yajl: fix CVE-2017-16516, CVE-2022-24795, CVE-2023-33460

Take three CVE fixes from Fedora, as the upstream repository is now dead. Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 458fd00233a73d75d43b21b86b1425d75947b154) Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Ross Burton <ross.burton@arm.com> 2023-11-07 17:00:25 +0000
committer: Armin Kuster <akuster808@gmail.com> 2024-01-05 07:52:17 -0500
commit: 0f952d12b92eb5c6f8b9dfb76d67fdffb3ac853b (patch)
tree: bdc6e689176471edbb056a874fe2f2f396d2d50d
parent: d14faecacc76c04ba7cab99e3b1d4d16c9a59b91 (diff)
download: meta-openembedded-0f952d12b92eb5c6f8b9dfb76d67fdffb3ac853b.tar.gz
4 files changed, 136 insertions, 1 deletions
diff --git a/meta-oe/recipes-devtools/yajl/yajl/CVE-2017-16516.patch b/meta-oe/recipes-devtools/yajl/yajl/CVE-2017-16516.patch
new file mode 100644
index 000000000..1241ff9e3
--- /dev/null
+++ b/meta-oe/recipes-devtools/yajl/yajl/CVE-2017-16516.patch
@@ -0,0 +1,37 @@
+From 0b5e73c4321de0ba1d495fdc0967054b2a77931c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 10 Jul 2023 13:36:10 +0100
+Subject: [PATCH] Fix for CVE-2017-16516
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Description: Fix for CVE-2017-16516
+ Potential buffer overread: A JSON file can cause denial of service.
+Origin: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
+CVE: CVE-2017-16516
+Upstream-Status: Submitted [https://github.com/lloyd/yajl/issues/248]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ src/yajl_encode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/src/yajl_encode.c b/src/yajl_encode.c
+index fd08258..0d97cc5 100644
+--- a/src/yajl_encode.c
+++ b/src/yajl_encode.c
+@@ -139,8 +139,8 @@ void yajl_string_decode(yajl_buf buf, const unsigned char * str,
+                     end+=3;
+                     /* check if this is a surrogate */
+                     if ((codepoint & 0xFC00) == 0xD800) {
+-                        end++;
+-                        if (str[end] == '\\' && str[end + 1] == 'u') {
+                        if (end + 2 < len && str[end + 1] == '\\' && str[end + 2] == 'u') {
+                            end++;
+                             unsigned int surrogate = 0;
+                             hexToDigit(&surrogate, str + end + 2);
+                             codepoint =
+-- 
+2.34.1
diff --git a/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch
new file mode 100644
index 000000000..0dc859099
--- /dev/null
+++ b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch
@@ -0,0 +1,59 @@
+From 17de4d15687aa30c49660dc4b792b1fb4d38b569 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 7 Apr 2022 17:29:54 +0200
+Subject: [PATCH] Fix CVE-2022-24795
+There was an integer overflow in yajl_buf_ensure_available() leading
+to allocating less memory than requested. Then data were written past
+the allocated heap buffer in yajl_buf_append(), the only caller of
+yajl_buf_ensure_available(). Another result of the overflow was an
+infinite loop without a return from yajl_buf_ensure_available().
+yajl-ruby project, which bundles yajl, fixed it
+<https://github.com/brianmario/yajl-ruby/pull/211> by checking for the
+integer overflow, fortifying buffer allocations, and report the
+failures to a caller. But then the caller yajl_buf_append() skips
+a memory write if yajl_buf_ensure_available() failed leading to a data
+corruption.
+A yajl fork mainter recommended calling memory allocation callbacks with
+the large memory request and let them to handle it. But that has the
+problem that it's not possible pass the overely large size to the
+callbacks.
+This patch catches the integer overflow and terminates the process
+with abort().
+CVE: CVE-2022-24795
+Upstream-Status: Submitted [https://github.com/lloyd/yajl/issues/239]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ src/yajl_buf.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+diff --git a/src/yajl_buf.c b/src/yajl_buf.c
+index 1aeafde..55c11ad 100644
+--- a/src/yajl_buf.c
+++ b/src/yajl_buf.c
+@@ -45,7 +45,17 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want)
+ 
+     need = buf->len;
+ 
+-    while (want >= (need - buf->used)) need <<= 1;
+    if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) {
+        /* We cannot allocate more memory than SIZE_MAX. */
+        abort();
+    }
+    while (want >= (need - buf->used)) {
+        if (need >= (size_t)((size_t)(-1)<<1)>>1) {
+            /* need would overflow. */
+            abort();
+        }
+        need <<= 1;
+    }
+ 
+     if (need != buf->len) {
+         buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
+-- 
+2.34.1
diff --git a/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460.patch b/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460.patch
new file mode 100644
index 000000000..47454dc8a
--- /dev/null
+++ b/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460.patch
@@ -0,0 +1,35 @@
+Fix memory leaks.  Taken from the Fedora packaging (https://src.fedoraproject.org/rpms/yajl)
+where it was backported from openEuler.
+CVE: CVE-2023-33460
+Upstream-Status: Submitted [https://github.com/lloyd/yajl/issues/250]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+diff --git a/src/yajl_tree.c b/src/yajl_tree.c
+index 3d357a3..56c7012 100644
+--- a/src/yajl_tree.c
+++ b/src/yajl_tree.c
+@@ -143,7 +143,7 @@ static yajl_val context_pop(context_t *ctx)
+     ctx->stack = stack->next;
+ 
+     v = stack->value;
+-
+    free (stack->key);
+     free (stack);
+ 
+     return (v);
+@@ -444,7 +444,14 @@ yajl_val yajl_tree_parse (const char *input,
+              snprintf(error_buffer, error_buffer_size, "%s", internal_err_str);
+              YA_FREE(&(handle->alloc), internal_err_str);
+         }
+        while(ctx.stack != NULL) {
+             yajl_val v = context_pop(&ctx);
+             yajl_tree_free(v);
+        }
+         yajl_free (handle);
+       //If the requested memory is not released in time, it will cause memory leakage
+       if(ctx.root)
+            yajl_tree_free(ctx.root);
+         return NULL;
+     }
+ 
diff --git a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb
index cf8dbb183..2a34210f3 100644
--- a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb
+++ b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb
@@ -8,7 +8,11 @@ HOMEPAGE = "http://lloyd.github.com/yajl/"
 LICENSE = "ISC"
 LIC_FILES_CHKSUM = "file://COPYING;md5=39af6eb42999852bdd3ea00ad120a36d"
-SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https"
+SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https \
+           file://CVE-2017-16516.patch \
+           file://CVE-2022-24795.patch \
+           file://CVE-2023-33460.patch \
+           "
 SRCREV = "a0ecdde0c042b9256170f2f8890dd9451a4240aa"
 S = "${WORKDIR}/git"
author	Ross Burton <ross.burton@arm.com>	2023-11-07 17:00:25 +0000
committer	Armin Kuster <akuster808@gmail.com>	2024-01-05 07:52:17 -0500
commit	0f952d12b92eb5c6f8b9dfb76d67fdffb3ac853b (patch)
tree	bdc6e689176471edbb056a874fe2f2f396d2d50d
parent	d14faecacc76c04ba7cab99e3b1d4d16c9a59b91 (diff)
download	meta-openembedded-0f952d12b92eb5c6f8b9dfb76d67fdffb3ac853b.tar.gz

diff --git a/meta-oe/recipes-devtools/yajl/yajl/CVE-2017-16516.patch b/meta-oe/recipes-devtools/yajl/yajl/CVE-2017-16516.patch new file mode 100644 index 000000000..1241ff9e3 --- /dev/null +++ b/meta-oe/recipes-devtools/yajl/yajl/CVE-2017-16516.patch
@@ -0,0 +1,37 @@
		1	From 0b5e73c4321de0ba1d495fdc0967054b2a77931c Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
		3	Date: Mon, 10 Jul 2023 13:36:10 +0100
		4	Subject: [PATCH] Fix for CVE-2017-16516
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Description: Fix for CVE-2017-16516
		10	Potential buffer overread: A JSON file can cause denial of service.
		11	Origin: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
		12
		13	CVE: CVE-2017-16516
		14	Upstream-Status: Submitted [https://github.com/lloyd/yajl/issues/248]
		15	Signed-off-by: Ross Burton <ross.burton@arm.com>
		16	---
		17	src/yajl_encode.c \| 4 ++--
		18	1 file changed, 2 insertions(+), 2 deletions(-)
		19
		20	diff --git a/src/yajl_encode.c b/src/yajl_encode.c
		21	index fd08258..0d97cc5 100644
		22	--- a/src/yajl_encode.c
		23	+++ b/src/yajl_encode.c
		24	@@ -139,8 +139,8 @@ void yajl_string_decode(yajl_buf buf, const unsigned char * str,
		25	end+=3;
		26	/* check if this is a surrogate */
		27	if ((codepoint & 0xFC00) == 0xD800) {
		28	- end++;
		29	- if (str[end] == '\\' && str[end + 1] == 'u') {
		30	+ if (end + 2 < len && str[end + 1] == '\\' && str[end + 2] == 'u') {
		31	+ end++;
		32	unsigned int surrogate = 0;
		33	hexToDigit(&surrogate, str + end + 2);
		34	codepoint =
		35	--
		36	2.34.1
		37


diff --git a/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch new file mode 100644 index 000000000..0dc859099 --- /dev/null +++ b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch
@@ -0,0 +1,59 @@
		1	From 17de4d15687aa30c49660dc4b792b1fb4d38b569 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
		3	Date: Thu, 7 Apr 2022 17:29:54 +0200
		4	Subject: [PATCH] Fix CVE-2022-24795
		5
		6	There was an integer overflow in yajl_buf_ensure_available() leading
		7	to allocating less memory than requested. Then data were written past
		8	the allocated heap buffer in yajl_buf_append(), the only caller of
		9	yajl_buf_ensure_available(). Another result of the overflow was an
		10	infinite loop without a return from yajl_buf_ensure_available().
		11
		12	yajl-ruby project, which bundles yajl, fixed it
		13	<https://github.com/brianmario/yajl-ruby/pull/211> by checking for the
		14	integer overflow, fortifying buffer allocations, and report the
		15	failures to a caller. But then the caller yajl_buf_append() skips
		16	a memory write if yajl_buf_ensure_available() failed leading to a data
		17	corruption.
		18
		19	A yajl fork mainter recommended calling memory allocation callbacks with
		20	the large memory request and let them to handle it. But that has the
		21	problem that it's not possible pass the overely large size to the
		22	callbacks.
		23
		24	This patch catches the integer overflow and terminates the process
		25	with abort().
		26
		27	CVE: CVE-2022-24795
		28	Upstream-Status: Submitted [https://github.com/lloyd/yajl/issues/239]
		29	Signed-off-by: Ross Burton <ross.burton@arm.com>
		30	---
		31	src/yajl_buf.c \| 12 +++++++++++-
		32	1 file changed, 11 insertions(+), 1 deletion(-)
		33
		34	diff --git a/src/yajl_buf.c b/src/yajl_buf.c
		35	index 1aeafde..55c11ad 100644
		36	--- a/src/yajl_buf.c
		37	+++ b/src/yajl_buf.c
		38	@@ -45,7 +45,17 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want)
		39
		40	need = buf->len;
		41
		42	- while (want >= (need - buf->used)) need <<= 1;
		43	+ if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) {
		44	+ /* We cannot allocate more memory than SIZE_MAX. */
		45	+ abort();
		46	+ }
		47	+ while (want >= (need - buf->used)) {
		48	+ if (need >= (size_t)((size_t)(-1)<<1)>>1) {
		49	+ /* need would overflow. */
		50	+ abort();
		51	+ }
		52	+ need <<= 1;
		53	+ }
		54
		55	if (need != buf->len) {
		56	buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
		57	--
		58	2.34.1
		59


diff --git a/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460.patch b/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460.patch new file mode 100644 index 000000000..47454dc8a --- /dev/null +++ b/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460.patch
@@ -0,0 +1,35 @@
		1	Fix memory leaks. Taken from the Fedora packaging (https://src.fedoraproject.org/rpms/yajl)
		2	where it was backported from openEuler.
		3
		4	CVE: CVE-2023-33460
		5	Upstream-Status: Submitted [https://github.com/lloyd/yajl/issues/250]
		6	Signed-off-by: Ross Burton <ross.burton@arm.com>
		7
		8	diff --git a/src/yajl_tree.c b/src/yajl_tree.c
		9	index 3d357a3..56c7012 100644
		10	--- a/src/yajl_tree.c
		11	+++ b/src/yajl_tree.c
		12	@@ -143,7 +143,7 @@ static yajl_val context_pop(context_t *ctx)
		13	ctx->stack = stack->next;
		14
		15	v = stack->value;
		16	-
		17	+ free (stack->key);
		18	free (stack);
		19
		20	return (v);
		21	@@ -444,7 +444,14 @@ yajl_val yajl_tree_parse (const char *input,
		22	snprintf(error_buffer, error_buffer_size, "%s", internal_err_str);
		23	YA_FREE(&(handle->alloc), internal_err_str);
		24	}
		25	+ while(ctx.stack != NULL) {
		26	+ yajl_val v = context_pop(&ctx);
		27	+ yajl_tree_free(v);
		28	+ }
		29	yajl_free (handle);
		30	+ //If the requested memory is not released in time, it will cause memory leakage
		31	+ if(ctx.root)
		32	+ yajl_tree_free(ctx.root);
		33	return NULL;
		34	}
		35


diff --git a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb index cf8dbb183..2a34210f3 100644 --- a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb +++ b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb
@@ -8,7 +8,11 @@ HOMEPAGE = "http://lloyd.github.com/yajl/"
8	LICENSE = "ISC"	8	LICENSE = "ISC"
9	LIC_FILES_CHKSUM = "file://COPYING;md5=39af6eb42999852bdd3ea00ad120a36d"	9	LIC_FILES_CHKSUM = "file://COPYING;md5=39af6eb42999852bdd3ea00ad120a36d"
10		10
11	SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https"	11	SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https \
		12	file://CVE-2017-16516.patch \
		13	file://CVE-2022-24795.patch \
		14	file://CVE-2023-33460.patch \
		15	"
12	SRCREV = "a0ecdde0c042b9256170f2f8890dd9451a4240aa"	16	SRCREV = "a0ecdde0c042b9256170f2f8890dd9451a4240aa"
13		17
14	S = "${WORKDIR}/git"	18	S = "${WORKDIR}/git"