On 07/01/23 04:03 AM, Tobias Frost wrote:
> Source: yajl
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
>
> After preparing the LTS upload of yajl I've seen the following issues in
> the upstream github issue tracker:
>
> CVE-2017-16516 [1] potential buffer overread: A JSON file can cause denial of
> service.
>
> CVE-2022-24795 [2] potential integer overflow which can lead to subsequent heap
> memory corruption when dealing with large (~2GB) input
>
> The upstream issue tracker also indicates that there might be other
> vulnerabilities (without CVEs or unknown CVEs), but I did not investigate further:
> https://github.com/lloyd/yajl/issues/206 (double free)
> https://github.com/lloyd/yajl/issues/204 (Uninitialized memory reads and
> out-of-bound)
>
> It seems that the code is unmaintained upstream. It might be a good idea to
> evaluate if any of the forks are more active and whether Debian should move there.
>
> Cheers,
> --
> tobi
>
> [1] https://github.com/lloyd/yajl/issues/248
> Potential fix:
> https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
>
> [2] https://github.com/lloyd/yajl/issues/239
> Potential fix (however the use of abort() can cause issues.)
> https://github.com/lloyd/yajl/pull/240
Hello,

I've something nearly ready for upload, but it would be good to get a second pair of eyes on it:

https://github.com/jstamp/yajl/commits/master

CVE-2017-16516 looks fixed with the patch that you linked to.

CVE-2022-24795 looks fixed with https://github.com/lloyd/yajl/pull/240

As you said, pull 240's use of abort() can cause problems of its own, but if I understand the discussion right, there aren't other options without a significant rewrite to yajl. The other two potential fixes also use abort() or assert():

https://github.com/robohack/yajl/commit/7d8adb408842a2d19e6a48fccf2725feb333937a
https://github.com/robohack/yajl/commit/166b384aec1cf304859d69f03e42c3ab85c34858
https://github.com/lloyd/yajl/pull/242/commits/d3a528c788ba9e531fab91db41d3a833c54da325

You also mentioned the following issues:

https://github.com/lloyd/yajl/issues/204
https://github.com/lloyd/yajl/issues/206

I can reproduce the reporter's errors in valgrind using yajl's json_reformat in version 1.0.12, but all appeared well when I tested with version 2.1.0. Those issues only seem to affect 1.x.

The same applied to issue 205:

https://github.com/lloyd/yajl/issues/205

If all this looks sensible to you, I'll head over to mentors for a sponsor.

John
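Neither message shows the affected code, so the following is an added illustration (not yajl's source and not any of the patches linked above) of the bug class behind CVE-2022-24795: a buffer that grows by repeated doubling, where the size computation wraps on very large input, placed beside a checked variant that reports failure to the caller instead of calling abort(). It assumes a 32-bit size type, which is what makes roughly 2 GiB the threshold; uint32_t stands in for a 32-bit size_t so the wrap reproduces on a 64-bit host. The names growbuf, grow_unchecked, grow_checked, growbuf_append and GROWBUF_INIT_SIZE are invented for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration, not yajl's code. A growable byte buffer that
 * enlarges itself by doubling. uint32_t models a 32-bit size_t so the
 * wrap-around is reproducible on a 64-bit machine; all names are invented.
 */
typedef struct {
    unsigned char *data;
    uint32_t len;   /* allocated capacity in bytes */
    uint32_t used;  /* bytes currently in use */
} growbuf;

#define GROWBUF_INIT_SIZE 2048u

/*
 * The fragile pattern: double 'need' until 'want' more bytes fit. Once need
 * reaches 2^31 the next doubling wraps to 0, so the loop returns a capacity
 * far smaller than what the caller is about to copy in; code that then
 * realloc()s to that size and memcpy()s 'want' bytes writes past the end of
 * the heap block. The break on 0 is only here so the demo terminates.
 */
uint32_t grow_unchecked(uint32_t len, uint32_t used, uint32_t want)
{
    uint32_t need = len;
    while (want >= need - used) {
        need <<= 1;
        if (need == 0)
            break;  /* wrapped: shows the bug instead of spinning forever */
    }
    return need;
}

/*
 * The hardened form: detect the wrap before it happens and hand the failure
 * back to the caller rather than calling abort(). Returns false when the
 * request cannot be satisfied with this size type.
 */
bool grow_checked(uint32_t len, uint32_t used, uint32_t want, uint32_t *out)
{
    uint32_t need = len;
    if (used > len)                 /* inconsistent bookkeeping: refuse */
        return false;
    if (want > UINT32_MAX - used)   /* used + want itself overflows */
        return false;
    while (want >= need - used) {
        if (need > UINT32_MAX / 2)  /* need << 1 would wrap */
            return false;
        need <<= 1;
    }
    *out = need;
    return true;
}

/* Append n bytes, growing with the checked routine; false on any failure. */
bool growbuf_append(growbuf *b, const void *src, uint32_t n)
{
    uint32_t need;
    if (b->data == NULL) {
        b->data = malloc(GROWBUF_INIT_SIZE);
        if (b->data == NULL)
            return false;
        b->len = GROWBUF_INIT_SIZE;
        b->used = 0;
    }
    if (!grow_checked(b->len, b->used, n, &need))
        return false;               /* nothing copied, buffer left intact */
    if (need != b->len) {
        void *p = realloc(b->data, need);
        if (p == NULL)
            return false;
        b->data = p;
        b->len = need;
    }
    memcpy(b->data + b->used, src, n);
    b->used += n;
    return true;
}

int main(void)
{
    uint32_t big = 2147483648u;  /* 2 GiB: the "~2GB input" from the report */
    uint32_t n;
    printf("unchecked capacity for 2 GiB: %u\n", grow_unchecked(2048, 100, big));
    printf("checked growth for 2 GiB accepted: %s\n",
           grow_checked(2048, 100, big, &n) ? "yes" : "no");

    growbuf b = {0};
    unsigned char chunk[3000];   /* constructed sample input */
    memset(chunk, 'a', sizeof chunk);
    growbuf_append(&b, "abc", 3);
    growbuf_append(&b, chunk, sizeof chunk);
    printf("buffer: used=%u len=%u\n", b.used, b.len);
    free(b.data);
    return 0;
}
```

The trade-off John describes is visible here: returning false only helps if every caller of the growth routine propagates the failure, and in an existing code base that can mean touching every call site, whereas abort() needs no caller changes but turns an oversized input into a crash of the whole process.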