908036 – (CVE-2023-33460) <dev-libs/yajl-2.1.0-r4: memory leak

Bug 908036 (CVE-2023-33460) - <dev-libs/yajl-2.1.0-r4: memory leak

Summary: <dev-libs/yajl-2.1.0-r4: memory leak

Status:	RESOLVED FIXED

Alias:	CVE-2023-33460

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://github.com/lloyd/yajl/issues/250
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:	910383
Blocks:
	Show dependency tree

Reported:	2023-06-08 04:19 UTC by John Helmert III
Modified:	2023-09-17 11:22 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2023-06-08 04:19:52 UTC

CVE-2023-33460:

There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function. which will cause out-of-memory in server and cause crash.

Seems there's a patch available.

Comment 1 Larry the Git Cow gentoo-dev

2023-07-09 05:56:31 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=292d37d5785fef12129973cd07a2f7731303d989

commit 292d37d5785fef12129973cd07a2f7731303d989
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2023-07-09 05:55:48 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-07-09 05:55:57 +0000

    dev-libs/yajl: update EAPI 7 -> 8, fix memory leak
    
    Bug: https://bugs.gentoo.org/908036
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-libs/yajl/files/yajl-2.1.0-memory-leak.patch | 23 +++++++++++++++
 dev-libs/yajl/yajl-2.1.0-r4.ebuild               | 37 ++++++++++++++++++++++++
 2 files changed, 60 insertions(+)

Comment 2 Hans de Graaff gentoo-dev

2023-08-17 19:21:56 UTC

Cleanup done.

Comment 3 Hans de Graaff gentoo-dev

2023-09-09 08:14:17 UTC

GLSA vote: no.