
Bug#1040863: marked as done (bookworm-pu: package yajl/2.1.0-3+deb12u2)



Your message dated Sat, 22 Jul 2023 13:19:43 +0000
with message-id <E1qNCWN-005rsv-A3@coccia.debian.org>
and subject line Released with 12.1
has caused the Debian Bug report #1040863,
regarding bookworm-pu: package yajl/2.1.0-3+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1040863: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040863
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: yajl@packages.debian.org
Control: affects -1 + src:yajl

The previous s-p-u upload was #1040136; two additional CVEs have
been fixed since then, and the fix for CVE-2023-33460 has been found
to be incomplete.

This upload is part of fixing yajl for every release. So far sid, buster
(DLA-3492), stretch and jessie (ELA-892-1) have been targeted.

CVE-2017-16516

When a crafted JSON file is supplied to yajl, the process might
crash with a SIGABRT in the yajl_string_decode function in
yajl_encode.c. This results potentially in a denial of service.

CVE-2022-24795

The 1.x branch and the 2.x branch of `yajl` contain an integer overflow
which leads to subsequent heap memory corruption when dealing with large
(~2GB) inputs.

CVE-2023-33460

There's a memory leak in yajl 2.1.0 with use of the yajl_tree_parse function,
which can potentially cause out-of-memory in the server and cause a crash.


[ Risks ]
Required changes are minimal, see debdiff. Package testsuite passes.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable


For unstable, the fixes are in 2.1.0-5. I have already uploaded to the s-p-u queue.
diff -Nru yajl-2.1.0/debian/changelog yajl-2.1.0/debian/changelog
--- yajl-2.1.0/debian/changelog	2023-07-01 14:55:44.000000000 +0200
+++ yajl-2.1.0/debian/changelog	2023-07-10 18:06:21.000000000 +0200
@@ -1,3 +1,15 @@
+yajl (2.1.0-3+deb12u2) bookworm; urgency=medium
+
+  [Tobias Frost]
+  * Non-maintainer upload.
+  * Cherry pick John's CVE fixes from 2.1.0-4 and 2.1.0-5
+
+  [John Stamp]
+  * Patch CVE-2017-16516 and CVE-2022-24795 (Closes: #1040036)
+  * The patch for CVE-2023-33460 turned out to be incomplete. Fix that. (Closes: #1039984)
+
+ -- Tobias Frost <tobi@debian.org>  Mon, 10 Jul 2023 18:06:21 +0200
+
 yajl (2.1.0-3+deb12u1) bookworm; urgency=medium
 
   * Non-maintainer upload.
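Review bot: the CVE-2023-33460 entry says the earlier patch "turned out to be incomplete" without saying what was missing; a few words on what the revised patch adds (the pending-key free in context_pop and the stack drain on the error path, both visible in the updated CVE-2023-33460.patch further down this debdiff) would let anyone auditing deb12u1 against deb12u2 see the delta without reading the patch file.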
diff -Nru yajl-2.1.0/debian/patches/CVE-2017-16516.patch yajl-2.1.0/debian/patches/CVE-2017-16516.patch
--- yajl-2.1.0/debian/patches/CVE-2017-16516.patch	1970-01-01 01:00:00.000000000 +0100
+++ yajl-2.1.0/debian/patches/CVE-2017-16516.patch	2023-07-10 18:06:21.000000000 +0200
@@ -0,0 +1,22 @@
+Description: Fix for CVE-2017-16516
+ Potential buffer overread: A JSON file can cause denial of service.
+Origin: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
+Bug: https://github.com/lloyd/yajl/issues/248
+---
+ src/yajl_encode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/src/yajl_encode.c
++++ b/src/yajl_encode.c
+@@ -139,8 +139,8 @@
+                     end+=3;
+                     /* check if this is a surrogate */
+                     if ((codepoint & 0xFC00) == 0xD800) {
+-                        end++;
+-                        if (str[end] == '\\' && str[end + 1] == 'u') {
++                        if (end + 2 < len && str[end + 1] == '\\' && str[end + 2] == 'u') {
++                            end++;
+                             unsigned int surrogate = 0;
+                             hexToDigit(&surrogate, str + end + 2);
+                             codepoint =
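Review bot: the new bound `end + 2 < len` covers only the `\\` and `u` bytes tested on that same line; the `hexToDigit(&surrogate, str + end + 2)` call two lines later still reads past `end + 2` with no check of its own, so the fix relies on the lexer having already validated the full escape sequence before `yajl_string_decode` runs. Stating that assumption in the patch Description would stop the next reader from flagging the hexToDigit read as a remaining overread.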
diff -Nru yajl-2.1.0/debian/patches/CVE-2022-24795.patch yajl-2.1.0/debian/patches/CVE-2022-24795.patch
--- yajl-2.1.0/debian/patches/CVE-2022-24795.patch	1970-01-01 01:00:00.000000000 +0100
+++ yajl-2.1.0/debian/patches/CVE-2022-24795.patch	2023-07-10 18:06:21.000000000 +0200
@@ -0,0 +1,30 @@
+Description: Fix for CVE-2022-24795
+ An integer overflow will lead to heap memory corruption with large (~2GB) inputs.
+Origin: https://github.com/ppisar/yajl/commit/23cea2d7677e396efed78bbf1bf153961fab6bad
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
+Bug: https://github.com/lloyd/yajl/issues/239
+---
+ src/yajl_buf.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/src/yajl_buf.c
++++ b/src/yajl_buf.c
+@@ -45,7 +45,17 @@
+ 
+     need = buf->len;
+ 
+-    while (want >= (need - buf->used)) need <<= 1;
++    if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) {
++        /* We cannot allocate more memory than SIZE_MAX. */
++        abort();
++    }
++    while (want >= (need - buf->used)) {
++        if (need >= (size_t)((size_t)(-1)<<1)>>1) {
++            /* need would overflow. */
++            abort();
++        }
++        need <<= 1;
++    }
+ 
+     if (need != buf->len) {
+         buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
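Review bot: both new checks in this hunk end in `abort()`, so an oversized input now terminates the process rather than corrupting the heap; that is the right trade for a void growth routine with no error path, but the Description only mentions the corruption, and it should also say that the caller-visible behaviour on ~2GB inputs changes to a deliberate crash. Minor: `(size_t)((size_t)(-1)<<1)>>1` is an opaque way to write `SIZE_MAX / 2`; the comment "need would overflow" would be clearer as "need would overflow when doubled" next to a named bound.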
diff -Nru yajl-2.1.0/debian/patches/CVE-2023-33460.patch yajl-2.1.0/debian/patches/CVE-2023-33460.patch
--- yajl-2.1.0/debian/patches/CVE-2023-33460.patch	2023-07-01 14:51:32.000000000 +0200
+++ yajl-2.1.0/debian/patches/CVE-2023-33460.patch	2023-07-10 18:06:21.000000000 +0200
@@ -1,17 +1,32 @@
 Description: Fix for CVE-2023-33460a
  Memory leak in yajl 2.1.0 with use of yajl_tree_parse function
+ See https://github.com/lloyd/yajl/issues/250#issuecomment-1628695214
 Origin: https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698
 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039984
 Bug: https://github.com/lloyd/yajl/issues/250
 ---
- src/yajl_tree.c | 3 +++
- 1 file changed, 3 insertions(+)
+ src/yajl_tree.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
 
 --- a/src/yajl_tree.c
 +++ b/src/yajl_tree.c
-@@ -445,6 +445,9 @@
+@@ -143,7 +143,7 @@
+     ctx->stack = stack->next;
+ 
+     v = stack->value;
+-
++    free (stack->key);
+     free (stack);
+ 
+     return (v);
+@@ -444,7 +444,14 @@
+              snprintf(error_buffer, error_buffer_size, "%s", internal_err_str);
               YA_FREE(&(handle->alloc), internal_err_str);
          }
++        while(ctx.stack != NULL) {
++             yajl_val v = context_pop(&ctx);
++             yajl_tree_free(v);
++        }
          yajl_free (handle);
 +	//If the requested memory is not released in time, it will cause memory leakage
 +	if(ctx.root)
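Review bot: the new `free (stack->key)` in `context_pop` runs on every pop, and nothing in this hunk shows whether a non-NULL `key` can still be referenced from the value being built at that point; the patch Description should spell out the ownership rule it relies on (that a key left on the stack here is one whose value never arrived), otherwise a reader will suspect a double free against the keys already attached to the object. Two smaller points in the kept context: the Description line reads "CVE-2023-33460a" with a stray trailing "a", and the retained `//If the requested memory ...` line uses a C++-style comment and a tab, unlike the surrounding `/* */` style in the hunks above it.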
diff -Nru yajl-2.1.0/debian/patches/series yajl-2.1.0/debian/patches/series
--- yajl-2.1.0/debian/patches/series	2023-07-01 14:37:45.000000000 +0200
+++ yajl-2.1.0/debian/patches/series	2023-07-10 18:06:21.000000000 +0200
@@ -1,3 +1,5 @@
 dynamically-link-tools.patch
 multiarch.patch
+CVE-2017-16516.patch
+CVE-2022-24795.patch
 CVE-2023-33460.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
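As an added example, not code from yajl or from the debdiff above: the buffer-growth computation that CVE-2022-24795 concerns, rewritten as a stand-alone function that applies the patch's two wraparound checks and reports failure to its caller instead of calling abort(). The function name, its struct-free signature and the sample sizes are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed variant of the capacity computation in yajl_buf.c's
 * ensure-available path (not yajl's code): `len` is the current allocation,
 * `used` the bytes occupied, `want` the bytes about to be appended.
 * Returns false, instead of calling abort(), when a size would wrap around.
 */
bool safe_grow(size_t len, size_t used, size_t want, size_t *out_need)
{
    if (len == 0 || used > len)      /* yajl always has a non-empty buffer here */
        return false;

    /* Check 1 (the patch's max(used, want) > used + want test): the total
     * size used + want must itself be representable; as the patch comment
     * puts it, "We cannot allocate more memory than SIZE_MAX." */
    if (want > SIZE_MAX - used)
        return false;

    /* Check 2: stop before need <<= 1 can overflow. The patch writes the
     * bound as (size_t)((size_t)(-1)<<1)>>1, which equals SIZE_MAX / 2. */
    size_t need = len;
    while (want >= need - used) {    /* same loop condition as yajl_buf.c */
        if (need >= SIZE_MAX / 2)
            return false;
        need <<= 1;
    }
    *out_need = need;
    return true;
}

int main(void)
{
    size_t need;
    /* Ordinary append: 100 of 2048 bytes used, 3000 more wanted -> 4096. */
    if (safe_grow(2048, 100, 3000, &need))
        printf("grow to %zu\n", need);
    /* The CVE-2022-24795 shape: a request so large that used + want wraps. */
    if (!safe_grow(2048, 100, SIZE_MAX - 50, &need))
        puts("rejected: used + want would wrap");
    /* Doubling would overflow before enough room exists. */
    if (!safe_grow(SIZE_MAX / 2 + 1, 0, SIZE_MAX / 2 + 1, &need))
        puts("rejected: need doubling would overflow");
    return 0;
}
```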
--- Begin Message ---
Version: 12.1

The upload requested in this bug has been released as part of 12.1.

--- End Message ---
