CVE-2017-16516 #248

Open
pfsmorigo opened this issue Jan 23, 2023 · 1 comment

@pfsmorigo

Hello, yajl-ruby has a fix for CVE-2017-16516 that might be affecting yajl as well. Can you backport it? The commit is brianmario/yajl-ruby@a8ca8f4

Thanks!

berrange added a commit to berrange/yajl that referenced this issue Jul 10, 2023
Description: Fix for CVE-2017-16516
 Potential buffer overread: A JSON file can cause denial of service.
Origin: brianmario/yajl-ruby@a8ca8f4
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
Bug: lloyd#248

Patch taken from Debian package source

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
berrange added a commit to berrange/yajl that referenced this issue Jul 10, 2023
Description: Fix for CVE-2017-16516
 Potential buffer overread: A JSON file can cause denial of service.
Origin: brianmario/yajl-ruby@a8ca8f4
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
Bug: lloyd#248

Patch taken from Debian package source

NB, Fedora code can't trigger the reported aborts since it passes the
-DNDEBUG flag, but pulling the fix for robustness in case a future
change enables the assert()s.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
@berrange

I confirmed the problem affects git master, but only if asserts are enabled. IOW,

  • If you do cmake -DCMAKE_BUILD_TYPE=Debug then the two JSON documents illustrated in SIGABRT - process aborted brianmario/yajl-ruby#176 will trigger asserts.

  • If you use cmake -DCMAKE_BUILD_TYPE=Release, then it will pass -DNDEBUG to CC which disables asserts.

Simply not passing CMAKE_BUILD_TYPE at all appears to have the same behaviour as the Release build on my cmake install at least.

The fix mentioned from yajl-ruby works on git master to avoid the asserts.
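
The commit messages on this page describe the bug class as a potential buffer overread while peeking ahead for a unicode escape. As an added illustration, not code from yajl, yajl-ruby or anyone in this thread: a length-checked look-ahead for a `\uXXXX` surrogate pair in C, where `hex4` and `decode_u_escape` are hypothetical names and substituting U+FFFD for an unpaired surrogate is an assumption of this example. It reports problems through return values instead of assert(), so a build with -DNDEBUG behaves the same as a debug build.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Parse 4 hex digits at p; returns -1 if any is not a hex digit. */
static long hex4(const unsigned char *p)
{
    long v = 0;
    for (int i = 0; i < 4; i++) {
        if (!isxdigit(p[i])) return -1;
        v = v * 16 + (isdigit(p[i]) ? p[i] - '0' : (p[i] | 0x20) - 'a' + 10);
    }
    return v;
}

/* Decode the \uXXXX escape (or surrogate pair) at s[*pos]; s holds exactly len
 * bytes, no NUL. Returns the code point, or -1 if malformed. Never reads s[len]. */
long decode_u_escape(const unsigned char *s, size_t len, size_t *pos)
{
    size_t i = *pos;
    if (i > len || len - i < 6 || s[i] != '\\' || s[i + 1] != 'u')
        return -1;
    long cp = hex4(s + i + 2);
    if (cp < 0) return -1;
    i += 6;
    if ((cp & 0xFC00) == 0xD800) {
        /* High surrogate: check the remaining length first, then peek; the
         * cursor advances only once a valid low surrogate is confirmed. */
        long lo = -1;
        if (len - i >= 6 && s[i] == '\\' && s[i + 1] == 'u')
            lo = hex4(s + i + 2);
        if (lo >= 0 && (lo & 0xFC00) == 0xDC00) {
            cp = 0x10000 + ((cp & 0x3FF) << 10) + (lo & 0x3FF);
            i += 6;
        } else {
            cp = 0xFFFD; /* unpaired high surrogate (assumed policy) */
        }
    } else if ((cp & 0xFC00) == 0xDC00) {
        cp = 0xFFFD;     /* unpaired low surrogate (assumed policy) */
    }
    *pos = i;
    return cp;
}

int main(void)
{
    const unsigned char buf[] = "\\uD83D\\uDE00"; /* constructed sample */
    size_t a = 0, b = 0; /* second call: same bytes, length cut to 6 */
    printf("%lX %lX\n", (unsigned long)decode_u_escape(buf, 12, &a),
           (unsigned long)decode_u_escape(buf, 6, &b));
}
```

Passing the same bytes with a shorter `len` is a simple way to check that a decoder honours the stated length rather than whatever happens to follow in memory.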

reinerh pushed a commit to reinerh/cdogs-sdl that referenced this issue Sep 16, 2023
…er left and have peeked ahead to see that a unicode escape is approaching.

Thanks @kivikakk for helping me track down the actual bug here!

Fixes: CVE-2017-16516
Origin: brianmario/yajl-ruby@a8ca8f4
Bug: lloyd/yajl#248
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
cxong pushed a commit to cxong/cdogs-sdl that referenced this issue Sep 18, 2023
…er left and have peeked ahead to see that a unicode escape is approaching.

Thanks @kivikakk for helping me track down the actual bug here!

Fixes: CVE-2017-16516
Origin: brianmario/yajl-ruby@a8ca8f4
Bug: lloyd/yajl#248
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
likema added a commit to likema/yajl that referenced this issue Dec 2, 2023
Potential buffer overread: A JSON file can cause denial of service.

Origin: brianmario/yajl-ruby@a8ca8f4
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
Bug: lloyd#248