yajl: backport Debian patch for CVE-2022-24795

import patch from ubuntu to fix CVE-2022-24795 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/yajl/tree/debian/patches/?h=ubuntu%2Ffocal-security Upstream commit https://github.com/ppisar/yajl/commit/23cea2d7677e396efed78bbf1bf153961fab6bad] Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2024-06-04 09:25:27 +0530
committer: Armin Kuster <akuster808@gmail.com> 2024-06-27 11:23:55 -0400
commit: bbbe4d53206f8d545effaa2a1f1caaf9811f8daf (patch)
tree: cdedb8c8f35c15d315d8e1ceea4e4c46e8755b5e /meta-oe
parent: 9fd5ae9132c4d9f5a9b7a272be2ad24bd238f8b6 (diff)
download: meta-openembedded-bbbe4d53206f8d545effaa2a1f1caaf9811f8daf.tar.gz
2 files changed, 62 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch
new file mode 100644
index 0000000000..4de46e699d
--- /dev/null
+++ b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch
@@ -0,0 +1,61 @@
+From 23cea2d7677e396efed78bbf1bf153961fab6bad Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 7 Apr 2022 17:29:54 +0200
+Subject: [PATCH] Fix CVE-2022-24795
+There was an integer overflow in yajl_buf_ensure_available() leading
+to allocating less memory than requested. Then data were written past
+the allocated heap buffer in yajl_buf_append(), the only caller of
+yajl_buf_ensure_available(). Another result of the overflow was an
+infinite loop without a return from yajl_buf_ensure_available().
+yajl-ruby project, which bundles yajl, fixed it
+<https://github.com/brianmario/yajl-ruby/pull/211> by checking for the
+integer overflow, fortifying buffer allocations, and report the
+failures to a caller. But then the caller yajl_buf_append() skips
+a memory write if yajl_buf_ensure_available() failed leading to a data
+corruption.
+A yajl fork mainter recommended calling memory allocation callbacks with
+the large memory request and let them to handle it. But that has the
+problem that it's not possible pass the overely large size to the
+callbacks.
+This patch catches the integer overflow and terminates the process
+with abort().
+https://github.com/lloyd/yajl/issues/239
+https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/yajl/tree/debian/patches/CVE-2022-24795.patch
+Upstream commit
+https://github.com/ppisar/yajl/commit/23cea2d7677e396efed78bbf1bf153961fab6bad]
+CVE: CVE-2022-24795
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/yajl_buf.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+diff --git a/src/yajl_buf.c b/src/yajl_buf.c
+index 1aeafde0..55c11add 100644
+--- a/src/yajl_buf.c
+++ b/src/yajl_buf.c
+@@ -45,7 +45,17 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want)
+ 
+     need = buf->len;
+ 
+-    while (want >= (need - buf->used)) need <<= 1;
+    if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) {
+        /* We cannot allocate more memory than SIZE_MAX. */
+        abort();
+    }
+    while (want >= (need - buf->used)) {
+        if (need >= (size_t)((size_t)(-1)<<1)>>1) {
+            /* need would overflow. */
+            abort();
+        }
+        need <<= 1;
+    }
+ 
+     if (need != buf->len) {
+         buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
diff --git a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb
index 697f54d9fb..eca709cc17 100644
--- a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb
+++ b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb
@@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=39af6eb42999852bdd3ea00ad120a36d"
 SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https \
           file://CVE-2023-33460.patch \
+           file://CVE-2022-24795.patch \
          "
 SRCREV = "a0ecdde0c042b9256170f2f8890dd9451a4240aa"
author	Vijay Anusuri <vanusuri@mvista.com>	2024-06-04 09:25:27 +0530
committer	Armin Kuster <akuster808@gmail.com>	2024-06-27 11:23:55 -0400
commit	bbbe4d53206f8d545effaa2a1f1caaf9811f8daf (patch)
tree	cdedb8c8f35c15d315d8e1ceea4e4c46e8755b5e /meta-oe
parent	9fd5ae9132c4d9f5a9b7a272be2ad24bd238f8b6 (diff)
download	meta-openembedded-bbbe4d53206f8d545effaa2a1f1caaf9811f8daf.tar.gz

diff --git a/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch new file mode 100644 index 0000000000..4de46e699d --- /dev/null +++ b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch
@@ -0,0 +1,61 @@
		1	From 23cea2d7677e396efed78bbf1bf153961fab6bad Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
		3	Date: Thu, 7 Apr 2022 17:29:54 +0200
		4	Subject: [PATCH] Fix CVE-2022-24795
		5
		6	There was an integer overflow in yajl_buf_ensure_available() leading
		7	to allocating less memory than requested. Then data were written past
		8	the allocated heap buffer in yajl_buf_append(), the only caller of
		9	yajl_buf_ensure_available(). Another result of the overflow was an
		10	infinite loop without a return from yajl_buf_ensure_available().
		11
		12	yajl-ruby project, which bundles yajl, fixed it
		13	<https://github.com/brianmario/yajl-ruby/pull/211> by checking for the
		14	integer overflow, fortifying buffer allocations, and report the
		15	failures to a caller. But then the caller yajl_buf_append() skips
		16	a memory write if yajl_buf_ensure_available() failed leading to a data
		17	corruption.
		18
		19	A yajl fork mainter recommended calling memory allocation callbacks with
		20	the large memory request and let them to handle it. But that has the
		21	problem that it's not possible pass the overely large size to the
		22	callbacks.
		23
		24	This patch catches the integer overflow and terminates the process
		25	with abort().
		26
		27	https://github.com/lloyd/yajl/issues/239
		28	https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
		29
		30	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/yajl/tree/debian/patches/CVE-2022-24795.patch
		31	Upstream commit
		32	https://github.com/ppisar/yajl/commit/23cea2d7677e396efed78bbf1bf153961fab6bad]
		33	CVE: CVE-2022-24795
		34	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		35	---
		36	src/yajl_buf.c \| 12 +++++++++++-
		37	1 file changed, 11 insertions(+), 1 deletion(-)
		38
		39	diff --git a/src/yajl_buf.c b/src/yajl_buf.c
		40	index 1aeafde0..55c11add 100644
		41	--- a/src/yajl_buf.c
		42	+++ b/src/yajl_buf.c
		43	@@ -45,7 +45,17 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want)
		44
		45	need = buf->len;
		46
		47	- while (want >= (need - buf->used)) need <<= 1;
		48	+ if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) {
		49	+ /* We cannot allocate more memory than SIZE_MAX. */
		50	+ abort();
		51	+ }
		52	+ while (want >= (need - buf->used)) {
		53	+ if (need >= (size_t)((size_t)(-1)<<1)>>1) {
		54	+ /* need would overflow. */
		55	+ abort();
		56	+ }
		57	+ need <<= 1;
		58	+ }
		59
		60	if (need != buf->len) {
		61	buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);


diff --git a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb index 697f54d9fb..eca709cc17 100644 --- a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb +++ b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb
@@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=39af6eb42999852bdd3ea00ad120a36d"
10		10
11	SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https \	11	SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https \
12	file://CVE-2023-33460.patch \	12	file://CVE-2023-33460.patch \
		13	file://CVE-2022-24795.patch \
13	"	14	"
14	SRCREV = "a0ecdde0c042b9256170f2f8890dd9451a4240aa"	15	SRCREV = "a0ecdde0c042b9256170f2f8890dd9451a4240aa"
15		16