yajl: add mitigation for CVE-2023-33460

lloyd/yajl#250 Signed-off-by: Ariadne Conill <[email protected]>
wolfi-dev · Jul 19, 2023 · 70a1681 · 70a1681
1 parent 48f4cb4
commit 70a1681
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 1 deletion.
diff --git a/yajl.yaml b/yajl.yaml
@@ -1,7 +1,7 @@
 package:
   name: yajl
   version: 2.1.0
-  epoch: 0
+  epoch: 1
   description: Yet Another JSON Library (YAJL)
   copyright:
     - license: MIT
@@ -23,6 +23,10 @@ pipeline:
       expected-sha256: b03bb1283e6b86dfff2aac86d3a92dee3969c03ddd59217cacf8b4aa191ffa49
       uri: https://dev.alpinelinux.org/archive/yajl/yajl-${{package.version}}.tar.gz
 
+  - uses: patch
+    with:
+      patches: CVE-2023-33460.patch
+
   - uses: cmake/configure
 
   - uses: cmake/build

diff --git a/yajl/CVE-2023-33460.patch b/yajl/CVE-2023-33460.patch
@@ -0,0 +1,57 @@
+From 23a122eddaa28165a6c219000adcc31ff9a8a698 Mon Sep 17 00:00:00 2001
+From: "zhang.jiujiu" <[email protected]>
+Date: Tue, 7 Dec 2021 22:37:02 +0800
+Subject: [PATCH] fix memory leaks
+
+---
+ src/yajl_tree.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/yajl_tree.c b/src/yajl_tree.c
+index b9e66043..0e7bde98 100644
+--- a/src/yajl_tree.c
++++ b/src/yajl_tree.c
+@@ -456,6 +456,9 @@ yajl_val yajl_tree_parse (const char *input,
+              yajl_tree_free(v);
+         }
+         yajl_free (handle);
++	//If the requested memory is not released in time, it will cause memory leakage
++	if(ctx.root)
++	     yajl_tree_free(ctx.root);
+         return NULL;
+     }
+
+From 3d65cb0c6db4d433e5e42ee7d91d8a04e21337cf Mon Sep 17 00:00:00 2001
+From: wujing <[email protected]>
+Date: Thu, 14 Feb 2019 03:12:30 +0800
+Subject: [PATCH] yajl: fix memory leak problem
+
+reason: fix memory leak problem
+---
+ src/yajl_tree.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/yajl_tree.c b/src/yajl_tree.c
+index 3d357a32..4b3cf2b1 100644
+--- a/src/yajl_tree.c
++++ b/src/yajl_tree.c
+@@ -143,7 +143,7 @@ static yajl_val context_pop(context_t *ctx)
+     ctx->stack = stack->next;
+
+     v = stack->value;
+-
++    free (stack->key);
+     free (stack);
+
+     return (v);
+@@ -444,6 +444,10 @@ yajl_val yajl_tree_parse (const char *input,
+              snprintf(error_buffer, error_buffer_size, "%s", internal_err_str);
+              YA_FREE(&(handle->alloc), internal_err_str);
+         }
++        while(ctx.stack != NULL) {
++             yajl_val v = context_pop(&ctx);
++             yajl_tree_free(v);
++        }
+         yajl_free (handle);
+         return NULL;
+     }