Your message dated Tue, 26 Sep 2023 16:28:07 +0000
with message-id <e1qlaut-009b98...@fasolo.debian.org>
and subject line Bug#1051399: Removed package(s) from unstable
has caused the Debian Bug report #1040153,
regarding collada2gltf: embedded yajl is vulnerable to CVE-2017-16516 and CVE-2022-24795
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1040153: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040153
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: yajl
Severity: important
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
After preparing the LTS upload of yajl I've seen the following issues in
the upstream github issue tracker:
CVE-2017-16516 [1] potential buffer overread: a JSON file can cause denial of service.
CVE-2022-24795 [2] potential integer overflow which can lead to subsequent heap memory corruption when dealing with large (~2GB) input
The upstream issue tracker also indicates that there might be other vulnerabilities (without CVEs or unknown CVEs), but I did not investigate further:
https://github.com/lloyd/yajl/issues/206 (double free)
https://github.com/lloyd/yajl/issues/204 (uninitialized memory reads and out-of-bound)
It seems that the code is unmaintained upstream. It might be a good idea to evaluate if any of the forks are more active and whether Debian should move there.
Cheers,
--
tobi
[1] https://github.com/lloyd/yajl/issues/248
Potential fix:
https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
[2] https://github.com/lloyd/yajl/issues/239
Potential fix (however, the use of abort() can cause issues):
https://github.com/lloyd/yajl/pull/240
-- System Information:
Debian Release: 12.0
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'oldstable-security'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'oldstable'), (100, 'bullseye-fasttrack'), (100, 'bullseye-backports-staging'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.1.0-9-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
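The arithmetic behind the second issue in the report above (an integer overflow in buffer growth that turns into heap corruption on ~2GB input), as an added illustration that is not part of the bug report and is not taken from yajl's source tree: a hypothetical "double the capacity until the append fits" routine next to a checked variant that refuses unrepresentable requests. Capacities are modelled as uint32_t so the wraparound at 2^31 can be reproduced without allocating anything; the function names, BUF_INIT_SIZE and the sample sizes are all assumptions made for this example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical buffer-growth logic written for this illustration; it is
 * not yajl's code. Capacities are uint32_t so that the ~2 GB threshold
 * the report mentions can be shown with 32-bit arithmetic, no allocation
 * needed. */
#define BUF_INIT_SIZE 2048u

/* Unchecked growth: double 'need' until 'want' more bytes fit after 'used'.
 * Once need reaches 2^31 the next doubling wraps to 0. The loop condition
 * then compares want against (0 - used), which also wraps to a huge value,
 * so the loop exits and the caller receives 0 as the new capacity. A caller
 * that reallocs to that size and then copies 'want' bytes into it writes
 * far past the end of the block: the heap corruption the report describes.
 * (With used == 0 the wrapped need stays 0 forever, i.e. a hang instead.) */
uint32_t grow_unchecked(uint32_t len, uint32_t used, uint32_t want)
{
    uint32_t need = len ? len : BUF_INIT_SIZE;
    while (want >= need - used)
        need <<= 1;
    return need;
}

/* Checked growth: refuse any request that cannot be represented.
 * Returns the new capacity, or 0 on refusal (0 is never a valid capacity
 * here, so it is an unambiguous error signal). The upstream fix cited in
 * the report reportedly calls abort(); returning an error instead lets the
 * parser surface the condition as an ordinary parse failure. */
uint32_t grow_checked(uint32_t len, uint32_t used, uint32_t want)
{
    uint32_t need = len ? len : BUF_INIT_SIZE;

    if (used > need)                  /* broken invariant: do not trust it */
        return 0;
    if (want > UINT32_MAX - used)     /* used + want itself would wrap */
        return 0;
    while (want >= need - used) {
        if (need > UINT32_MAX / 2)    /* doubling would wrap */
            return 0;
        need <<= 1;
    }
    return need;
}

int main(void)
{
    /* Constructed inputs: a 1 GiB buffer that is nearly full receives a
     * 2 GiB append, roughly the input size the report describes. */
    uint32_t len  = 1u << 30;
    uint32_t used = (1u << 30) - 100u;
    uint32_t want = 1u << 31;

    printf("unchecked: new capacity = %" PRIu32 "\n",
           grow_unchecked(len, used, want));
    printf("checked:   new capacity = %" PRIu32 " (0 = refused)\n",
           grow_checked(len, used, want));
    printf("small append: 2048 -> %" PRIu32 "\n",
           grow_checked(2048u, 2000u, 100u));
    return 0;
}
```

The same wrap happens with a 64-bit size_t once sizes approach 2^63; the 32-bit model just makes it reachable with the ~2GB figure from the report. The check on `used + want` is separate from the check on doubling: either one alone leaves a path to a wrapped capacity.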
--- Begin Message ---
Version: 20140924-9+rm
Dear submitter,
as the package collada2gltf has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/1051399
The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.
Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.
Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
--- End Message ---