Package: yajl
Version: 2.1.0-3
Severity: normal
Tags: patch pending
Dear maintainer,

I've prepared an NMU for yajl (versioned as 2.1.0-3.1) and uploaded it to DELAYED/10. Please feel free to tell me if I should delay it longer.

Regards.
diff -Nru yajl-2.1.0/debian/changelog yajl-2.1.0/debian/changelog --- yajl-2.1.0/debian/changelog 2018-10-03 00:51:58.000000000 +0200 +++ yajl-2.1.0/debian/changelog 2023-07-01 14:38:32.000000000 +0200 @@ -1,3 +1,11 @@ +yajl (2.1.0-3.1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Import upstream patch for CVE-2023-33460. (Closes: #1039984) + * Fix d/control Homepage field (Closes: #1040034) + + -- Tobias Frost <t...@debian.org> Sat, 01 Jul 2023 14:38:32 +0200 + yajl (2.1.0-3) unstable; urgency=medium [ Jelmer Vernooij ] diff -Nru yajl-2.1.0/debian/control yajl-2.1.0/debian/control --- yajl-2.1.0/debian/control 2018-10-02 23:59:41.000000000 +0200 +++ yajl-2.1.0/debian/control 2023-07-01 14:38:32.000000000 +0200 @@ -5,7 +5,7 @@ Build-Depends: debhelper (>= 11), cmake, doxygen Standards-Version: 4.2.1 Rules-Requires-Root: no -Homepage: http://lloyd.github.com/yajl/ +Homepage: https://lloyd.github.io/yajl/ Vcs-Browser: https://github.com/jstamp/yajl Vcs-Git: https://github.com/jstamp/yajl.git diff -Nru yajl-2.1.0/debian/patches/CVE-2023-33460.patch yajl-2.1.0/debian/patches/CVE-2023-33460.patch --- yajl-2.1.0/debian/patches/CVE-2023-33460.patch 1970-01-01 01:00:00.000000000 +0100 +++ yajl-2.1.0/debian/patches/CVE-2023-33460.patch 2023-07-01 14:38:32.000000000 +0200 
@@ -0,0 +1,21 @@ +Description: Fix for CVE-2023-33460a + Memory leak in yajl 2.1.0 with use of yajl_tree_parse function +Origin: https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039984 +Bug: https://github.com/lloyd/yajl/issues/250 +--- + src/yajl_tree.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/src/yajl_tree.c ++++ b/src/yajl_tree.c +@@ -445,6 +445,9 @@ + YA_FREE(&(handle->alloc), internal_err_str); + } + yajl_free (handle); ++ //If the requested memory is not released in time, it will cause memory leakage ++ if(ctx.root) ++ yajl_tree_free(ctx.root); + return NULL; + } + diff -Nru yajl-2.1.0/debian/patches/series yajl-2.1.0/debian/patches/series --- yajl-2.1.0/debian/patches/series 2015-09-25 14:44:02.000000000 +0200 +++ yajl-2.1.0/debian/patches/series 2023-07-01 14:37:45.000000000 +0200 @@ -1,2 +1,3 @@ dynamically-link-tools.patch multiarch.patch +CVE-2023-33460.patch
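Review bot: the new changelog entry carries `UNRELEASED` as its distribution (`+yajl (2.1.0-3.1) UNRELEASED; urgency=medium`), while the cover mail says the NMU is already in DELAYED/10; a source package built from this tree has no valid target suite, so the line should read `unstable` and the posted diff should be regenerated from the tree that was actually uploaded so reviewers see what the archive will get.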
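Review bot: the DEP-3 header of the new patch has a typo, `Description: Fix for CVE-2023-33460a`, where the file name, changelog and Bug-Debian link all use CVE-2023-33460; drop the trailing `a` so the header matches the identifier it is tracked under. On the hunk itself, `if(ctx.root) yajl_tree_free(ctx.root);` releases only a value that already became the root of the tree; please check that a parse aborted while a container is still open does not leave partially built values referenced from somewhere other than `ctx.root` (for example on the context's stack), because this hunk would not free those. Two smaller points: the `Origin:` URL is a commit from a fork, not lloyd/yajl, so a category prefix such as `Origin: other, https://...` would document that; and the added lines use `//` comments and `if(` where the surrounding yajl_tree.c uses `/* */` and `if (`, so matching the file's style would keep the patch easier to carry forward.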