15 changed files with 200 additions and 5 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,5 @@
-SOURCES/yajl-2.1.0.tar.gz
+.build*.log
+*.rpm
+i386
+x86_64
+*.tar.gz
--- a/.yajl.metadata
+++ b/.yajl.metadata
@ -1 +1 @@
-29ce2b9695ae93e1b0b349a22cea8067f25a9025 SOURCES/yajl-2.1.0.tar.gz
+29ce2b9695ae93e1b0b349a22cea8067f25a9025 yajl-2.1.0.tar.gz
--- a/23a122eddaa28165a6c219000adcc31ff9a8a698.patch
+++ b/23a122eddaa28165a6c219000adcc31ff9a8a698.patch
@ -0,0 +1,23 @@
+From 23a122eddaa28165a6c219000adcc31ff9a8a698 Mon Sep 17 00:00:00 2001
+From: "zhang.jiujiu" <282627424@qq.com>
+Date: Tue, 7 Dec 2021 22:37:02 +0800
+Subject: [PATCH] fix memory leaks
+
+---
+ src/yajl_tree.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/yajl_tree.c b/src/yajl_tree.c
+index b9e66043..0e7bde98 100644
+--- a/src/yajl_tree.c
+++ b/src/yajl_tree.c
+@@ -456,6 +456,9 @@ yajl_val yajl_tree_parse (const char *input,
+              yajl_tree_free(v);
+         }
+         yajl_free (handle);
+	//If the requested memory is not released in time, it will cause memory leakage
+	if(ctx.root)
+	     yajl_tree_free(ctx.root);
+         return NULL;
+     }
+ 
--- a/3d65cb0c6db4d433e5e42ee7d91d8a04e21337cf.patch
+++ b/3d65cb0c6db4d433e5e42ee7d91d8a04e21337cf.patch
@ -0,0 +1,34 @@
+From 3d65cb0c6db4d433e5e42ee7d91d8a04e21337cf Mon Sep 17 00:00:00 2001
+From: wujing <wujing50@huawei.com>
+Date: Thu, 14 Feb 2019 03:12:30 +0800
+Subject: [PATCH] yajl: fix memory leak problem
+
+reason: fix memory leak problem
+---
+ src/yajl_tree.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/yajl_tree.c b/src/yajl_tree.c
+index 3d357a32..4b3cf2b1 100644
+--- a/src/yajl_tree.c
+++ b/src/yajl_tree.c
+@@ -143,7 +143,7 @@ static yajl_val context_pop(context_t *ctx)
+     ctx->stack = stack->next;
+ 
+     v = stack->value;
+-
+    free (stack->key);
+     free (stack);
+ 
+     return (v);
+@@ -444,6 +444,10 @@ yajl_val yajl_tree_parse (const char *input,
+              snprintf(error_buffer, error_buffer_size, "%s", internal_err_str);
+              YA_FREE(&(handle->alloc), internal_err_str);
+         }
+        while(ctx.stack != NULL) {
+             yajl_val v = context_pop(&ctx);
+             yajl_tree_free(v);
+        }
+         yajl_free (handle);
+         return NULL;
+     }
--- a/SOURCES/49923ccb2143e36850bcdeb781e2bcdf5ce22f15.patch
+++ b/SOURCES/49923ccb2143e36850bcdeb781e2bcdf5ce22f15.patch
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,6 @@
+# recipients: jnovy, lsm5, santiago
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules: []
--- a/lloyd-yajl-2.0.4-pkgconfig-includedir.patch
+++ b/lloyd-yajl-2.0.4-pkgconfig-includedir.patch
@ -0,0 +1,13 @@
+Only in lloyd-yajl-fee1ebe.new/src: CMakeLists.txt~
+diff -rup lloyd-yajl-fee1ebe.orig/src/yajl.pc.cmake lloyd-yajl-fee1ebe.new/src/yajl.pc.cmake
+--- lloyd-yajl-fee1ebe.orig/src/yajl.pc.cmake	2011-12-20 00:23:22.000000000 +0000
+++ lloyd-yajl-fee1ebe.new/src/yajl.pc.cmake	2012-08-06 14:05:49.639854538 +0100
+@@ -1,6 +1,6 @@
+ prefix=${CMAKE_INSTALL_PREFIX}
+ libdir=${dollar}{prefix}/lib${LIB_SUFFIX}
+-includedir=${dollar}{prefix}/include/yajl
+includedir=${dollar}{prefix}/include
+ 
+ Name: Yet Another JSON Library
+ Description: A Portable JSON parsing and serialization library in ANSI C
+Only in lloyd-yajl-fee1ebe.new/src: yajl.pc.cmake~
--- a/lloyd-yajl-2.0.4-pkgconfig-location.patch
+++ b/lloyd-yajl-2.0.4-pkgconfig-location.patch
@ -0,0 +1,29 @@
+diff -rup lloyd-yajl-fee1ebe.orig/src/CMakeLists.txt lloyd-yajl-fee1ebe.new/src/CMakeLists.txt
+--- lloyd-yajl-fee1ebe.orig/src/CMakeLists.txt	2011-12-20 00:23:22.000000000 +0000
+++ lloyd-yajl-fee1ebe.new/src/CMakeLists.txt	2012-08-06 13:59:02.222065755 +0100
+@@ -30,7 +30,7 @@ ADD_DEFINITIONS(-DYAJL_BUILD)
+ # set up some paths
+ SET (libDir ${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/lib)
+ SET (incDir ${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/include/yajl)
+-SET (shareDir ${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/share/pkgconfig)
+SET (pkgconfigDir ${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/lib/pkgconfig)
+ 
+ # set the output path for libraries
+ SET(LIBRARY_OUTPUT_PATH ${libDir})
+@@ -61,7 +61,7 @@ FILE(MAKE_DIRECTORY ${incDir})
+ # generate build-time source
+ SET(dollar $)
+ CONFIGURE_FILE(api/yajl_version.h.cmake ${incDir}/yajl_version.h)
+-CONFIGURE_FILE(yajl.pc.cmake ${shareDir}/yajl.pc)
+CONFIGURE_FILE(yajl.pc.cmake ${pkgconfigDir}/yajl.pc)
+ 
+ # copy public headers to output directory
+ FOREACH (header ${PUB_HDRS})
+@@ -82,5 +82,5 @@ IF(NOT WIN32)
+   INSTALL(TARGETS yajl_s ARCHIVE DESTINATION lib${LIB_SUFFIX})
+   INSTALL(FILES ${PUB_HDRS} DESTINATION include/yajl)
+   INSTALL(FILES ${incDir}/yajl_version.h DESTINATION include/yajl)
+-  INSTALL(FILES ${shareDir}/yajl.pc DESTINATION share/pkgconfig)
+  INSTALL(FILES ${pkgconfigDir}/yajl.pc DESTINATION lib${LIB_SUFFIX}/pkgconfig)
+ ENDIF()
+Only in lloyd-yajl-fee1ebe.new/src: CMakeLists.txt~
--- a/1
+++ b/1
@ -0,0 +1 @@
+6887e0ed7479d2549761a4d284d3ecb0  yajl-2.1.0.tar.gz
--- a/yajl-2.1.0-CVE-2022-24795.patch
+++ b/yajl-2.1.0-CVE-2022-24795.patch
@ -0,0 +1,38 @@
+From d3a528c788ba9e531fab91db41d3a833c54da325 Mon Sep 17 00:00:00 2001
+From: Jacek Tomasiak <jacek.tomasiak@gmail.com>
+Date: Thu, 12 May 2022 13:02:47 +0200
+Subject: [PATCH] Fix CVE-2022-24795 (from brianmario/yajl-ruby)
+
+The buffer reallocation could cause heap corruption because of `need`
+overflow for large inputs. In addition, there's a possible infinite loop
+in case `need` reaches zero.
+
+The fix is to `abort()` if the loop ends with lower value of `need` than
+when it started.
+---
+ src/yajl_buf.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+Index: yajl-2.1.0/src/yajl_buf.c
+===================================================================
+diff -up yajl-2.1.0/src/yajl_buf.c.CVE-2022-24795 yajl-2.1.0/src/yajl_buf.c
+--- yajl-2.1.0/src/yajl_buf.c.CVE-2022-24795	2024-01-05 14:37:48.291676702 +0100
+++ yajl-2.1.0/src/yajl_buf.c	2024-01-05 14:38:48.088674110 +0100
+@@ -45,7 +45,16 @@ int yajl_buf_ensure_available(yajl_buf b
+ 
+     need = buf->len;
+ 
+-    while (want >= (need - buf->used)) need <<= 1;
+    while (need > 0 && want >= (need - buf->used)) {
+        /* this eventually "overflows" to zero */
+        need <<= 1;
+    }
+
+    /* overflow */
+    if (need < buf->len) {
+        abort();
+    }
+
+     if (need < buf->used) {
+          return -1;
+     }
--- a/SOURCES/yajl-2.1.0-dynlink-binaries.patch
+++ b/SOURCES/yajl-2.1.0-dynlink-binaries.patch
--- a/SOURCES/yajl-2.1.0-pkgconfig-includedir.patch
+++ b/SOURCES/yajl-2.1.0-pkgconfig-includedir.patch
--- a/SOURCES/yajl-2.1.0-pkgconfig-location.patch
+++ b/SOURCES/yajl-2.1.0-pkgconfig-location.patch
--- a/SOURCES/yajl-2.1.0-test-location.patch
+++ b/SOURCES/yajl-2.1.0-test-location.patch
--- a/SPECS/yajl.spec
+++ b/SPECS/yajl.spec
@ -3,7 +3,7 @@

 Name: yajl
 Version: 2.1.0
-Release: 11%{?dist}
+Release: 23%{?dist}
 Summary: Yet Another JSON Library (YAJL)

 License: ISC
@ -24,6 +24,9 @@ Patch2: %{name}-%{version}-pkgconfig-includedir.patch
 Patch3: %{name}-%{version}-test-location.patch
 Patch4: %{name}-%{version}-dynlink-binaries.patch
 Patch5: https://github.com/containers/yajl/commit/49923ccb2143e36850bcdeb781e2bcdf5ce22f15.patch
+Patch6: https://github.com/openEuler-BaseService/yajl/commit/3d65cb0c6db4d433e5e42ee7d91d8a04e21337cf.patch
+Patch7: https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698.patch
+Patch8: yajl-2.1.0-CVE-2022-24795.patch

 BuildRequires:  gcc
 BuildRequires: cmake
@ -52,6 +55,9 @@ necessary for developing against the YAJL library
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1

 %build
 # NB, we are not using upstream's 'configure'/'make'
@ -96,9 +102,50 @@ cd test


 %changelog
-* Wed Apr 27 2022 Jindrich Novy <jnovy@redhat.com> - 2.1.0-11
+* Fri Jan 05 2024 Jindrich Novy <jnovy@redhat.com> - 2.1.0-23
 - fix CVE-2022-24795
- Related: #2061390
+- Related: Jira:RHEL-2112
+
+* Wed Jul 12 2023 Jindrich Novy <jnovy@redhat.com> - 2.1.0-22
+- fix CVE-2023-33460
+- Resolves: #2221253
+
+* Tue Apr 26 2022 Jindrich Novy <jnovy@redhat.com> - 2.1.0-21
+- fix CVE-2022-24795
+- Related: #2061316
+
+* Fri Oct 01 2021 Jindrich Novy <jnovy@redhat.com> - 2.1.0-20
+- perform only sanity/installability tests for now
+- Related: #2000051
+
+* Wed Sep 29 2021 Jindrich Novy <jnovy@redhat.com> - 2.1.0-19
+- add gating.yaml
+- Related: #2000051
+
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.0-18
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.0-17
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Thu Jan 28 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-16
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-10
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
				`@ -0,0 +1 @@`
				`6887e0ed7479d2549761a4d284d3ecb0 yajl-2.1.0.tar.gz`