Bug 32072

Summary: yajl new security issues CVE-2017-16516 and CVE-2023-33460
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: yajl-2.1.0-6.mga9.src.rpm CVE: CVE-2017-16516, CVE-2023-33460
Status comment:
Bug Depends on:    
Bug Blocks: 30450    

Description David Walser 2023-07-05 22:51:49 CEST 
Debian-LTS has issued an advisory on July 2:
https://www.debian.org/lts/security/2023/dla-3478

Mageia 8 is also affected.
David Walser 2023-07-05 22:52:01 CEST

Whiteboard: (none) => MGA8TOO
Blocks: (none) => 30450

Comment 1 Lewis Smith 2023-07-07 20:43:30 CEST 
I could not find the patch in question from the link.

Assigning anyway to Yves who is the most recent committer of this.

Assignee: bugsquad => yves.brungard_mageia

Comment 2 David Walser 2023-07-17 22:04:56 CEST 
Debian-LTS has issued an advisory for this on July 11:
https://www.debian.org/lts/security/2023/dla-3492

We should make sure we have the additional patch for CVE-2017-16516.
Comment 3 Nicolas Salguero 2024-03-14 10:10:03 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results in the whole ruby process terminating and potentially a denial of service. (CVE-2017-16516)

There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function. which will cause out-of-memory in server and cause crash. (CVE-2023-33460)

References:
https://www.debian.org/lts/security/2023/dla-3478
https://www.debian.org/lts/security/2023/dla-3492
========================

Updated packages in core/updates_testing:
========================
lib(64)yajl2-2.1.0-6.1.mga9
lib(64)yajl-devel-2.1.0-6.1.mga9
yajl-2.1.0-6.1.mga9

from SRPM:
yajl-2.1.0-6.1.mga9.src.rpm

Assignee: yvesbrungard => qa-bugs
CC: (none) => nicolas.salguero
Version: Cauldron => 9
CVE: (none) => CVE-2017-16516, CVE-2023-33460
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
Summary: yajl new security issue CVE-2023-33460 => yajl new security issues CVE-2017-16516 and CVE-2023-33460

katnatek 2024-03-14 20:42:57 CET

Keywords: (none) => advisory

Comment 4 Herman Viaene 2024-03-15 10:11:58 CET 
MGA9-64 Plasma Wayland on HP-Pavillion
No installation issues.
No further info in previous bugs or wiki and
# urpmq --whatrequires yajl
libguestfs
yajl
isn't very helpfull either. As this is a library, OK on clean install.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2024-03-15 23:29:46 CET 
urpmq --whatrequires-recursive lib64yajl2 gives a much longer list, but still not too helpful - unless you are very familiar with managing VMs. 

I'm going to call it good enough. Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Mageia Robot 2024-03-15 23:53:06 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0066.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED