From b9e95f336638c63e4f33825384a2829f7c864948 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Mon, 10 Jul 2023 14:16:22 +0100 Subject: [PATCH] Fix potential buffer overread (CVE-2017-16516) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Daniel P. Berrangé --- 0005-Fix-for-CVE-2017-16516.patch | 43 +++++++++++++++++++++++++++++++ yajl.spec | 2 ++ 2 files changed, 45 insertions(+) create mode 100644 0005-Fix-for-CVE-2017-16516.patch diff --git a/0005-Fix-for-CVE-2017-16516.patch b/0005-Fix-for-CVE-2017-16516.patch new file mode 100644 index 0000000..7d48816 --- /dev/null +++ b/0005-Fix-for-CVE-2017-16516.patch 
@@ -0,0 +1,43 @@ +From 0b5e73c4321de0ba1d495fdc0967054b2a77931c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Mon, 10 Jul 2023 13:36:10 +0100 +Subject: [PATCH 5/8] Fix for CVE-2017-16516 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Description: Fix for CVE-2017-16516 + Potential buffer overread: A JSON file can cause denial of service. +Origin: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036 +Bug: https://github.com/lloyd/yajl/issues/248 + +Patch taken from Debian package source + +NB, Fedora code can't trigger the reported aborts since it passes the +-DNDEBUG flag, but pulling the fix for robustness in case a future +change enables the assert()s. + +Signed-off-by: Daniel P. Berrangé +--- + src/yajl_encode.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/yajl_encode.c b/src/yajl_encode.c +index fd08258..0d97cc5 100644 +--- a/src/yajl_encode.c ++++ b/src/yajl_encode.c +@@ -139,8 +139,8 @@ void yajl_string_decode(yajl_buf buf, const unsigned char * str, + end+=3; + /* check if this is a surrogate */ + if ((codepoint & 0xFC00) == 0xD800) { +- end++; +- if (str[end] == '\\' && str[end + 1] == 'u') { ++ if (end + 2 < len && str[end + 1] == '\\' && str[end + 2] == 'u') { ++ end++; + unsigned int surrogate = 0; + hexToDigit(&surrogate, str + end + 2); + codepoint = +-- +2.41.0 + diff --git a/yajl.spec b/yajl.spec index 05f131f..acb531f 100644 --- a/yajl.spec +++ b/yajl.spec @@ -25,6 +25,7 @@ Patch: 0001-pkg-config-file-should-be-in-lib-dir-not-shared-data.patch Patch: 0002-pkg-config-include-dir-should-not-have-the-yajl-suff.patch Patch: 0003-fix-patch-to-test-files-to-take-account-of-vpath.patch Patch: 0004-drop-bogus-_s-suffix-from-yajl-dynamic-library.patch +Patch: 0005-Fix-for-CVE-2017-16516.patch BuildRequires: gcc BuildRequires: cmake 
@@ -95,6 +96,7 @@ cd test %changelog * Mon Jul 10 2023 Daniel P. Berrangé - 2.1.0-21 - Switch to using git for managing patches +- Fix potential buffer overread (CVE-2017-16516) * Sat Jan 21 2023 Fedora Release Engineering - 2.1.0-20 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
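Review bot: the new bound `end + 2 < len` in the src/yajl_encode.c hunk (inside the added 0005-Fix-for-CVE-2017-16516.patch) only guards the `\\` and `u` bytes, while the unchanged line `hexToDigit(&surrogate, str + end + 2);` that follows still reads the low surrogate's hex digits past `str[end + 2]`, so input that ends right after the `\u` can still be read beyond `len`. If hexToDigit consumes four hex characters, as the `\uXXXX` form implies, the check should cover them as well, for example `if (end + 6 < len && str[end + 1] == '\\' && str[end + 2] == 'u') {`. Worth noting in the commit message too: the -DNDEBUG remark only explains why the assert()s do not fire on Fedora; the overread itself does not depend on asserts, which is the reason to carry the fix.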