Package: yajl
Version: 2.1.0-3
Severity: normal
Tags: patch  pending

Dear maintainer,

I've prepared an NMU for yajl (versioned as 2.1.0-3.1) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

Regards.

diff -Nru yajl-2.1.0/debian/changelog yajl-2.1.0/debian/changelog
--- yajl-2.1.0/debian/changelog	2018-10-03 00:51:58.000000000 +0200
+++ yajl-2.1.0/debian/changelog	2023-07-01 14:38:32.000000000 +0200
@@ -1,3 +1,11 @@
+yajl (2.1.0-3.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Import upstream patch for CVE-2023-33460. (Closes: #1039984)
+  * Fix d/control Homepage field (Closes: #1040034)
+
+ -- Tobias Frost <t...@debian.org>  Sat, 01 Jul 2023 14:38:32 +0200
+
 yajl (2.1.0-3) unstable; urgency=medium
 
   [ Jelmer Vernooij ]
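Review bot: the new changelog entry targets `UNRELEASED` (`+yajl (2.1.0-3.1) UNRELEASED; urgency=medium`), yet the cover mail says the NMU has already been uploaded to DELAYED/10; the archive will not accept an upload whose distribution is `UNRELEASED`, so the CVE-2023-33460 fix would never reach unstable. Change the distribution to `unstable` before the delayed upload is processed.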
diff -Nru yajl-2.1.0/debian/control yajl-2.1.0/debian/control
--- yajl-2.1.0/debian/control	2018-10-02 23:59:41.000000000 +0200
+++ yajl-2.1.0/debian/control	2023-07-01 14:38:32.000000000 +0200
@@ -5,7 +5,7 @@
 Build-Depends: debhelper (>= 11), cmake, doxygen
 Standards-Version: 4.2.1
 Rules-Requires-Root: no
-Homepage: http://lloyd.github.com/yajl/
+Homepage: https://lloyd.github.io/yajl/
 Vcs-Browser: https://github.com/jstamp/yajl
 Vcs-Git: https://github.com/jstamp/yajl.git
 
diff -Nru yajl-2.1.0/debian/patches/CVE-2023-33460.patch yajl-2.1.0/debian/patches/CVE-2023-33460.patch
--- yajl-2.1.0/debian/patches/CVE-2023-33460.patch	1970-01-01 01:00:00.000000000 +0100
+++ yajl-2.1.0/debian/patches/CVE-2023-33460.patch	2023-07-01 14:38:32.000000000 +0200
@@ -0,0 +1,21 @@
+Description: Fix for CVE-2023-33460a
+ Memory leak in yajl 2.1.0 with use of yajl_tree_parse function
+Origin: https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039984
+Bug: https://github.com/lloyd/yajl/issues/250
+---
+ src/yajl_tree.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/src/yajl_tree.c
++++ b/src/yajl_tree.c
+@@ -445,6 +445,9 @@
+              YA_FREE(&(handle->alloc), internal_err_str);
+         }
+         yajl_free (handle);
++	//If the requested memory is not released in time, it will cause memory leakage
++	if(ctx.root)
++	     yajl_tree_free(ctx.root);
+         return NULL;
+     }
+ 
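Review bot: the DEP-3 `Description:` line of the new patch file carries a stray trailing character, `Fix for CVE-2023-33460a`, which will mislead anyone grepping the patch tree for the CVE id; drop the `a`. In the same file the three added C lines are indented with a tab while the surrounding yajl_tree.c context uses spaces, and the comment uses `//` where the rest of the visible context suggests the file's style; re-indenting with spaces keeps the patch consistent with upstream and avoids spurious diffs if the file is later refreshed.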
diff -Nru yajl-2.1.0/debian/patches/series yajl-2.1.0/debian/patches/series
--- yajl-2.1.0/debian/patches/series	2015-09-25 14:44:02.000000000 +0200
+++ yajl-2.1.0/debian/patches/series	2023-07-01 14:37:45.000000000 +0200
@@ -1,2 +1,3 @@
 dynamically-link-tools.patch
 multiarch.patch
+CVE-2023-33460.patch
