diff options
| author | Nicolas Graves <ngraves@ngraves.fr> | 2025-03-07 19:28:16 +0100 |
|---|---|---|
| committer | Zheng Junjie <z572@z572.online> | 2025-06-23 12:32:52 +0800 |
| commit | 788e3b87a7dadf93e3834a0f4397afe5c18355b8 (patch) | |
| tree | 2e6d63ea70ef4acb5ebae899f8bdf391adc556a0 | |
| parent | 142a3d5177d3bea52caad8f6a68ece4b034110b1 (diff) | |
gnu: yajl: Patch CVE-2023-33460.
* gnu/packages/patches/yajl-CVE-2023-33460.patch: Add file.
* gnu/local.mk: Record patch.
* gnu/packages/web.scm (yajl)[source]: Record patch.
Signed-off-by: Zheng Junjie <z572@z572.online>
| -rw-r--r-- | gnu/local.mk | 1 | ||||
| -rw-r--r-- | gnu/packages/patches/yajl-CVE-2023-33460.patch | 38 | ||||
| -rw-r--r-- | gnu/packages/web.scm | 4 |
3 files changed, 42 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 23eecc8a92..1b93c21a33 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -2474,6 +2474,7 @@ dist_patch_DATA = \ %D%/packages/patches/xterm-370-explicit-xcursor.patch \ %D%/packages/patches/xygrib-fix-finding-data.patch \ %D%/packages/patches/xygrib-newer-proj.patch \ + %D%/packages/patches/yajl-CVE-2023-33460.patch \ %D%/packages/patches/yggdrasil-extra-config.patch \ %D%/packages/patches/zig-0.9-build-respect-PKG_CONFIG-env-var.patch \ %D%/packages/patches/zig-0.9-fix-runpath.patch \ diff --git a/gnu/packages/patches/yajl-CVE-2023-33460.patch b/gnu/packages/patches/yajl-CVE-2023-33460.patch new file mode 100644 index 0000000000..9ba6e72774 --- /dev/null +++ b/gnu/packages/patches/yajl-CVE-2023-33460.patch @@ -0,0 +1,38 @@ +Memory leak in yajl 2.1.0 with use of yajl_tree_parse function +See https://github.com/lloyd/yajl/issues/250#issuecomment-1628695214 + +Origin: https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039984 +Bug: https://github.com/lloyd/yajl/issues/250 +--- + src/yajl_tree.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/yajl_tree.c b/src/yajl_tree.c +index 3d357a32..56c7012f 100644 +--- a/src/yajl_tree.c ++++ b/src/yajl_tree.c +@@ -143,7 +143,7 @@ static yajl_val context_pop(context_t *ctx) + ctx->stack = stack->next; + + v = stack->value; +- ++ free (stack->key); + free (stack); + + return (v); +@@ -444,7 +444,14 @@ yajl_val yajl_tree_parse (const char *input, + snprintf(error_buffer, error_buffer_size, "%s", internal_err_str); + YA_FREE(&(handle->alloc), internal_err_str); + } ++ while(ctx.stack != NULL) { ++ yajl_val v = context_pop(&ctx); ++ yajl_tree_free(v); ++ } + yajl_free (handle); ++ //If the requested memory is not released in time, it will cause memory leakage ++ if(ctx.root) ++ yajl_tree_free(ctx.root); + return NULL; + } + diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index 8c1c5506e9..74bdc657fa 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm @@ -1749,7 +1749,9 @@ C.") (file-name (git-file-name name version)) (sha256 (base32 - "00yj06drb6izcxfxfqlhimlrb089kka0w0x8k27pyzyiq7qzcvml")))) + "00yj06drb6izcxfxfqlhimlrb089kka0w0x8k27pyzyiq7qzcvml")) + (patches + (search-patches "yajl-CVE-2023-33460.patch")))) (build-system cmake-build-system) (arguments '(#:phases |