yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32-bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64-bit platforms; however, this does not preclude the issue from triggering on 32-bit builds, on which `size_t` is a 32-bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption.

This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.

References:
https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64
https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6
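The growth-by-doubling pattern the description refers to, shown as an added example (this is not yajl's or yajl-ruby's code; the function names, the `cap_t` type and the sample sizes are assumptions made for the demonstration). The capacity is modelled as a 32-bit unsigned integer so that the arithmetic behaves like a 32-bit `size_t` even when compiled on a 64-bit host. `grow_unchecked` reproduces the wrap: once the current capacity is 0x80000000, the next doubling yields 0, which is the "small heap chunk" realloc size from the advisory, and with a large enough request the loop never makes progress, which is the infinite-loop DoS mentioned later in this bug. `grow_checked` is the hardened form: it refuses a request that cannot fit and refuses any doubling that would overflow, returning 0 (never a valid capacity) to signal failure.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed for this example: capacity arithmetic done in 32 bits, as on a
 * 32-bit build where size_t is 32 bits wide. */
typedef uint32_t cap_t;

/* Unchecked growth: keep doubling 'need' until the free space (need - used)
 * exceeds 'want', then return the size that would be handed to realloc().
 * When need == 0x80000000 the shift wraps need to 0.  The round counter is
 * only here so the demonstration terminates; without it the loop spins
 * forever once need is stuck at 0 and want stays larger than the free space. */
cap_t grow_unchecked(cap_t len, cap_t used, cap_t want)
{
    cap_t need = len;
    int rounds = 0;
    while (want >= need - used && rounds++ < 40) {
        need <<= 1;                 /* wraps to 0 when need == 0x80000000 */
    }
    return need;                    /* 0 means realloc() would get size 0 */
}

/* Hardened growth: same policy, but every step that could overflow is
 * rejected before it happens.  Returns the new capacity, or 0 on refusal.
 * Callers must treat 0 as an allocation failure (abort the parse), never
 * as a capacity. */
cap_t grow_checked(cap_t len, cap_t used, cap_t want)
{
    cap_t need = len;
    if (len == 0 || used > len) return 0;       /* corrupt or uninitialised */
    if (want > UINT32_MAX - used) return 0;     /* used + want cannot fit */
    while (want >= need - used) {
        if (need > UINT32_MAX / 2) return 0;    /* doubling would wrap */
        need <<= 1;
    }
    return need;
}

int main(void)
{
    /* Constructed sample sizes, not captured from a real parse. */
    printf("normal:   unchecked=%u checked=%u\n",
           grow_unchecked(2048u, 2000u, 100u), grow_checked(2048u, 2000u, 100u));
    /* ~2GB already buffered, small request: unchecked wraps to 0 */
    printf("at 2GB:   unchecked=%u checked=%u\n",
           grow_unchecked(0x80000000u, 0x7ffffff0u, 1024u),
           grow_checked(0x80000000u, 0x7ffffff0u, 1024u));
    /* ~2GB buffered, huge request: unchecked loops (bounded here), checked refuses */
    printf("oversize: unchecked=%u checked=%u\n",
           grow_unchecked(0x80000000u, 0x7ffffff0u, 0x90000000u),
           grow_checked(0x80000000u, 0x7ffffff0u, 0x90000000u));
    return 0;
}
```

The point for a reviewer is that the capacity type, not the platform, decides whether the wrap is reachable: the same code compiled with a 64-bit `size_t` needs an input far beyond 2GB to wrap, which is why the advisory treats 32-bit builds as the exposed case.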
Created R-jsonlite tracking bugs for this issue:
Affects: fedora-all [bug 2072915]

Created libbson tracking bugs for this issue:
Affects: epel-7 [bug 2072913]
Affects: epel-all [bug 2072914]

Created yajl tracking bugs for this issue:
Affects: fedora-all [bug 2072916]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7524 https://access.redhat.com/errata/RHSA-2022:7524
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:8252 https://access.redhat.com/errata/RHSA-2022:8252
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-24795
NOTE: A previous patch, 1.4.2, fixed the heap memory issue, but could still lead to a DoS infinite loop. Please update to version 1.4.3. The 1.x branch and the 2.x branch of yajl contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. Patched version is 1.4.3; added it to the Fixed In Version field.
Vipul, we are using yajl 2.*. Can you identify the v2 version of yajl that this fix is in, please? Is it in v2.1?
I think maintainers decided it was not an issue for Yajl and the fix is only applied for yajl-ruby as per maintainers comment. https://github.com/lloyd/yajl/pull/240
The infinite loop that they are talking about seems to be fixed in https://github.com/robohack/yajl/commit/166b384aec1cf304859d69f03e42c3ab85c34858 (yajl release 2.2).
@vinair thanks for the update, we'll push to update with yajl release 2.2.
Vipul, yet another question. This is not a GitHub Repo that I've seen before or was aware of https://github.com/robohack/yajl. Is this the valid repo to use?
Ohh, my bad for not being more descriptive. I was merely showing you the fix, if you wish to implement it. I don't think lloyd/yajl is actively being maintained.
Ah, gotcha Vipul. Thanks for the follow-up and the pointer.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:2063 https://access.redhat.com/errata/RHSA-2024:2063