Package: release.debian.org Severity: normal Tags: bookworm User: [email protected] Usertags: pu X-Debbugs-Cc: [email protected] Control: affects -1 + src:yajl
This upload fixes CVE-2023-33460, a memory leak issue that can cause a crash/DoS. [ Reason ] This upload is part of fixing yajl for every release. So far sid, buster (DLA-3478), stretch and jessie (ELA-888-1) has been targeted. [ Tests ] Package has a test suite which passes. Additionally it has been manually verified using asan that the memory leak is indeed fixed. [ Risks ] Required changes are minimal, see debdiff. [ Checklist ] [x *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable (I've already upload the package to s-p-u) -- tobi
diff -Nru yajl-2.1.0/debian/changelog yajl-2.1.0/debian/changelog --- yajl-2.1.0/debian/changelog 2018-10-03 00:51:58.000000000 +0200 +++ yajl-2.1.0/debian/changelog 2023-07-01 14:55:44.000000000 +0200 @@ -1,3 +1,11 @@ +yajl (2.1.0-3+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * Import upstream patch for CVE-2023-33460. (Closes: #1039984) + * Fix d/control Homepage field (Closes: #1040034) + + -- Tobias Frost <[email protected]> Sat, 01 Jul 2023 14:55:44 +0200 + yajl (2.1.0-3) unstable; urgency=medium [ Jelmer Vernooij ] diff -Nru yajl-2.1.0/debian/control yajl-2.1.0/debian/control --- yajl-2.1.0/debian/control 2018-10-02 23:59:41.000000000 +0200 +++ yajl-2.1.0/debian/control 2023-07-01 14:45:57.000000000 +0200 @@ -5,7 +5,7 @@ Build-Depends: debhelper (>= 11), cmake, doxygen Standards-Version: 4.2.1 Rules-Requires-Root: no -Homepage: http://lloyd.github.com/yajl/ +Homepage: https://lloyd.github.io/yajl/ Vcs-Browser: https://github.com/jstamp/yajl Vcs-Git: https://github.com/jstamp/yajl.git diff -Nru yajl-2.1.0/debian/patches/CVE-2023-33460.patch yajl-2.1.0/debian/patches/CVE-2023-33460.patch --- yajl-2.1.0/debian/patches/CVE-2023-33460.patch 1970-01-01 01:00:00.000000000 +0100 +++ yajl-2.1.0/debian/patches/CVE-2023-33460.patch 2023-07-01 14:51:32.000000000 +0200 @@ -0,0 +1,21 @@ +Description: Fix for CVE-2023-33460a + Memory leak in yajl 2.1.0 with use of yajl_tree_parse function +Origin: https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039984 +Bug: https://github.com/lloyd/yajl/issues/250 +--- + src/yajl_tree.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/src/yajl_tree.c ++++ b/src/yajl_tree.c +@@ -445,6 +445,9 @@ + YA_FREE(&(handle->alloc), internal_err_str); + } + yajl_free (handle); ++ //If the requested memory is not released in time, it will cause memory leakage ++ if(ctx.root) ++ yajl_tree_free(ctx.root); + return NULL; + } + diff -Nru yajl-2.1.0/debian/patches/series yajl-2.1.0/debian/patches/series --- yajl-2.1.0/debian/patches/series 2015-09-25 14:44:02.000000000 +0200 +++ yajl-2.1.0/debian/patches/series 2023-07-01 14:37:45.000000000 +0200 @@ -1,2 +1,3 @@ dynamically-link-tools.patch multiarch.patch +CVE-2023-33460.patch
