Bug 32072 - yajl new security issues CVE-2017-16516 and CVE-2023-33460
Summary: yajl new security issues CVE-2017-16516 and CVE-2023-33460
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal, Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 30450
Reported: 2023-07-05 22:51 CEST by David Walser
Modified: 2024-03-15 23:53 CET (History)

See Also:
Source RPM: yajl-2.1.0-6.mga9.src.rpm
CVE: CVE-2017-16516, CVE-2023-33460
Status comment:


Description David Walser 2023-07-05 22:51:49 CEST
Debian-LTS has issued an advisory on July 2:
https://www.debian.org/lts/security/2023/dla-3478

Mageia 8 is also affected.
David Walser 2023-07-05 22:52:01 CEST

Whiteboard: (none) => MGA8TOO
Blocks: (none) => 30450

Comment 1 Lewis Smith 2023-07-07 20:43:30 CEST
I could not find the patch in question from the link.

Assigning anyway to Yves who is the most recent committer of this.

Assignee: bugsquad => yves.brungard_mageia

Comment 2 David Walser 2023-07-17 22:04:56 CEST
Debian-LTS has issued an advisory for this on July 11:
https://www.debian.org/lts/security/2023/dla-3492

We should make sure we have the additional patch for CVE-2017-16516.
Comment 3 Nicolas Salguero 2024-03-14 10:10:03 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results in the whole ruby process terminating and potentially a denial of service. (CVE-2017-16516)

There's a memory leak in yajl 2.1.0 with use of the yajl_tree_parse function, which will cause out-of-memory in the server and cause a crash. (CVE-2023-33460)

References:
https://www.debian.org/lts/security/2023/dla-3478
https://www.debian.org/lts/security/2023/dla-3492
========================

Updated packages in core/updates_testing:
========================
lib(64)yajl2-2.1.0-6.1.mga9
lib(64)yajl-devel-2.1.0-6.1.mga9
yajl-2.1.0-6.1.mga9

from SRPM:
yajl-2.1.0-6.1.mga9.src.rpm

Assignee: yvesbrungard => qa-bugs
CC: (none) => nicolas.salguero
Version: Cauldron => 9
CVE: (none) => CVE-2017-16516, CVE-2023-33460
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
Summary: yajl new security issue CVE-2023-33460 => yajl new security issues CVE-2017-16516 and CVE-2023-33460

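The advisory above names the fixed package releases (2.1.0-6.1.mga9). A practitioner verifying that the update actually landed on a host needs to compare installed version-release strings against those, and plain string or `sort -V` ordering gets rpm release tags like `6.mga9` vs `6.1.mga9` wrong. The following is an added example, not part of the bug report or of the yajl project: it reimplements rpm's version comparison rules in simplified form (assumption: no epoch and no `~`/`^` handling) and checks a constructed sample of `rpm -q` output against the advisory's fixed releases.

```python
"""Check installed yajl packages against the fixed releases from the advisory.

Added example, not code from the Mageia bug or the yajl project. The comparison
is a simplified reimplementation of rpm's rpmvercmp rules (assumption: epoch,
'~' and '^' are not handled), so it runs without rpm installed.
"""
import re

# Fixed version-release strings taken from the advisory (arch suffix omitted).
FIXED = {
    "yajl": "2.1.0-6.1.mga9",
    "lib64yajl2": "2.1.0-6.1.mga9",
    "lib64yajl-devel": "2.1.0-6.1.mga9",
}

# Constructed sample standing in for the output of:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' yajl lib64yajl2 lib64yajl-devel
# The yajl package is deliberately left at the pre-update release.
SAMPLE_RPM_OUTPUT = """\
yajl 2.1.0-6.mga9
lib64yajl2 2.1.0-6.1.mga9
lib64yajl-devel 2.1.0-6.1.mga9
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def segment_cmp(a, b):
    """Compare two version or release strings the way rpmvercmp does (simplified).

    Both strings are split into runs of digits and runs of letters; segments are
    compared pairwise: numeric vs numeric by value, alpha vs alpha lexically, and
    a numeric segment is considered newer than an alpha one. When all shared
    segments are equal, the string with more segments left is newer.
    Returns -1, 0 or 1.
    """
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif xd != yd:
            return 1 if xd else -1  # numeric beats alpha: 6.1.mga9 > 6.mga9
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def vercmp(a, b):
    """Compare two 'version-release' strings: version first, then release."""
    av, _, ar = a.partition("-")
    bv, _, br = b.partition("-")
    return segment_cmp(av, bv) or segment_cmp(ar, br)


def parse_rpm_output(text):
    """Turn 'NAME VERSION-RELEASE' lines into a {name: version-release} dict."""
    installed = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, vr = line.split(None, 1)
        installed[name] = vr.strip()
    return installed


def outdated_packages(installed, fixed=FIXED):
    """Return {name: installed_vr} for packages still older than the fixed release."""
    return {
        name: vr
        for name, vr in installed.items()
        if name in fixed and vercmp(vr, fixed[name]) < 0
    }


if __name__ == "__main__":
    stale = outdated_packages(parse_rpm_output(SAMPLE_RPM_OUTPUT))
    for name, vr in stale.items():
        print(f"{name} {vr} is older than fixed {FIXED[name]}")
    print("all fixed" if not stale else f"{len(stale)} package(s) need the update")
```

On a real Mageia 9 host, replace `SAMPLE_RPM_OUTPUT` with the captured output of the `rpm -q` command shown in the comment; an empty result from `outdated_packages` means every listed package is at or past the advisory's release.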
katnatek 2024-03-14 20:42:57 CET

Keywords: (none) => advisory

Comment 4 Herman Viaene 2024-03-15 10:11:58 CET
MGA9-64 Plasma Wayland on HP-Pavillion
No installation issues.
No further info in previous bugs or wiki and
# urpmq --whatrequires yajl
libguestfs
yajl
isn't very helpful either. As this is a library, OK on clean install.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2024-03-15 23:29:46 CET
urpmq --whatrequires-recursive lib64yajl2 gives a much longer list, but still not too helpful - unless you are very familiar with managing VMs. 

I'm going to call it good enough. Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Mageia Robot 2024-03-15 23:53:06 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0066.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
