Bug 1198405 - (CVE-2022-24795) VUL-0: CVE-2022-24795: libyajl,rubygem-yajl-ruby: heap-based buffer overflow when handling large inputs due to an integer overflow
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/328195/
Reported: 2022-04-12 15:35 UTC by Gabriele Sonnu
Modified: 2022-09-07 16:25 UTC (History)

Found By: Security Response Team

Description Gabriele Sonnu 2022-04-12 15:35:23 UTC
yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.

References:
https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64
https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6
https://bugzilla.redhat.com/show_bug.cgi?id=2072912
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24795
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24795
Comment 1 Gabriele Sonnu 2022-04-12 15:47:39 UTC
Upstream fix:

https://github.com/brianmario/yajl-ruby/commit/36410d536b676e836637bb20574a56ebc920eb83

Tracking as affected:

rubygem-yajl-ruby:

 - SUSE:SLE-12:Update/rubygem-yajl-ruby   1.3.1
 - openSUSE:Factory/rubygem-yajl-ruby     1.4.1

libyajl:

 - SUSE:SLE-11-SP2:Update/libyajl         1.0.11
 - SUSE:SLE-12:Update/libyajl             2.0.1  
 - SUSE:SLE-15:Update/libyajl             2.1.0
 - openSUSE:Factory/libyajl               2.1.0
Comment 4 Swamp Workflow Management 2022-05-19 13:18:39 UTC
SUSE-SU-2022:1746-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1198405
CVE References: CVE-2022-24795
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libyajl-2.0.1-18.7.1
SUSE Linux Enterprise Server 12-SP5 (src):    libyajl-2.0.1-18.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2022-06-02 13:25:03 UTC
SUSE-SU-2022:1918-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1198405
CVE References: CVE-2022-24795
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    rubygem-yajl-ruby-1.3.1-4.6.1
SUSE OpenStack Cloud Crowbar 8 (src):    rubygem-yajl-ruby-1.3.1-4.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 James Fehlig 2022-08-08 21:02:25 UTC
According to the description, only 32-bit builds of libyajl are affected. Do we produce and support 32-bit builds of libyajl?
Comment 7 Jacek Tomasiak 2022-08-09 07:23:38 UTC
@James, this is more complicated than it sounds. The 32bit part is not about a 32bit build but about a 32bit variable, which can wrap even on 64bit builds.

FTR:
The 2.x version uses size_t which adjusts to the build platform but the 1.x (which is bundled in the rubygem) uses plain `unsigned int`.

There are at least three separate upstream projects (forks).
The "brianmario/yajl-ruby" fork uses 1.x and decided to fix the problem by adding a new error handling mechanism (we decided that this is not a good approach for a CVE fix).
The "robohack/yajl" fork of 2.x picked the "doc-fix" approach and required all clients to handle the CVE scenario in their code.
The (original) "lloyd/yajl" doesn't seem to be maintained (last commit from 2015). There are two open PRs fixing this problem, including one from us matching the fix we have in our packages. In the end both call `abort()` in case of a detected problem. The same approach was used in the Fedora patch linked above.
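The growth loop the bug description points at (`yajl_buf.c#L64`) and the abort-on-detect fix approach described in comment 7, shown side by side as an added illustration. This is not code from yajl, yajl-ruby or any of the forks named above: the `demo_buf` struct, the constants and the function names are hypothetical stand-ins, and the loop only computes the size that the real function would pass to realloc(), so the wrap can be shown without allocating 2 GB. `grow_checked` returns 0 where the shipped patches call `abort()`, so that the check can be exercised in a test.

```c
#include <assert.h>
#include <limits.h>
#include <stdio.h>

/* Hypothetical stand-in for the two yajl_buf_t fields the growth logic
 * reads: `len` is the current allocation size and `used` the bytes already
 * written.  Both are `unsigned int`, as in the 1.x branch (2.x uses size_t,
 * which is the same 32-bit type on a 32-bit build).  Constructed for this
 * example; the real struct has more members. */
struct demo_buf {
    unsigned int len;
    unsigned int used;
};

/* Growth loop as the bug report describes it: keep doubling `need` until
 * `want` more bytes fit.  Once need reaches 0x80000000 the shift wraps it
 * to 0; (0 - used) is then a huge unsigned value, the loop ends, and the
 * caller would realloc() the data pointer down to a tiny chunk while still
 * copying `want` bytes into it. */
unsigned int grow_unchecked(const struct demo_buf *buf, unsigned int want)
{
    unsigned int need = buf->len;
    assert(buf->used <= buf->len);
    while (want >= (need - buf->used))
        need <<= 1;
    return need;
}

/* Hardened variant: detect the wrap before it happens.  Returns the new
 * size, or 0 to signal that the request cannot be satisfied (0 is never a
 * valid result, since need starts at len > 0).  The SUSE/Fedora patches
 * abort() at this point instead of returning, as comment 7 notes;
 * returning a sentinel keeps the check testable here. */
unsigned int grow_checked(const struct demo_buf *buf, unsigned int want)
{
    unsigned int need = buf->len;
    assert(buf->used <= buf->len && buf->len > 0);
    /* The total after the append must itself fit in 32 bits. */
    if (want > UINT_MAX - buf->used)
        return 0;
    while (want >= (need - buf->used)) {
        /* Doubling anything above UINT_MAX/2 would wrap; refuse instead. */
        if (need > UINT_MAX / 2)
            return 0;
        need <<= 1;
    }
    return need;
}

/* Constructed scenario: a 1 GiB buffer that is almost full, asked to make
 * room for another 1.25 GiB of input.  SMALL_BUF is an ordinary case for
 * comparison. */
const struct demo_buf DEMO_BUF = { 0x40000000u, 0x3FFFFFF0u };
const unsigned int DEMO_WANT = 0x50000000u;
const struct demo_buf SMALL_BUF = { 1024u, 100u };

int main(void)
{
    unsigned int n = grow_unchecked(&DEMO_BUF, DEMO_WANT);
    printf("unchecked: len=%#x used=%#x want=%#x -> need=%#x%s\n",
           DEMO_BUF.len, DEMO_BUF.used, DEMO_WANT, n,
           n < DEMO_BUF.len ? " (wrapped: would realloc to a tiny chunk)" : "");
    n = grow_checked(&DEMO_BUF, DEMO_WANT);
    printf("checked:   %s\n", n ? "grown" : "refused (would overflow)");
    n = grow_checked(&SMALL_BUF, 3000u);
    printf("small:     1024 used 100 + 3000 -> need=%u\n", n);
    return 0;
}
```

On a 64-bit build of the 2.x branch the same loop runs on `size_t`, so the wrap only occurs past 2^63 and the issue is not reachable in practice; on a 32-bit build `size_t` has exactly the width used in this example, which is why the source packages remain affected even where no 32-bit binaries are shipped.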
Comment 8 James Fehlig 2022-08-09 17:11:45 UTC
(In reply to Jacek Tomasiak from comment #7)
> @James, this is more complicated than it sounds. The 32bit part is not for
> 32bit build but for 32bit variable which can wrap even on 64bit builds.
> 
> FTR:
> The 2.x version uses size_t which adjusts to the build platform but the 1.x
> (which is bundled in the rubygem) uses plain `unsigned int`.

So libyajl 2.x versions are fine and we don't need to do anything wrt SLE, right? We are only concerned about 1.x version of libyajl that is bundled with yajl-ruby?

> There are at least three separate upstream projects (forks). 
> The "brianmario/yajl-ruby" fork uses 1.x and decided to fix the problem by
> adding new error handling mechanism (we decided that this is not a good
> approach for CVE fix).
> The "robohack/yajl" for of 2.x picked "doc-fix" approach and required all
> clients to handle the CVE scenarion in their code.
> The (original) "lloyd/yajl" doesn't seem to be maintained (last commit from
> 2015). There are two open PRs fixing this problem including one from us
> matching the fix we have in our packages. In the end both call `abort()` in
> case of detected problem. The same approach was used in Fedora patch linked
> above.

The only "fix" I can find in our packages is

https://build.suse.de/package/show/SUSE:SLE-12:Update/libyajl
https://build.suse.de/package/show/SUSE:SLE-12-SP5:Update/libyajl

which patches a 2.x version of libyajl that uses size_t and not 'unsigned int'. So now I'm more confused than before :-(.

Are you sure libyajl-ruby uses the 1.x version of libyajl? If so, where is it maintained? There's an old 1.x version in SLE11 SP2, but the ruby gem surely can't be bundling that old POS

https://build.suse.de/package/show/SUSE:SLE-11-SP2:GA/libyajl
Comment 9 Jacek Tomasiak 2022-08-09 20:36:21 UTC
Scroll up a bit and you will find relevant fixes in comment #3.

As stated in the bug description, the 2.x version is still affected in 32bit mode. We might not ship binary 32bit packages but we ship source packages which could be built in 32bit environment.

The 1.x version is not only "used" by ruby gem but actually "bundled" in the gem sources. Again, check comment #3 for details.
Comment 10 James Fehlig 2022-08-09 21:20:02 UTC
Well, not sure what you need from me. Seems the folks working on the bug know a lot more than I do.
Comment 11 Gianluca Gabrielli 2022-08-11 08:53:59 UTC
rubygem-yajl-ruby is maintained by the cloud-team and they already provided all the requested fixes.

libyajl is maintained by you, so we need you to submit the security patches to affected codestreams. The security team helped you providing the list of the affected packages you should submit to and the patch that needs to be applied (comment 1).

The packages you should take care of are the following:

 - SUSE:SLE-11-SP2:Update/libyajl         1.0.11
 - SUSE:SLE-12:Update/libyajl             2.0.1  
 - SUSE:SLE-15:Update/libyajl             2.1.0
 - openSUSE:Factory/libyajl               2.1.0

Jacek (from the cloud team) was so kind to not only take care of the rubygem-yajl-ruby submissions, but he also submitted to one of your packages (SUSE:SLE-12:Update/libyajl).

Can you please submit the patch to the still affected packages?
Comment 12 James Fehlig 2022-08-11 13:35:47 UTC
(In reply to Gianluca Gabrielli from comment #11)
> Can you please submit the patch to the still affected packages?

Yes, sorry for the hassle. But I was brought in late and had zero context. As you can see by the changelog, I haven't touched the package in years. Didn't even know I was the maintainer. More time was wasted bringing me up to speed than someone submitting themselves.

I won't ask any more questions and do as you have instructed. Again, sorry for wasting everyone's time.
Comment 14 James Fehlig 2022-08-11 14:50:10 UTC
(In reply to Gianluca Gabrielli from comment #11)
>  - SUSE:SLE-11-SP2:Update/libyajl         1.0.11

req#277617

>  - SUSE:SLE-15:Update/libyajl             2.1.0

req#277618

>  - openSUSE:Factory/libyajl               2.1.0

I don't have rights in the devel project so could only submit there. One of the project maintainers will have to accept req#994550 and forward to Factory.
Comment 16 Swamp Workflow Management 2022-09-07 16:25:25 UTC
SUSE-SU-2022:3162-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1198405
CVE References: CVE-2022-24795
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    libyajl-2.1.0-150000.4.3.1
openSUSE Leap 15.4 (src):    libyajl-2.1.0-150000.4.3.1
openSUSE Leap 15.3 (src):    libyajl-2.1.0-150000.4.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    libyajl-2.1.0-150000.4.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    libyajl-2.1.0-150000.4.3.1
SUSE Linux Enterprise Micro 5.2 (src):    libyajl-2.1.0-150000.4.3.1
SUSE Linux Enterprise Micro 5.1 (src):    libyajl-2.1.0-150000.4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.