From c9ff829fdb046a774c25cf3ce3382979b795edfd Mon Sep 17 00:00:00 2001
From: Rosen Penev <rosenp@gmail.com>
Date: Sun, 11 Feb 2024 14:27:25 -0800
Subject: yajl: backport CVE-2023-33460 fix
Removed old uclibc patches. Not relevant with modern musl or glibc.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
---
libs/yajl/Makefile | 2 +-
libs/yajl/patches/010-CVE-2023-33460.patch | 41 ++++++++++++++++++++++
.../patches/100-link-reformatter-uclibc-libm.patch | 11 ------
libs/yajl/patches/101-link-perf-uclibc-libm.patch | 8 -----
4 files changed, 42 insertions(+), 20 deletions(-)
create mode 100644 libs/yajl/patches/010-CVE-2023-33460.patch
delete mode 100644 libs/yajl/patches/100-link-reformatter-uclibc-libm.patch
delete mode 100644 libs/yajl/patches/101-link-perf-uclibc-libm.patch
(limited to 'libs/yajl')
diff --git a/libs/yajl/Makefile b/libs/yajl/Makefile
index bb496786d..fac9dcc31 100644
--- a/libs/yajl/Makefile
+++ b/libs/yajl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=yajl
PKG_VERSION:=2.1.0
-PKG_RELEASE:=2
+PKG_RELEASE:=3
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://github.com/lloyd/yajl
diff --git a/libs/yajl/patches/010-CVE-2023-33460.patch b/libs/yajl/patches/010-CVE-2023-33460.patch
new file mode 100644
index 000000000..4edc1d3a6
--- /dev/null
+++ b/libs/yajl/patches/010-CVE-2023-33460.patch
@@ -0,0 +1,41 @@
+From 31531a6e6b5641398237ce15b7e62da02d975fc6 Mon Sep 17 00:00:00 2001
+From: Like Ma <likemartinma@gmail.com>
+Date: Sat, 2 Dec 2023 19:55:55 +0800
+Subject: [PATCH] Fix for CVE-2023-33460a
+
+Memory leak in yajl 2.1.0 with use of yajl_tree_parse function
+See https://github.com/lloyd/yajl/issues/250#issuecomment-1628695214
+
+Origin: https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039984
+Bug: https://github.com/lloyd/yajl/issues/250
+---
+ src/yajl_tree.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/src/yajl_tree.c
++++ b/src/yajl_tree.c
+@@ -143,7 +143,7 @@ static yajl_val context_pop(context_t *c
+ ctx->stack = stack->next;
+
+ v = stack->value;
+-
++ free (stack->key);
+ free (stack);
+
+ return (v);
+@@ -444,7 +444,14 @@ yajl_val yajl_tree_parse (const char *in
+ snprintf(error_buffer, error_buffer_size, "%s", internal_err_str);
+ YA_FREE(&(handle->alloc), internal_err_str);
+ }
++ while(ctx.stack != NULL) {
++ yajl_val v = context_pop(&ctx);
++ yajl_tree_free(v);
++ }
+ yajl_free (handle);
++ //If the requested memory is not released in time, it will cause memory leakage
++ if(ctx.root)
++ yajl_tree_free(ctx.root);
+ return NULL;
+ }
+
diff --git a/libs/yajl/patches/100-link-reformatter-uclibc-libm.patch b/libs/yajl/patches/100-link-reformatter-uclibc-libm.patch
deleted file mode 100644
index 21aa41f63..000000000
--- a/libs/yajl/patches/100-link-reformatter-uclibc-libm.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/reformatter/CMakeLists.txt
-+++ b/reformatter/CMakeLists.txt
-@@ -26,7 +26,7 @@ LINK_DIRECTORIES(${CMAKE_CURRENT_BINARY_
-
- ADD_EXECUTABLE(json_reformat ${SRCS})
-
--TARGET_LINK_LIBRARIES(json_reformat yajl_s)
-+TARGET_LINK_LIBRARIES(json_reformat yajl_s m)
-
- # In some environments, we must explicitly link libm (like qnx,
- # thanks @shahbag)
diff --git a/libs/yajl/patches/101-link-perf-uclibc-libm.patch b/libs/yajl/patches/101-link-perf-uclibc-libm.patch
deleted file mode 100644
index 797c4a7da..000000000
--- a/libs/yajl/patches/101-link-perf-uclibc-libm.patch
+++ /dev/null
@@ -1,8 +0,0 @@
---- a/perf/CMakeLists.txt
-+++ b/perf/CMakeLists.txt
-@@ -20,4 +20,4 @@ LINK_DIRECTORIES(${CMAKE_CURRENT_BINARY_
-
- ADD_EXECUTABLE(perftest ${SRCS})
-
--TARGET_LINK_LIBRARIES(perftest yajl_s)
-+TARGET_LINK_LIBRARIES(perftest yajl_s m)
--
cgit v1.2.3