From 75a84c25d61fefc36d70938a696aa1abb7c98b9a Mon Sep 17 00:00:00 2001
From: Jindrich Novy
Date: Fri, 5 Jan 2024 14:45:52 +0100
Subject: [PATCH] yajl-2.1.0-23.el9

- fix CVE-2022-24795
- Related: Jira:RHEL-2112

Signed-off-by: Jindrich Novy
---
 yajl-2.1.0-CVE-2022-24795.patch | 38 +++++++++++++++++++++++++++++++++
 yajl.spec | 8 ++++++-
 2 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 yajl-2.1.0-CVE-2022-24795.patch

diff --git a/yajl-2.1.0-CVE-2022-24795.patch b/yajl-2.1.0-CVE-2022-24795.patch
new file mode 100644
index 0000000..d27a339
--- /dev/null
+++ b/yajl-2.1.0-CVE-2022-24795.patch
@@ -0,0 +1,38 @@
+From d3a528c788ba9e531fab91db41d3a833c54da325 Mon Sep 17 00:00:00 2001
+From: Jacek Tomasiak
+Date: Thu, 12 May 2022 13:02:47 +0200
+Subject: [PATCH] Fix CVE-2022-24795 (from brianmario/yajl-ruby)
+
+The buffer reallocation could cause heap corruption because of `need`
+overflow for large inputs. In addition, there's a possible infinite loop
+in case `need` reaches zero.
+
+The fix is to `abort()` if the loop ends with lower value of `need` than
+when it started.
+---
+ src/yajl_buf.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+Index: yajl-2.1.0/src/yajl_buf.c
+===================================================================
+diff -up yajl-2.1.0/src/yajl_buf.c.CVE-2022-24795 yajl-2.1.0/src/yajl_buf.c
+--- yajl-2.1.0/src/yajl_buf.c.CVE-2022-24795 2024-01-05 14:37:48.291676702 +0100
++++ yajl-2.1.0/src/yajl_buf.c 2024-01-05 14:38:48.088674110 +0100
+@@ -45,7 +45,16 @@ int yajl_buf_ensure_available(yajl_buf b
+
+ need = buf->len;
+
+- while (want >= (need - buf->used)) need <<= 1;
++ while (need > 0 && want >= (need - buf->used)) {
++ /* this eventually "overflows" to zero */
++ need <<= 1;
++ }
++
++ /* overflow */
++ if (need < buf->len) {
++ abort();
++ }
++
+ if (need < buf->used) {
+ return -1;
+ }
diff --git a/yajl.spec b/yajl.spec
index 685faf2..19b750d 100644
--- a/yajl.spec
+++ b/yajl.spec
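Review bot: The overflow branch added after the doubling loop, `if (need < buf->len) { abort(); }`, turns a wrapped size computation on oversized input into a process-wide abort of whatever application embeds the library, even though the function already has a soft failure path in the `return -1` two lines below; `if (need < buf->len) { return -1; }` keeps the same protection against the wrapped reallocation while letting the caller handle it like any other allocation failure. The `/* overflow */` comment would read better as `/* need wrapped while doubling: the request cannot be satisfied */`, provided `need` is an unsigned type as the "overflows to zero" comment implies (its declaration is outside the hunk). `abort()` also depends on `<stdlib.h>` being included, which the hunk does not show. The body of yajl_buf_ensure_available starts and ends outside the hunk.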
@@ -3,7 +3,7 @@ Name: yajl Version: 2.1.0 -Release: 22%{?dist} +Release: 23%{?dist} Summary: Yet Another JSON Library (YAJL) License: ISC @@ -26,6 +26,7 @@ Patch4: %{name}-%{version}-dynlink-binaries.patch Patch5: https://github.com/containers/yajl/commit/49923ccb2143e36850bcdeb781e2bcdf5ce22f15.patch Patch6: https://github.com/openEuler-BaseService/yajl/commit/3d65cb0c6db4d433e5e42ee7d91d8a04e21337cf.patch Patch7: https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698.patch +Patch8: yajl-2.1.0-CVE-2022-24795.patch BuildRequires: gcc BuildRequires: cmake @@ -56,6 +57,7 @@ necessary for developing against the YAJL library %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 %build # NB, we are not using upstream's 'configure'/'make' @@ -100,6 +102,10 @@ cd test %changelog +* Fri Jan 05 2024 Jindrich Novy - 2.1.0-23 +- fix CVE-2022-24795 +- Related: Jira:RHEL-2112 + * Wed Jul 12 2023 Jindrich Novy - 2.1.0-22 - fix CVE-2023-33460 - Resolves: #2221253