Your message dated Mon, 24 Jul 2023 16:32:24 +0000
with message-id <[email protected]>
and subject line Bug#1039984: fixed in yajl 2.1.0-3+deb11u2
has caused the Debian Bug report #1039984,
regarding yajl: CVE-2023-33460: Memory leak in yajl 2.1.0 with use of
yajl_tree_parse function
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1039984: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039984
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: yajl
Version: 2.1.0-2
Severity: important
Tags: security upstream patch
X-Debbugs-Cc: Debian Security Team <[email protected]>
The following CVE was published for yajl:
CVE-2023-33460[0]:
There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function. which
will cause out-of-memory in server and cause crash.
Upstream Issue [1] links to a potential patch [2]
I'm filing this bug as I'm going to fix the issue for ELTS (stretch/jessie)
and then possibly also will NMU for sid, bookworm and bullseye and buster.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
[0] https://security-tracker.debian.org/tracker/CVE-2023-33460
[1] https://github.com/lloyd/yajl/issues/250
[2]
https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698
--
Cheers,
tobi
-- System Information:
Debian Release: 12.0
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'oldstable-security'), (500,
'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'oldstable'), (100,
'bullseye-fasttrack'), (100, 'bullseye-backports-staging'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.1.0-9-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: yajl
Source-Version: 2.1.0-3+deb11u2
Done: Tobias Frost <[email protected]>
We believe that the bug you reported is fixed in the latest version of
yajl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tobias Frost <[email protected]> (supplier of updated yajl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 11 Jul 2023 19:55:30 +0200
Source: yajl
Architecture: source
Version: 2.1.0-3+deb11u2
Distribution: bullseye
Urgency: medium
Maintainer: John Stamp <[email protected]>
Changed-By: Tobias Frost <[email protected]>
Closes: 1039984 1040036
Changes:
yajl (2.1.0-3+deb11u2) bullseye; urgency=medium
.
[Tobias Frost]
* Non-maintainer upload.
* Cherry pick John's CVE fixes from 2.1.0-4 and 2.1.0-5:
- CVE-2017-16516: Potential in a denial of service with crafted JSON
file
- CVE-2022-24795: integer overflow which leads to subsequent heap
memory corruption when dealing with large (~2GB) inputs.
- CVE-2023-33460: memory leak which potentially can lead to a out-of-
memory situation and cause a crash.
.
[John Stamp]
* Patch CVE-2017-16516 and CVE-2022-24795 (Closes: #1040036)
* The patch for CVE-2023-33460 turned out to be incomplete. Fix that.
(Closes: #1039984)
Checksums-Sha1:
aac9ad12d9a96cf7f143dd2519d8eabde9f8ffd0 1980 yajl_2.1.0-3+deb11u2.dsc
ef79354e2721a96be367b8e809baead570c12924 7052
yajl_2.1.0-3+deb11u2.debian.tar.xz
c76501121b4057271c957f2bbed9cf512dbf2726 8644
yajl_2.1.0-3+deb11u2_amd64.buildinfo
Checksums-Sha256:
2ba7f52774411086f7f082cdd7e7928f081216aa596c9660b5ad3de9ba875711 1980
yajl_2.1.0-3+deb11u2.dsc
e942586d6f7990304843050d50d843734fd608f0a3f6b48660972cd93e888799 7052
yajl_2.1.0-3+deb11u2.debian.tar.xz
73ca068f275aee58fc338772cc6106e7e8110a2f47a2d74f52d8e29813920da3 8644
yajl_2.1.0-3+deb11u2_amd64.buildinfo
Files:
d8b1bc027f7e03ec2b13bf0029407b94 1980 libs optional yajl_2.1.0-3+deb11u2.dsc
148b03e929b561f70bfe86cc01b91eb3 7052 libs optional
yajl_2.1.0-3+deb11u2.debian.tar.xz
29a846e44b783f13c0055245aa20ccbc 8644 libs optional
yajl_2.1.0-3+deb11u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEE/d0M/zhkJ3YwohhskWT6HRe9XTYFAmS9TnEACgkQkWT6HRe9
XTYZBg//fHytlnzn1HUfU4g9rejP/GaYZtKEs8O82zmD++Y8IsFqSuRl1eYgfFuq
wfCudAsmm3UUFjFMCGIjjo6IiMrB8017nXPdOP3EVnE6EhoeHBary7kLPrR2Dz06
t4NnohkNz/slrv/S1CGMjzMXxvAqlKOmUD7cEVVjmh9Kl2S+8Lhh/RFiMJnVSDpi
2c3Rps4ulm3Szyi6q6reLmPDJv2gUwSVhvEkMIiL071ayDzbCmh7A4XtGNCvjAee
C4ZaEQ5BiY62jmJE6knVTOCHSAhli72tiAdf7d4SDHiXchnai6alAlvR07JaNXFi
lnc5mnhvg+zhYRnXUJLXVpxJqOH3v3SfLGAMvpoMxUIF/gnSu3zVJw+A6YBn+M30
e2+87U8T6mMck6vjZfzZTr1eteFvpsRbcaFRONAMyEXALj68ByKydu7lIFTsMXo9
LVBCiNirYpEq8Ae7fzvzSvYi1Q2r45sRlF9xu+G5QaMpMlb47mGSLp4XLFLoqudg
drMlDlVToRV6qdF5KSlRmJ0go4/A2f09qvmFbn/Q8Sz0o/yVw0zZar83chIwO1rJ
HnE/gYFPO/+sGfULM1yhW7X3bIe/dhGg8pV7455jcUQVTE02BQPpm3cevuKlCkeD
UFY2ZyE31gdvsEDxgbXgnnkeho+NYBc4qI3cdCdpVG0TV7AX1z4=
=a8/U
-----END PGP SIGNATURE-----
--- End Message ---
