1212928 – (CVE-2023-33460) VUL-0: CVE-2023-33460: libyajl: There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function. which will cause out-of-memory in server and cause crash.

Bug 1212928 (CVE-2023-33460) - VUL-0: CVE-2023-33460: libyajl: There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function. which will cause out-of-memory in server and cause crash.

Summary: VUL-0: CVE-2023-33460: libyajl: There's a memory leak in yajl 2.1.0 with use ...

Status:	RESOLVED FIXED

Alias:	CVE-2023-33460

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/368525/
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-33460:6.5:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-07-03 05:58 UTC by Stoyan Manolov
Modified:	2023-08-14 11:51 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Patch fixing the bug (844 bytes, patch) 2023-07-07 21:47 UTC, James Fehlig	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stoyan Manolov 2023-07-03 05:58:37 UTC

CVE-2023-33460

There is a memory leak in yajl 2.1.0 with use of yajl_tree_parse function. which will cause out-of-memory in server and cause crash.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-33460
https://www.cve.org/CVERecord?id=CVE-2023-33460
http://www.cvedetails.com/cve/CVE-2023-33460/
https://github.com/lloyd/yajl/issues/250
https://lists.debian.org/debian-lts-announce/2023/07/msg00000.html

Comment 2 James Fehlig 2023-07-07 21:47:25 UTC

Created attachment 868100 [details]
Patch fixing the bug

Inspired by the patch in the debian package.

Comment 3 James Fehlig 2023-07-07 21:51:17 UTC

I've submitted updated packages containing the above patch to the OBS devel project (sr#1097635) and SLE-15:Update (mr#302858). Does that ALP project also need a submission?

Comment 6 James Fehlig 2023-07-13 16:17:52 UTC

SR#303134 sent for ALP. I think that's all for me. Passing to the security team...

Comment 8 Maintenance Automation 2023-08-14 08:30:43 UTC

SUSE-SU-2023:3301-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1212928
CVE References: CVE-2023-33460
Sources used:
openSUSE Leap Micro 5.3 (src): libyajl-2.1.0-150000.4.6.1
openSUSE Leap Micro 5.4 (src): libyajl-2.1.0-150000.4.6.1
openSUSE Leap 15.4 (src): libyajl-2.1.0-150000.4.6.1
openSUSE Leap 15.5 (src): libyajl-2.1.0-150000.4.6.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): libyajl-2.1.0-150000.4.6.1
SUSE Linux Enterprise Micro 5.3 (src): libyajl-2.1.0-150000.4.6.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): libyajl-2.1.0-150000.4.6.1
SUSE Linux Enterprise Micro 5.4 (src): libyajl-2.1.0-150000.4.6.1
Basesystem Module 15-SP4 (src): libyajl-2.1.0-150000.4.6.1
Basesystem Module 15-SP5 (src): libyajl-2.1.0-150000.4.6.1
SUSE Linux Enterprise Real Time 15 SP3 (src): libyajl-2.1.0-150000.4.6.1
SUSE Manager Proxy 4.2 (src): libyajl-2.1.0-150000.4.6.1
SUSE Manager Retail Branch Server 4.2 (src): libyajl-2.1.0-150000.4.6.1
SUSE Manager Server 4.2 (src): libyajl-2.1.0-150000.4.6.1
SUSE Linux Enterprise Micro 5.1 (src): libyajl-2.1.0-150000.4.6.1
SUSE Linux Enterprise Micro 5.2 (src): libyajl-2.1.0-150000.4.6.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): libyajl-2.1.0-150000.4.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.