Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 2072912 (CVE-2022-24795) - CVE-2022-24795 yajl: heap-based buffer overflow when handling large inputs due to an integer overflow
Summary: CVE-2022-24795 yajl: heap-based buffer overflow when handling large inputs du...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-24795
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2072913 2072914 2072915 2072916 2074180 2074181 2074182 2074183
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-04-07 09:24 UTC by Vipul Nair
Modified: 2024-04-25 15:07 UTC (History)
13 users (show)

Fixed In Version: yajl 1.4.3
Clone Of:
Environment:
Last Closed: 2022-12-05 21:03:08 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github lloyd yajl issues 239 0 None open CVE-2022-24795 2022-04-07 10:14:35 UTC
Red Hat Product Errata RHSA-2022:7524 0 None None None 2022-11-08 09:26:38 UTC
Red Hat Product Errata RHSA-2022:8252 0 None None None 2022-11-15 10:44:43 UTC
Red Hat Product Errata RHSA-2024:2063 0 None None None 2024-04-25 15:07:08 UTC

Description Vipul Nair 2022-04-07 09:24:00 UTC
yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.

References:
https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64
https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6

Comment 1 Vipul Nair 2022-04-07 09:26:22 UTC
Created R-jsonlite tracking bugs for this issue:

Affects: fedora-all [bug 2072915]


Created libbson tracking bugs for this issue:

Affects: epel-7 [bug 2072913]
Affects: epel-all [bug 2072914]


Created yajl tracking bugs for this issue:

Affects: fedora-all [bug 2072916]

Comment 3 errata-xmlrpc 2022-11-08 09:26:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7524 https://access.redhat.com/errata/RHSA-2022:7524

Comment 4 errata-xmlrpc 2022-11-15 10:44:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8252 https://access.redhat.com/errata/RHSA-2022:8252

Comment 5 Product Security DevOps Team 2022-12-05 21:03:06 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-24795

Comment 8 Vipul Nair 2023-12-19 06:04:49 UTC
NOTE: A previous patch, 1.4.2, fixed the heap memory issue, but could still lead to a DoS infinite loop. Please update to version 1.4.3

The 1.x branch and the 2.x branch of yajl contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs.

patched version is 1.4.3 added it to fixed in version.

Comment 9 Tom Sweeney 2024-01-05 16:31:01 UTC
Vipul, 

We are using yajl 2.*.  Can you identify the v2 version of yajl that this fix is in please?  Is it in v2.1?

Comment 10 Vipul Nair 2024-01-15 17:43:11 UTC
I think maintainers decided it was not an issue for Yajl and the fix is only applied for yajl-ruby as per maintainers comment.
https://github.com/lloyd/yajl/pull/240

Comment 11 Vipul Nair 2024-01-15 17:44:30 UTC
the infinite loop that they are talking about seems to fixed in https://github.com/robohack/yajl/commit/166b384aec1cf304859d69f03e42c3ab85c34858
yajl release 2.2

Comment 12 Tom Sweeney 2024-01-16 15:33:37 UTC
@vinair thanks for the update, we'll push to update with yajl release 2.2.

Comment 13 Tom Sweeney 2024-01-16 15:45:17 UTC
Vipul, yet another question.  This is not a GitHub Repo that I've seen before or was aware of https://github.com/robohack/yajl.   Is this the valid repo to use?

Comment 14 Vipul Nair 2024-01-17 12:19:12 UTC
ohh my bad for not being more descriptive, I was merely showing you the fix,if you wish to implement it.I dont think lloyd /yajl is actively being maintained.

Comment 15 Tom Sweeney 2024-01-17 20:43:16 UTC
Ah, gotcha Vipul. Thanks for the follow-up and the pointer.

Comment 16 errata-xmlrpc 2024-04-25 15:07:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:2063 https://access.redhat.com/errata/RHSA-2024:2063


Note You need to log in before you can comment on or make changes to this bug.