rpms/yajl
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8s
Branches Tags
rpms:c8s
rpms:c10s
rpms:c9s
rpms:c8
rpms:c9
rpms:c8-beta
rpms:c9-beta
rpms:imports/c10s/yajl-2.1.0-24.el10
rpms:imports/c8/yajl-2.1.0-12.el8
rpms:imports/c9/yajl-2.1.0-22.el9
rpms:imports/c8-beta/yajl-2.1.0-12.el8
rpms:imports/c9-beta/yajl-2.1.0-22.el9
rpms:imports/c8/yajl-2.1.0-11.el8
rpms:imports/c9-beta/yajl-2.1.0-21.el9
rpms:imports/c8-beta/yajl-2.1.0-11.el8
rpms:imports/c9/yajl-2.1.0-21.el9
rpms:imports/c9/yajl-2.1.0-21.el9_0
rpms:imports/c9/yajl-2.1.0-20.el9
rpms:imports/c8s/yajl-2.1.0-11.el8
rpms:imports/c9-beta/yajl-2.1.0-20.el9
rpms:imports/c9-beta/yajl-2.1.0-18.el9
rpms:imports/c8-beta/yajl-2.1.0-10.el8
rpms:imports/c8/yajl-2.1.0-10.el8
rpms:imports/c8s/yajl-2.1.0-10.el8
...
pull from: rpms:c10s
Branches Tags
rpms:c10s
rpms:c9s
rpms:c8s
rpms:c8
rpms:c9
rpms:c8-beta
rpms:c9-beta
rpms:imports/c10s/yajl-2.1.0-24.el10
rpms:imports/c8/yajl-2.1.0-12.el8
rpms:imports/c9/yajl-2.1.0-22.el9
rpms:imports/c8-beta/yajl-2.1.0-12.el8
rpms:imports/c9-beta/yajl-2.1.0-22.el9
rpms:imports/c8/yajl-2.1.0-11.el8
rpms:imports/c9-beta/yajl-2.1.0-21.el9
rpms:imports/c8-beta/yajl-2.1.0-11.el8
rpms:imports/c9/yajl-2.1.0-21.el9
rpms:imports/c9/yajl-2.1.0-21.el9_0
rpms:imports/c9/yajl-2.1.0-20.el9
rpms:imports/c8s/yajl-2.1.0-11.el8
rpms:imports/c9-beta/yajl-2.1.0-20.el9
rpms:imports/c9-beta/yajl-2.1.0-18.el9
rpms:imports/c8-beta/yajl-2.1.0-10.el8
rpms:imports/c8/yajl-2.1.0-10.el8
rpms:imports/c8s/yajl-2.1.0-10.el8

No commits in common. "c8s" and "c10s" have entirely different histories.
c8s ... c10s

17 changed files with 300 additions and 219 deletions
Show Stats Expand all files Collapse all files

23
yajl-2.1.0-pkgconfig-location.patch → 0001-pkg-config-file-should-be-in-lib-dir-not-shared-data.patch
View File

@ -1,6 +1,20 @@
diff -rup yajl-2.1.0.orig/src/CMakeLists.txt yajl-2.1.0.new/src/CMakeLists.txt
--- yajl-2.1.0.orig/src/CMakeLists.txt 2014-03-19 04:58:29.000000000 +0000
+++ yajl-2.1.0.new/src/CMakeLists.txt 2014-04-28 11:19:28.431492533 +0100
From a319e9c853d787a9033e14436a5a80381e954a26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 10 Jul 2023 13:42:30 +0100
Subject: [PATCH 1/8] pkg-config file should be in lib dir, not shared data dir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
src/CMakeLists.txt | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 99cf9e9..789ddf9 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -30,7 +30,7 @@ ADD_DEFINITIONS(-DYAJL_BUILD)
# set up some paths
SET (libDir ${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/lib)
@ -25,3 +39,6 @@ diff -rup yajl-2.1.0.orig/src/CMakeLists.txt yajl-2.1.0.new/src/CMakeLists.txt
INSTALL(FILES ${incDir}/yajl_version.h DESTINATION include/yajl)
-INSTALL(FILES ${shareDir}/yajl.pc DESTINATION share/pkgconfig)
+INSTALL(FILES ${pkgconfigDir}/yajl.pc DESTINATION lib${LIB_SUFFIX}/pkgconfig)
--
2.41.0

30
0002-pkg-config-include-dir-should-not-have-the-yajl-suff.patch Normal file
View File

@ -0,0 +1,30 @@
From 0eaa8db35c9e580f27ba0c90d11b173cb1d96687 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 10 Jul 2023 13:43:25 +0100
Subject: [PATCH 2/8] pkg-config include dir should not have the 'yajl' suffix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Apps use '#include <yajl/yajl.h>' for includes historically.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
src/yajl.pc.cmake | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/yajl.pc.cmake b/src/yajl.pc.cmake
index 6eaca14..485ded9 100644
--- a/src/yajl.pc.cmake
+++ b/src/yajl.pc.cmake
@@ -1,6 +1,6 @@
prefix=${CMAKE_INSTALL_PREFIX}
libdir=${dollar}{prefix}/lib${LIB_SUFFIX}
-includedir=${dollar}{prefix}/include/yajl
+includedir=${dollar}{prefix}/include
Name: Yet Another JSON Library
Description: A Portable JSON parsing and serialization library in ANSI C
--
2.41.0

31
yajl-2.1.0-test-location.patch → 0003-fix-patch-to-test-files-to-take-account-of-vpath.patch
View File

@ -1,6 +1,21 @@
diff -rup yajl-2.1.0.orig/test/api/run_tests.sh yajl-2.1.0.new/test/api/run_tests.sh
--- yajl-2.1.0.orig/test/api/run_tests.sh 2014-03-19 04:58:29.000000000 +0000
+++ yajl-2.1.0.new/test/api/run_tests.sh 2014-04-28 11:27:26.006405320 +0100
From 39b9c104275a5eac498f5d2a92b462d10381a9eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 10 Jul 2023 13:44:26 +0100
Subject: [PATCH 3/8] fix patch to test files to take account of vpath
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
test/api/run_tests.sh | 2 +-
test/parsing/run_tests.sh | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/test/api/run_tests.sh b/test/api/run_tests.sh
index 6655152..88e43fb 100755
--- a/test/api/run_tests.sh
+++ b/test/api/run_tests.sh
@@ -5,7 +5,7 @@ echo Running api tests:
tests=0
passed=0
@ -10,9 +25,10 @@ diff -rup yajl-2.1.0.orig/test/api/run_tests.sh yajl-2.1.0.new/test/api/run_test
[ ! -x $file -o -d $file ] && continue
tests=`expr 1 + $tests`
printf " test(%s): " $file
diff -rup yajl-2.1.0.orig/test/parsing/run_tests.sh yajl-2.1.0.new/test/parsing/run_tests.sh
--- yajl-2.1.0.orig/test/parsing/run_tests.sh 2014-03-19 04:58:29.000000000 +0000
+++ yajl-2.1.0.new/test/parsing/run_tests.sh 2014-04-28 11:25:51.239025722 +0100
diff --git a/test/parsing/run_tests.sh b/test/parsing/run_tests.sh
index b37e4dd..ceb2e7a 100755
--- a/test/parsing/run_tests.sh
+++ b/test/parsing/run_tests.sh
@@ -16,11 +16,11 @@ fi
# find test binary on both platforms. allow the caller to force a
# particular test binary (useful for non-cmake build systems).
@ -28,3 +44,6 @@ diff -rup yajl-2.1.0.orig/test/parsing/run_tests.sh yajl-2.1.0.new/test/parsing/
if [ ! -x $testBin ] ; then
${ECHO} "cannot execute test binary: '$testBin'"
exit 1;
--
2.41.0

43
0004-drop-bogus-_s-suffix-from-yajl-dynamic-library.patch Normal file
View File

@ -0,0 +1,43 @@
From c98c00d6957601b95f3982f3d9460868469a299e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 10 Jul 2023 13:45:36 +0100
Subject: [PATCH 4/8] drop bogus '_s' suffix from yajl dynamic library
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
reformatter/CMakeLists.txt | 2 +-
verify/CMakeLists.txt | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/reformatter/CMakeLists.txt b/reformatter/CMakeLists.txt
index 52a9bee..4b7b3fa 100644
--- a/reformatter/CMakeLists.txt
+++ b/reformatter/CMakeLists.txt
@@ -26,7 +26,7 @@ LINK_DIRECTORIES(${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/lib)
ADD_EXECUTABLE(json_reformat ${SRCS})
-TARGET_LINK_LIBRARIES(json_reformat yajl_s)
+TARGET_LINK_LIBRARIES(json_reformat yajl)
# In some environments, we must explicitly link libm (like qnx,
# thanks @shahbag)
diff --git a/verify/CMakeLists.txt b/verify/CMakeLists.txt
index 967fca1..2bceb26 100644
--- a/verify/CMakeLists.txt
+++ b/verify/CMakeLists.txt
@@ -26,7 +26,7 @@ LINK_DIRECTORIES(${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/lib)
ADD_EXECUTABLE(json_verify ${SRCS})
-TARGET_LINK_LIBRARIES(json_verify yajl_s)
+TARGET_LINK_LIBRARIES(json_verify yajl)
# copy in the binary
GET_TARGET_PROPERTY(binPath json_verify LOCATION)
--
2.41.0

43
0005-Fix-for-CVE-2017-16516.patch Normal file
View File

@ -0,0 +1,43 @@
From 0b5e73c4321de0ba1d495fdc0967054b2a77931c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 10 Jul 2023 13:36:10 +0100
Subject: [PATCH 5/8] Fix for CVE-2017-16516
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Description: Fix for CVE-2017-16516
Potential buffer overread: A JSON file can cause denial of service.
Origin: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
Bug: https://github.com/lloyd/yajl/issues/248
Patch taken from Debian package source
NB, Fedora code can't trigger the reported aborts since it passes the
-DNDEBUG flag, but pulling the fix for robustness in case a future
change enables the assert()s.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
src/yajl_encode.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/yajl_encode.c b/src/yajl_encode.c
index fd08258..0d97cc5 100644
--- a/src/yajl_encode.c
+++ b/src/yajl_encode.c
@@ -139,8 +139,8 @@ void yajl_string_decode(yajl_buf buf, const unsigned char * str,
end+=3;
/* check if this is a surrogate */
if ((codepoint & 0xFC00) == 0xD800) {
- end++;
- if (str[end] == '\\' && str[end + 1] == 'u') {
+ if (end + 2 < len && str[end + 1] == '\\' && str[end + 2] == 'u') {
+ end++;
unsigned int surrogate = 0;
hexToDigit(&surrogate, str + end + 2);
codepoint =
--
2.41.0

60
0006-Fix-CVE-2022-24795.patch Normal file
View File

@ -0,0 +1,60 @@
From 17de4d15687aa30c49660dc4b792b1fb4d38b569 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Thu, 7 Apr 2022 17:29:54 +0200
Subject: [PATCH 6/8] Fix CVE-2022-24795
There was an integer overflow in yajl_buf_ensure_available() leading
to allocating less memory than requested. Then data were written past
the allocated heap buffer in yajl_buf_append(), the only caller of
yajl_buf_ensure_available(). Another result of the overflow was an
infinite loop without a return from yajl_buf_ensure_available().
yajl-ruby project, which bundles yajl, fixed it
<https://github.com/brianmario/yajl-ruby/pull/211> by checking for the
integer overflow, fortifying buffer allocations, and report the
failures to a caller. But then the caller yajl_buf_append() skips
a memory write if yajl_buf_ensure_available() failed leading to a data
corruption.
A yajl fork mainter recommended calling memory allocation callbacks with
the large memory request and let them to handle it. But that has the
problem that it's not possible pass the overely large size to the
callbacks.
This patch catches the integer overflow and terminates the process
with abort().
https://github.com/lloyd/yajl/issues/239
https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
(cherry picked from commit 23cea2d7677e396efed78bbf1bf153961fab6bad
in https://github.com/ppisar/yajl)
---
src/yajl_buf.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/yajl_buf.c b/src/yajl_buf.c
index 1aeafde..55c11ad 100644
--- a/src/yajl_buf.c
+++ b/src/yajl_buf.c
@@ -45,7 +45,17 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want)
need = buf->len;
- while (want >= (need - buf->used)) need <<= 1;
+ if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) {
+ /* We cannot allocate more memory than SIZE_MAX. */
+ abort();
+ }
+ while (want >= (need - buf->used)) {
+ if (need >= (size_t)((size_t)(-1)<<1)>>1) {
+ /* need would overflow. */
+ abort();
+ }
+ need <<= 1;
+ }
if (need != buf->len) {
buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
--
2.41.0

13
3d65cb0c6db4d433e5e42ee7d91d8a04e21337cf.patch → 0007-yajl-fix-memory-leak-problem.patch
View File

@ -1,15 +1,19 @@
From 3d65cb0c6db4d433e5e42ee7d91d8a04e21337cf Mon Sep 17 00:00:00 2001
From c4304a2c04a1b392eb1464a9da892a9e0dff7683 Mon Sep 17 00:00:00 2001
From: wujing <wujing50@huawei.com>
Date: Thu, 14 Feb 2019 03:12:30 +0800
Subject: [PATCH] yajl: fix memory leak problem
Subject: [PATCH 7/8] yajl: fix memory leak problem
reason: fix memory leak problem
(cherry picked from commit 3d65cb0c6db4d433e5e42ee7d91d8a04e21337cf
in https://github.com/openEuler-BaseService)
Fixes: https://github.com/lloyd/yajl/issues/250 (CVE-2023-33460)
---
src/yajl_tree.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/yajl_tree.c b/src/yajl_tree.c
index 3d357a32..4b3cf2b1 100644
index 3d357a3..4b3cf2b 100644
--- a/src/yajl_tree.c
+++ b/src/yajl_tree.c
@@ -143,7 +143,7 @@ static yajl_val context_pop(context_t *ctx)
@ -32,3 +36,6 @@ index 3d357a32..4b3cf2b1 100644
yajl_free (handle);
return NULL;
}
--
2.41.0

15
23a122eddaa28165a6c219000adcc31ff9a8a698.patch → 0008-fix-memory-leaks.patch
View File

@ -1,17 +1,21 @@
From 23a122eddaa28165a6c219000adcc31ff9a8a698 Mon Sep 17 00:00:00 2001
From 9cb871049261eeda844b8943d15580763a0ac3d3 Mon Sep 17 00:00:00 2001
From: "zhang.jiujiu" <282627424@qq.com>
Date: Tue, 7 Dec 2021 22:37:02 +0800
Subject: [PATCH] fix memory leaks
Subject: [PATCH 8/8] fix memory leaks
(cherry picked from commit 23a122eddaa28165a6c219000adcc31ff9a8a698
in https://github.com/openEuler-BaseService)
Fixes: https://github.com/lloyd/yajl/issues/250 (CVE-2023-33460)
---
src/yajl_tree.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/yajl_tree.c b/src/yajl_tree.c
index b9e66043..0e7bde98 100644
index 4b3cf2b..56c7012 100644
--- a/src/yajl_tree.c
+++ b/src/yajl_tree.c
@@ -456,6 +456,9 @@ yajl_val yajl_tree_parse (const char *input,
@@ -449,6 +449,9 @@ yajl_val yajl_tree_parse (const char *input,
yajl_tree_free(v);
}
yajl_free (handle);
@ -21,3 +25,6 @@ index b9e66043..0e7bde98 100644
return NULL;
}
--
2.41.0

54
49923ccb2143e36850bcdeb781e2bcdf5ce22f15.patch
View File

@ -1,54 +0,0 @@
From 49923ccb2143e36850bcdeb781e2bcdf5ce22f15 Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Wed, 2 Mar 2022 14:17:59 -0800
Subject: [PATCH] Check need < buf->used
We're guaranteed a power of 2 so that this becomes 0, but we might as
well use a check for overflow that works in more cases.
Unsigned integer overflow is defined behaviour, so this should be safe.
(cherry picked from commit 36410d536b676e836637bb20574a56ebc920eb83)
---
src/yajl_buf.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/yajl_buf.c b/src/yajl_buf.c
index 1aeafde0..8bd1bea7 100644
--- a/src/yajl_buf.c
+++ b/src/yajl_buf.c
@@ -30,7 +30,7 @@ struct yajl_buf_t {
};
static
-void yajl_buf_ensure_available(yajl_buf buf, size_t want)
+int yajl_buf_ensure_available(yajl_buf buf, size_t want)
{
size_t need;
@@ -46,11 +46,15 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want)
need = buf->len;
while (want >= (need - buf->used)) need <<= 1;
+ if (need < buf->used) {
+ return -1;
+ }
if (need != buf->len) {
buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
buf->len = need;
}
+ return 0;
}
yajl_buf yajl_buf_alloc(yajl_alloc_funcs * alloc)
@@ -70,7 +74,8 @@ void yajl_buf_free(yajl_buf buf)
void yajl_buf_append(yajl_buf buf, const void * data, size_t len)
{
- yajl_buf_ensure_available(buf, len);
+ if (yajl_buf_ensure_available(buf, len))
+ return;
if (len > 0) {
assert(data != NULL);
memcpy(buf->data + buf->used, data, len);

2
gating.yaml
View File

@ -1,6 +1,6 @@
# recipients: jnovy, lsm5, santiago
--- !Policy
product_versions:
- rhel-8
- rhel-10
decision_context: osci_compose_gate
rules: []

13
lloyd-yajl-2.0.4-pkgconfig-includedir.patch
View File

@ -1,13 +0,0 @@
Only in lloyd-yajl-fee1ebe.new/src: CMakeLists.txt~
diff -rup lloyd-yajl-fee1ebe.orig/src/yajl.pc.cmake lloyd-yajl-fee1ebe.new/src/yajl.pc.cmake
--- lloyd-yajl-fee1ebe.orig/src/yajl.pc.cmake 2011-12-20 00:23:22.000000000 +0000
+++ lloyd-yajl-fee1ebe.new/src/yajl.pc.cmake 2012-08-06 14:05:49.639854538 +0100
@@ -1,6 +1,6 @@
prefix=${CMAKE_INSTALL_PREFIX}
libdir=${dollar}{prefix}/lib${LIB_SUFFIX}
-includedir=${dollar}{prefix}/include/yajl
+includedir=${dollar}{prefix}/include
Name: Yet Another JSON Library
Description: A Portable JSON parsing and serialization library in ANSI C
Only in lloyd-yajl-fee1ebe.new/src: yajl.pc.cmake~

29
lloyd-yajl-2.0.4-pkgconfig-location.patch
View File

@ -1,29 +0,0 @@
diff -rup lloyd-yajl-fee1ebe.orig/src/CMakeLists.txt lloyd-yajl-fee1ebe.new/src/CMakeLists.txt
--- lloyd-yajl-fee1ebe.orig/src/CMakeLists.txt 2011-12-20 00:23:22.000000000 +0000
+++ lloyd-yajl-fee1ebe.new/src/CMakeLists.txt 2012-08-06 13:59:02.222065755 +0100
@@ -30,7 +30,7 @@ ADD_DEFINITIONS(-DYAJL_BUILD)
# set up some paths
SET (libDir ${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/lib)
SET (incDir ${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/include/yajl)
-SET (shareDir ${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/share/pkgconfig)
+SET (pkgconfigDir ${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/lib/pkgconfig)
# set the output path for libraries
SET(LIBRARY_OUTPUT_PATH ${libDir})
@@ -61,7 +61,7 @@ FILE(MAKE_DIRECTORY ${incDir})
# generate build-time source
SET(dollar $)
CONFIGURE_FILE(api/yajl_version.h.cmake ${incDir}/yajl_version.h)
-CONFIGURE_FILE(yajl.pc.cmake ${shareDir}/yajl.pc)
+CONFIGURE_FILE(yajl.pc.cmake ${pkgconfigDir}/yajl.pc)
# copy public headers to output directory
FOREACH (header ${PUB_HDRS})
@@ -82,5 +82,5 @@ IF(NOT WIN32)
INSTALL(TARGETS yajl_s ARCHIVE DESTINATION lib${LIB_SUFFIX})
INSTALL(FILES ${PUB_HDRS} DESTINATION include/yajl)
INSTALL(FILES ${incDir}/yajl_version.h DESTINATION include/yajl)
- INSTALL(FILES ${shareDir}/yajl.pc DESTINATION share/pkgconfig)
+ INSTALL(FILES ${pkgconfigDir}/yajl.pc DESTINATION lib${LIB_SUFFIX}/pkgconfig)
ENDIF()
Only in lloyd-yajl-fee1ebe.new/src: CMakeLists.txt~

2
sources
View File

@ -1 +1 @@
SHA512 (yajl-2.1.0.tar.gz) = 9e786d080803df80ec03a9c2f447501e6e8e433a6baf636824bc1d50ecf4f5f80d7dfb1d47958aeb0a30fe459bd0ef033d41bc6a79e1dc6e6b5eade930b19b02
6887e0ed7479d2549761a4d284d3ecb0 yajl-2.1.0.tar.gz

38
yajl-2.1.0-CVE-2022-24795.patch
View File

@ -1,38 +0,0 @@
From d3a528c788ba9e531fab91db41d3a833c54da325 Mon Sep 17 00:00:00 2001
From: Jacek Tomasiak <jacek.tomasiak@gmail.com>
Date: Thu, 12 May 2022 13:02:47 +0200
Subject: [PATCH] Fix CVE-2022-24795 (from brianmario/yajl-ruby)
The buffer reallocation could cause heap corruption because of `need`
overflow for large inputs. In addition, there's a possible infinite loop
in case `need` reaches zero.
The fix is to `abort()` if the loop ends with lower value of `need` than
when it started.
---
src/yajl_buf.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
Index: yajl-2.1.0/src/yajl_buf.c
===================================================================
diff -up yajl-2.1.0/src/yajl_buf.c.CVE-2022-24795 yajl-2.1.0/src/yajl_buf.c
--- yajl-2.1.0/src/yajl_buf.c.CVE-2022-24795 2024-01-05 14:37:48.291676702 +0100
+++ yajl-2.1.0/src/yajl_buf.c 2024-01-05 14:38:48.088674110 +0100
@@ -45,7 +45,16 @@ int yajl_buf_ensure_available(yajl_buf b
need = buf->len;
- while (want >= (need - buf->used)) need <<= 1;
+ while (need > 0 && want >= (need - buf->used)) {
+ /* this eventually "overflows" to zero */
+ need <<= 1;
+ }
+
+ /* overflow */
+ if (need < buf->len) {
+ abort();
+ }
+
if (need < buf->used) {
return -1;
}

28
yajl-2.1.0-dynlink-binaries.patch
View File

@ -1,28 +0,0 @@
diff -rup yajl-2.1.0.orig/reformatter/CMakeLists.txt yajl-2.1.0.new/reformatter/CMakeLists.txt
--- yajl-2.1.0.orig/reformatter/CMakeLists.txt 2014-03-19 04:58:29.000000000 +0000
+++ yajl-2.1.0.new/reformatter/CMakeLists.txt 2014-04-28 11:36:11.909478329 +0100
@@ -26,7 +26,7 @@ LINK_DIRECTORIES(${CMAKE_CURRENT_BINARY_
ADD_EXECUTABLE(json_reformat ${SRCS})
-TARGET_LINK_LIBRARIES(json_reformat yajl_s)
+TARGET_LINK_LIBRARIES(json_reformat yajl)
# In some environments, we must explicitly link libm (like qnx,
# thanks @shahbag)
Only in yajl-2.1.0.new/reformatter: CMakeLists.txt.orig
Only in yajl-2.1.0.new/src: CMakeLists.txt~
Only in yajl-2.1.0.new/test/api: run_tests.sh~
Only in yajl-2.1.0.new/test/parsing: run_tests.sh~
diff -rup yajl-2.1.0.orig/verify/CMakeLists.txt yajl-2.1.0.new/verify/CMakeLists.txt
--- yajl-2.1.0.orig/verify/CMakeLists.txt 2014-03-19 04:58:29.000000000 +0000
+++ yajl-2.1.0.new/verify/CMakeLists.txt 2014-04-28 11:36:11.909478329 +0100
@@ -26,7 +26,7 @@ LINK_DIRECTORIES(${CMAKE_CURRENT_BINARY_
ADD_EXECUTABLE(json_verify ${SRCS})
-TARGET_LINK_LIBRARIES(json_verify yajl_s)
+TARGET_LINK_LIBRARIES(json_verify yajl)
# copy in the binary
GET_TARGET_PROPERTY(binPath json_verify LOCATION)

11
yajl-2.1.0-pkgconfig-includedir.patch
View File

@ -1,11 +0,0 @@
diff -rup yajl-2.1.0.orig/src/yajl.pc.cmake yajl-2.1.0.new/src/yajl.pc.cmake
--- yajl-2.1.0.orig/src/yajl.pc.cmake 2014-03-19 04:58:29.000000000 +0000
+++ yajl-2.1.0.new/src/yajl.pc.cmake 2014-04-28 11:12:23.505791003 +0100
@@ -1,6 +1,6 @@
prefix=${CMAKE_INSTALL_PREFIX}
libdir=${dollar}{prefix}/lib${LIB_SUFFIX}
-includedir=${dollar}{prefix}/include/yajl
+includedir=${dollar}{prefix}/include
Name: Yet Another JSON Library
Description: A Portable JSON parsing and serialization library in ANSI C

84
yajl.spec
View File

@ -3,7 +3,7 @@
Name: yajl
Version: 2.1.0
Release: 13%{?dist}
Release: 24%{?dist}
Summary: Yet Another JSON Library (YAJL)
License: ISC
@ -19,17 +19,20 @@ URL: http://lloyd.github.com/yajl/
# https://github.com/lloyd/yajl/releases/tag/2.1.0
#
Source0: %{name}-%{version}.tar.gz
Patch1: %{name}-%{version}-pkgconfig-location.patch
Patch2: %{name}-%{version}-pkgconfig-includedir.patch
Patch3: %{name}-%{version}-test-location.patch
Patch4: %{name}-%{version}-dynlink-binaries.patch
Patch5: https://github.com/containers/yajl/commit/49923ccb2143e36850bcdeb781e2bcdf5ce22f15.patch
Patch6: https://github.com/openEuler-BaseService/yajl/commit/3d65cb0c6db4d433e5e42ee7d91d8a04e21337cf.patch
Patch7: https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698.patch
Patch8: yajl-2.1.0-CVE-2022-24795.patch
BuildRequires: gcc
# Patches managed at https://github.com/berrange/yajl/tree/fedora-dist-git
Patch: 0001-pkg-config-file-should-be-in-lib-dir-not-shared-data.patch
Patch: 0002-pkg-config-include-dir-should-not-have-the-yajl-suff.patch
Patch: 0003-fix-patch-to-test-files-to-take-account-of-vpath.patch
Patch: 0004-drop-bogus-_s-suffix-from-yajl-dynamic-library.patch
Patch: 0005-Fix-for-CVE-2017-16516.patch
Patch: 0006-Fix-CVE-2022-24795.patch
Patch: 0007-yajl-fix-memory-leak-problem.patch
Patch: 0008-fix-memory-leaks.patch
BuildRequires: gcc
BuildRequires: cmake
BuildRequires: git
%package devel
Summary: Libraries, includes, etc to develop with YAJL
@ -49,15 +52,7 @@ This sub-package provides the libraries and includes
necessary for developing against the YAJL library
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%autosetup -S git_am
%build
# NB, we are not using upstream's 'configure'/'make'
@ -102,17 +97,50 @@ cd test
%changelog
* Fri Jan 05 2024 Jindrich Novy <jnovy@redhat.com> - 2.1.0-13
- fix CVE-2022-24795
- Related: RHEL-18753
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.1.0-24
- Bump release for June 2024 mass rebuild
* Wed Jul 12 2023 Jindrich Novy <jnovy@redhat.com> - 2.1.0-12
- fix CVE-2023-33460
- Resolves: #2221252
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-23
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Wed Apr 27 2022 Jindrich Novy <jnovy@redhat.com> - 2.1.0-11
- fix CVE-2022-24795
- Related: #2061390
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-22
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Mon Jul 10 2023 Daniel P. Berrangé <berrange@redhat.com> - 2.1.0-21
- Switch to using git for managing patches
- Fix potential buffer overread (CVE-2017-16516)
- Fix integer overflow leading to heap corruption (CVE-2022-24795)
- Fix multiple memory leaks (CVE-2023-33460)
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-20
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-19
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-18
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Thu Jan 28 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild