Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 908036 (CVE-2023-33460) - <dev-libs/yajl-2.1.0-r4: memory leak
Summary: <dev-libs/yajl-2.1.0-r4: memory leak
Alias: CVE-2023-33460
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on: 910383
  Show dependency tree
Reported: 2023-06-08 04:19 UTC by John Helmert III
Modified: 2023-09-17 11:22 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-08 04:19:52 UTC

There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function. which will cause out-of-memory in server and cause crash.

Seems there's a patch available.
Comment 1 Larry the Git Cow gentoo-dev 2023-07-09 05:56:31 UTC
The bug has been referenced in the following commit(s):

commit 292d37d5785fef12129973cd07a2f7731303d989
Author:     Hans de Graaff <>
AuthorDate: 2023-07-09 05:55:48 +0000
Commit:     Hans de Graaff <>
CommitDate: 2023-07-09 05:55:57 +0000

    dev-libs/yajl: update EAPI 7 -> 8, fix memory leak
    Signed-off-by: Hans de Graaff <>

 dev-libs/yajl/files/yajl-2.1.0-memory-leak.patch | 23 +++++++++++++++
 dev-libs/yajl/yajl-2.1.0-r4.ebuild               | 37 ++++++++++++++++++++++++
 2 files changed, 60 insertions(+)
Comment 2 Hans de Graaff gentoo-dev Security 2023-08-17 19:21:56 UTC
Cleanup done.
Comment 3 Hans de Graaff gentoo-dev Security 2023-09-09 08:14:17 UTC
GLSA vote: no.