rubygem-yajl-ruby: fix CVE 2022 24795 (#3598)

* rubygem-yajl-ruby : fix CVE-2022-24795 * rubygem-yajl-ruby : fix CVE-2022-24795 * back port patch from 1.4.1 * fix spec issue * address PR comments Co-authored-by: Nicolas Guibourge <[email protected]>
microsoft · Aug 24, 2022 · 7827361 · 7827361
1 parent 72240a4
commit 7827361
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 1 deletion.
diff --git a/SPECS/rubygem-yajl-ruby/CVE-2022-24795.patch b/SPECS/rubygem-yajl-ruby/CVE-2022-24795.patch
@@ -0,0 +1,41 @@
+Nicolas Guibourge, Tue Aug 23 2022, backport from version 1.4.1 to 1.3.1
+From commitid 8daacc158c209ae881db76a762e3f105a22741b9
+From commitid 22aa1e7b8f613263c781f9c44468b997e91ac583
+
+diff -ru yajl-ruby-1.3.1-orig/ext/yajl/api/yajl_gen.h yajl-ruby-1.3.1/ext/yajl/api/yajl_gen.h
+--- yajl-ruby-1.3.1-orig/ext/yajl/api/yajl_gen.h	2017-11-06 22:19:23.000000000 -0800
++++ yajl-ruby-1.3.1/ext/yajl/api/yajl_gen.h	2022-08-23 02:58:32.587721599 -0700
+@@ -63,7 +63,9 @@
+         yajl_gen_invalid_number,
+         /** A print callback was passed in, so there is no internal
+          * buffer to get from */
+-        yajl_gen_no_buf
++        yajl_gen_no_buf,
++        /** Tried to decrement at depth 0 */
++        yajl_depth_underflow
+     } yajl_gen_status;
+
+     /** an opaque handle to a generator */
+diff -ru yajl-ruby-1.3.1-orig/ext/yajl/yajl_gen.c yajl-ruby-1.3.1/ext/yajl/yajl_gen.c
+--- yajl-ruby-1.3.1-orig/ext/yajl/yajl_gen.c	2017-11-06 22:19:23.000000000 -0800
++++ yajl-ruby-1.3.1/ext/yajl/yajl_gen.c	2022-08-23 03:00:27.108553941 -0700
+@@ -178,7 +178,7 @@
+     if (++(g->depth) >= YAJL_MAX_DEPTH) return yajl_max_depth_exceeded;
+
+ #define DECREMENT_DEPTH \
+-    if (--(g->depth) >= YAJL_MAX_DEPTH) return yajl_gen_error;
++    if (--(g->depth) >= YAJL_MAX_DEPTH) return yajl_depth_underflow;
+
+ #define APPENDED_ATOM \
+     switch (g->state[g->depth]) {                   \
+diff -ru yajl-ruby-1.3.1-orig/ext/yajl/yajl_lex.c yajl-ruby-1.3.1/ext/yajl/yajl_lex.c
+--- yajl-ruby-1.3.1-orig/ext/yajl/yajl_lex.c	2017-11-06 22:19:23.000000000 -0800
++++ yajl-ruby-1.3.1/ext/yajl/yajl_lex.c	2022-08-23 03:01:34.613044611 -0700
+@@ -46,6 +46,7 @@
+         case yajl_tok_bool: return "bool";
+         case yajl_tok_colon: return "colon";
+         case yajl_tok_comma: return "comma";
++        case yajl_tok_comment: return "comment";
+         case yajl_tok_eof: return "eof";
+         case yajl_tok_error: return "error";
+         case yajl_tok_left_brace: return "brace";
diff --git a/SPECS/rubygem-yajl-ruby/rubygem-yajl-ruby.spec b/SPECS/rubygem-yajl-ruby/rubygem-yajl-ruby.spec
@@ -3,14 +3,15 @@
 Summary:        A streaming JSON parsing and encoding library for Ruby
 Name:           rubygem-yajl-ruby
 Version:        1.3.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Development/Languages
 URL:            https://github.com/brianmario/yajl-ruby
 Source0:        https://github.com/brianmario/yajl-ruby/archive/refs/tags/%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz
 Patch0:         fix-file_list.patch
+Patch1:         CVE-2022-24795.patch
 BuildRequires:  git
 BuildRequires:  ruby
 Provides:       rubygem(%{gem_name}) = %{version}-%{release}
@@ -33,6 +34,9 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}-
 %{gemdir}
 
 %changelog
+* Tue Aug 23 2022 Nicolas Guibourge <[email protected]> - 1.3.1-2
+- Fix CVE-2022-24795.
+
 * Wed Jun 22 2022 Neha Agarwal <[email protected]> - 1.3.1-1
 - Downgrade to v1.3.1.
 - Build from .tar.gz source.