Bug 1524439 (CVE-2017-16516) - CVE-2017-16516 rubygem-yajl-ruby: Yajl::Parser.new.parse incorrect parsing
Summary: CVE-2017-16516 rubygem-yajl-ruby: Yajl::Parser.new.parse incorrect parsing
Keywords:
Status: NEW
Alias: CVE-2017-16516
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1524440 1545505 1565292
Blocks: 1524442 1542255
TreeView+ depends on / blocked
 
Reported: 2017-12-11 13:55 UTC by Andrej Nemec
Modified: 2020-07-10 21:32 UTC (History)
26 users (show)

Fixed In Version: rubygem-yajl-ruby 1.3.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Andrej Nemec 2017-12-11 13:55:33 UTC
In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results in the whole ruby process terminating and potentially a denial of service.

Upstream issue:

https://github.com/brianmario/yajl-ruby/issues/176

Upstream patch:

https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce

Comment 1 Andrej Nemec 2017-12-11 13:55:53 UTC
Created ruby193-rubygem-yajl-ruby tracking bugs for this issue:

Affects: openshift-1 [bug 1524440]


Note You need to log in before you can comment on or make changes to this bug.