Your message dated Wed, 12 Jul 2023 21:28:39 +0300
with message-id <[email protected]>
and subject line Re: Bug#1040036: yajl: CVE-2017-16516 CVE-2022-24795
has caused the Debian Bug report #1040147,
regarding crun: embedded yajl is vulnerable to CVE-2017-16516 and CVE-2022-24795
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1040147: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040147
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: yajl
Severity: important
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>

After preparing the LTS upload of yajl I've seen the following issues in
the upstream github issue tracker:

CVE-2017-16516 [1] potential buffer overread: A JSON file can cause denial of service.

CVE-2022-24795 [2] potential integer overflow which can lead to subsequent heap memory corruption when dealing with large (~2GB) input

The upstream issue tracker also indicates that there might be other vulnerabilities
(without CVEs or unknown CVEs), but I did not investigate further:
https://github.com/lloyd/yajl/issues/206 (double free)
https://github.com/lloyd/yajl/issues/204 (Uninitialized memory reads and out-of-bound)

It seems that the code is unmaintained upstream. It might be a good idea to evaluate
if any of the forks are more active and whether Debian should move there.

Cheers,
-- 
tobi

[1] https://github.com/lloyd/yajl/issues/248
    Potential fix: 
https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce

[2] https://github.com/lloyd/yajl/issues/239
    Potential fix (however the use of abort() can cause issues.)
    https://github.com/lloyd/yajl/pull/240

-- System Information:
Debian Release: 12.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'oldstable-security'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'oldstable'), (100, 'bullseye-fasttrack'), (100, 'bullseye-backports-staging'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-9-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
On Sat, Jul 01, 2023 at 01:03:38PM +0200, Tobias Frost wrote:
> After preparing the LTS upload of yajl I've seen the following issues in
> the upstream github issue tracker:
> 
> CVE-2017-16516 [1] potential buffer overread: A JSON file can cause denial of service.
> 
> CVE-2022-24795 [2] potential integer overflow which can lead to subsequent heap memory corruption when dealing with large (~2GB) input
> 
> The upstream issue tracker also indicates that there might be other vulnerabilities
> (without CVEs or unknown CVEs), but I did not investigate further:
> https://github.com/lloyd/yajl/issues/206 (double free)
> https://github.com/lloyd/yajl/issues/204 (Uninitialized memory reads and out-of-bound)
> 
> It seems that the code is unmaintained upstream. It might be a good idea to evaluate
> if any of the forks are more active and whether Debian should move there.

With regards to crun, largely repeating what I just mentioned in another
similar bug, #1039083: the embedded copy is shipped, but not used. This
is the case for all security-supported Debian versions, and is
documented in debian/copyright.

The embedded copy is kept to avoid repacking, given upstream signs their
tarballs. It's only used if a ./configure flag is passed
(--enable-embedded-yajl). I will also add another better-safe-than-sorry
guard in override_dh_gencontrol to ensure this won't happen accidentally
for some reason.

Note for posterity that upstream's embedded copy is a forked version
with some other fixes, hosted at https://github.com/containers/yajl, as
a result of yajl not being maintained, as you mention. Sadly it looks
like that copy has not been patched against these two CVEs. Again,
nothing that affects Debian, but hopefully a useful data point with
regards to the long-term plans for libyajl.

Regards,
Faidon

--- End Message ---
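A build-time guard of the kind Faidon describes, as an added example that is not the crun package's own debian/rules code. It checks that the installed crun binary is dynamically linked against the system libyajl, which is only true when the embedded copy was left unused; the script name, the binary path and the objdump-based check are assumptions.

```sh
#!/bin/sh
# Added example (hypothetical debian/yajl-guard.sh), not part of the crun package.
# Intended to be run from debian/rules before dh_gencontrol, e.g.:
#
#   override_dh_gencontrol:
#   	debian/yajl-guard.sh debian/crun/usr/bin/crun
#   	dh_gencontrol
#
# If crun had been configured with --enable-embedded-yajl, the binary would
# carry its own copy of yajl and no NEEDED entry for libyajl.so would exist.

# Read `objdump -p` output on stdin; succeed iff some NEEDED entry names libyajl.
needs_system_yajl() {
    awk '$1 == "NEEDED" && $2 ~ /^libyajl\.so/ { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Return 0 if the binary links the system libyajl, 1 if it does not,
# 2 if the binary is missing (the package layout is an assumption).
check_crun_binary() {
    bin="$1"
    if [ ! -f "$bin" ]; then
        echo "yajl-guard: $bin not found" >&2
        return 2
    fi
    if objdump -p "$bin" | needs_system_yajl; then
        echo "yajl-guard: $bin links the system libyajl" >&2
        return 0
    fi
    echo "yajl-guard: $bin does not link libyajl; embedded copy in use?" >&2
    return 1
}

# Only act as a guard when invoked with a path; sourcing the file just defines
# the functions so they can be reused or tested.
if [ "$#" -gt 0 ]; then
    check_crun_binary "$1"
fi
```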
