4 files changed, 136 insertions, 1 deletions
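--- /dev/null
+++ b/meta-oe/recipes-devtools/yajl/yajl/CVE-2017-16516.patch
@@ -0,0 +1,37 @@
+From 0b5e73c4321de0ba1d495fdc0967054b2a77931c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 10 Jul 2023 13:36:10 +0100
+Subject: [PATCH] Fix for CVE-2017-16516
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Description: Fix for CVE-2017-16516
+Potential buffer overread: A JSON file can cause denial of service.
+Origin: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
+
+CVE: CVE-2017-16516
+Upstream-Status: Submitted [https://github.com/lloyd/yajl/issues/248]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+src/yajl_encode.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/yajl_encode.c b/src/yajl_encode.c
+index fd08258..0d97cc5 100644
+--- a/src/yajl_encode.c
++++ b/src/yajl_encode.c
+@@ -139,8 +139,8 @@ void yajl_string_decode(yajl_buf buf, const unsigned char * str,
+end+=3;
+/* check if this is a surrogate */
+if ((codepoint & 0xFC00) == 0xD800) {
+- end++;
+- if (str[end] == '\\' && str[end + 1] == 'u') {
++ if (end + 2 < len && str[end + 1] == '\\' && str[end + 2] == 'u') {
++ end++;
+unsigned int surrogate = 0;
+hexToDigit(&surrogate, str + end + 2);
+codepoint =
+--
+2.34.1
+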
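Review bot: The new guard `end + 2 < len` only covers the `\` and `u` of a following escape; the four hex digits that `hexToDigit(&surrogate, str + end + 2)` reads after `end++` sit at `end + 3 .. end + 6` relative to the checked position and are still not compared with `len`. That is safe only if the lexer has already verified that every `\u` is followed by four hex digits, which this hunk cannot show; either widen the guard to `if (end + 6 < len && str[end + 1] == '\\' && str[end + 2] == 'u') {` or record the assumption with `/* lexer guarantees 4 hex digits follow every \u, so only the escape prefix needs a bounds check */`. The rewrite also moves `end++` inside the condition, so when no low surrogate follows `end` is left one position earlier than before — a behaviour change the patch header does not mention (the else branch is outside the hunk). yajl_string_decode starts and ends outside the hunk.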
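--- /dev/null
+++ b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch
@@ -0,0 +1,59 @@
+From 17de4d15687aa30c49660dc4b792b1fb4d38b569 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 7 Apr 2022 17:29:54 +0200
+Subject: [PATCH] Fix CVE-2022-24795
+
+There was an integer overflow in yajl_buf_ensure_available() leading
+to allocating less memory than requested. Then data were written past
+the allocated heap buffer in yajl_buf_append(), the only caller of
+yajl_buf_ensure_available(). Another result of the overflow was an
+infinite loop without a return from yajl_buf_ensure_available().
+
+yajl-ruby project, which bundles yajl, fixed it
+<https://github.com/brianmario/yajl-ruby/pull/211> by checking for the
+integer overflow, fortifying buffer allocations, and report the
+failures to a caller. But then the caller yajl_buf_append() skips
+a memory write if yajl_buf_ensure_available() failed leading to a data
+corruption.
+
+A yajl fork mainter recommended calling memory allocation callbacks with
+the large memory request and let them to handle it. But that has the
+problem that it's not possible pass the overely large size to the
+callbacks.
+
+This patch catches the integer overflow and terminates the process
+with abort().
+
+CVE: CVE-2022-24795
+Upstream-Status: Submitted [https://github.com/lloyd/yajl/issues/239]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+src/yajl_buf.c | 12 +++++++++++-
+1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/yajl_buf.c b/src/yajl_buf.c
+index 1aeafde..55c11ad 100644
+--- a/src/yajl_buf.c
++++ b/src/yajl_buf.c
+@@ -45,7 +45,17 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want)
+
+need = buf->len;
+
+- while (want >= (need - buf->used)) need <<= 1;
++ if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) {
++ /* We cannot allocate more memory than SIZE_MAX. */
++ abort();
++ }
++ while (want >= (need - buf->used)) {
++ if (need >= (size_t)((size_t)(-1)<<1)>>1) {
++ /* need would overflow. */
++ abort();
++ }
++ need <<= 1;
++ }
+
+if (need != buf->len) {
+buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
+--
+2.34.1
+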
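Review bot: The two overflow guards in the yajl_buf_ensure_available hunk are written as arithmetic puzzles — `((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)` and `need >= (size_t)((size_t)(-1)<<1)>>1` — that a reader has to decode before trusting; once the cast and shift bind, the second bound is simply `SIZE_MAX >> 1`. Writing them as `if (want > SIZE_MAX - buf->used) abort();` and `if (need >= SIZE_MAX / 2) abort();` keeps the same conditions and states what is being checked, provided yajl_buf.c already includes `<stdint.h>` (the hunk adds no include). A comment above the loop such as `/* need doubles until want fits; stop before the shift can wrap */` would also spare the next reader the derivation. yajl_buf_ensure_available starts and ends outside the hunk.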
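--- /dev/null
+++ b/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460.patch
@@ -0,0 +1,35 @@
+Fix memory leaks. Taken from the Fedora packaging (https://src.fedoraproject.org/rpms/yajl)
+where it was backported from openEuler.
+
+CVE: CVE-2023-33460
+Upstream-Status: Submitted [https://github.com/lloyd/yajl/issues/250]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+diff --git a/src/yajl_tree.c b/src/yajl_tree.c
+index 3d357a3..56c7012 100644
+--- a/src/yajl_tree.c
++++ b/src/yajl_tree.c
+@@ -143,7 +143,7 @@ static yajl_val context_pop(context_t *ctx)
+ctx->stack = stack->next;
+
+v = stack->value;
+-
++ free (stack->key);
+free (stack);
+
+return (v);
+@@ -444,7 +444,14 @@ yajl_val yajl_tree_parse (const char *input,
+snprintf(error_buffer, error_buffer_size, "%s", internal_err_str);
+YA_FREE(&(handle->alloc), internal_err_str);
+}
++ while(ctx.stack != NULL) {
++ yajl_val v = context_pop(&ctx);
++ yajl_tree_free(v);
++ }
+yajl_free (handle);
++ //If the requested memory is not released in time, it will cause memory leakage
++ if(ctx.root)
++ yajl_tree_free(ctx.root);
+return NULL;
+}
+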
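Review bot: The comment added before `if(ctx.root)` in the yajl_tree_parse hunk uses `//` where the surrounding code uses `/* */`, and it only says memory would leak without telling the reader why freeing the popped stack values and then `ctx.root` cannot free the same node twice. Replacing it with `/* Drop the partially built tree: values still on the stack have not been attached to a parent, and root is only set once the outermost value closed, so each node is freed exactly once. */` records the invariant this cleanup relies on; that invariant is not visible in this hunk and should be confirmed against context_add_value before the patch is trusted. The `while(` and `if(` spacing also differs from the `free (stack)` style visible in the context_pop hunk. The `free (stack->key)` added to context_pop is safe on the normal end-of-object path only if no key is pending there, which the hunk does not show; yajl_tree_parse continues outside the hunk.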
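--- a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb
+++ b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb
@@ -8,7 +8,11 @@ HOMEPAGE = "http://lloyd.github.com/yajl/"
 LICENSE = "ISC"
 LIC_FILES_CHKSUM = "file://COPYING;md5=39af6eb42999852bdd3ea00ad120a36d"
 
-SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https"
+SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https \
+file://CVE-2017-16516.patch \
+file://CVE-2022-24795.patch \
+file://CVE-2023-33460.patch \
+"
 SRCREV = "a0ecdde0c042b9256170f2f8890dd9451a4240aa"
 
 S = "${WORKDIR}/git"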