically-link-tools.patch
multiarch.patch
+CVE-2017-16516.patch
+CVE-2022-24795.patch
CVE-2023-33460.patch