Bug 2072912 (CVE-2022-24795)
| Summary: | CVE-2022-24795 yajl: heap-based buffer overflow when handling large inputs due to an integer overflow | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vipul Nair <vinair> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | berrange, bmontgom, eparis, fedora, jburrell, jgrulich, jnovy, jokerman, nstielau, ppisar, quantum.analyst, sponnaga, tsweeney |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | yajl 1.4.3 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in the YAJL library in the way it reallocates a memory buffer to store more data. A very large input causes the value used to calculate the buffer size to overflow, resulting in a heap-based buffer overflow.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-12-05 21:03:08 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2072913, 2072914, 2072915, 2072916, 2074180, 2074181, 2074182, 2074183 | ||
| Bug Blocks: | 2072918 | ||
|
Description
Vipul Nair
2022-04-07 09:24:00 UTC
Created R-jsonlite tracking bugs for this issue: Affects: fedora-all [bug 2072915] Created libbson tracking bugs for this issue: Affects: epel-7 [bug 2072913] Affects: epel-all [bug 2072914] Created yajl tracking bugs for this issue: Affects: fedora-all [bug 2072916] This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7524 https://access.redhat.com/errata/RHSA-2022:7524 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:8252 https://access.redhat.com/errata/RHSA-2022:8252 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-24795 NOTE: A previous patch, 1.4.2, fixed the heap memory issue, but could still lead to a DoS infinite loop. Please update to version 1.4.3 The 1.x branch and the 2.x branch of yajl contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. patched version is 1.4.3 added it to fixed in version. Vipul, We are using yajl 2.*. Can you identify the v2 version of yajl that this fix is in please? Is it in v2.1? I think maintainers decided it was not an issue for Yajl and the fix is only applied for yajl-ruby as per maintainers comment. https://github.com/lloyd/yajl/pull/240 the infinite loop that they are talking about seems to fixed in https://github.com/robohack/yajl/commit/166b384aec1cf304859d69f03e42c3ab85c34858 yajl release 2.2 @vinair thanks for the update, we'll push to update with yajl release 2.2. Vipul, yet another question. This is not a GitHub Repo that I've seen before or was aware of https://github.com/robohack/yajl. Is this the valid repo to use? ohh my bad for not being more descriptive, I was merely showing you the fix,if you wish to implement it.I dont think lloyd /yajl is actively being maintained. Ah, gotcha Vipul. Thanks for the follow-up and the pointer. |