main/yajl: fix CVE-2023-33460

backport fix for memory leaks
2025-08-05 13:27:09 +02:00 · 2024-06-12 13:12:37 +02:00 · 2024-06-12 13:12:37 +02:00 · f2c866423f
commit f2c866423f
parent 9ed6dc222b
2 changed files with 66 additions and 2 deletions
--- a/main/yajl/APKBUILD
+++ b/main/yajl/APKBUILD
@ -1,14 +1,20 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=yajl
 pkgver=2.1.0
-pkgrel=8
+pkgrel=9
 pkgdesc="Yet Another JSON Library (YAJL)"
 url="https://lloyd.github.io/yajl/"
 arch="all"
 license="MIT"
 makedepends="cmake samurai"
 subpackages="$pkgname-static $pkgname-dev $pkgname-tools"
-source="$pkgname-$pkgver-2.tar.gz::https://github.com/lloyd/yajl/archive/refs/tags/$pkgver.tar.gz"
+source="$pkgname-$pkgver-2.tar.gz::https://github.com/lloyd/yajl/archive/refs/tags/$pkgver.tar.gz
+	CVE-2023-33460.patch
+	"
+
+# secfixes:
+#   2.1.0-r9:
+#     - CVE-2023-33460

 build() {
 	cmake -B build -G Ninja \
@ -39,4 +45,5 @@ tools() {

 sha512sums="
 9e786d080803df80ec03a9c2f447501e6e8e433a6baf636824bc1d50ecf4f5f80d7dfb1d47958aeb0a30fe459bd0ef033d41bc6a79e1dc6e6b5eade930b19b02  yajl-2.1.0-2.tar.gz
+3dcd1e162073bb926a620f5ac74e5fccd605fcd114f79df175fc24de19d3c03b854dc576977c259183181966551c94f99ac925bc43a7526e366bd765d64ceadf  CVE-2023-33460.patch
 "
--- a/main/yajl/CVE-2023-33460.patch
+++ b/main/yajl/CVE-2023-33460.patch
@ -0,0 +1,57 @@
+From 23a122eddaa28165a6c219000adcc31ff9a8a698 Mon Sep 17 00:00:00 2001
+From: "zhang.jiujiu" <282627424@qq.com>
+Date: Tue, 7 Dec 2021 22:37:02 +0800
+Subject: [PATCH] fix memory leaks
+
+---
+ src/yajl_tree.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/yajl_tree.c b/src/yajl_tree.c
+index b9e66043..0e7bde98 100644
+--- a/src/yajl_tree.c
+++ b/src/yajl_tree.c
+@@ -456,6 +456,9 @@ yajl_val yajl_tree_parse (const char *input,
+              yajl_tree_free(v);
+         }
+         yajl_free (handle);
+	//If the requested memory is not released in time, it will cause memory leakage
+	if(ctx.root)
+	     yajl_tree_free(ctx.root);
+         return NULL;
+     }
+ 
+From 3d65cb0c6db4d433e5e42ee7d91d8a04e21337cf Mon Sep 17 00:00:00 2001
+From: wujing <wujing50@huawei.com>
+Date: Thu, 14 Feb 2019 03:12:30 +0800
+Subject: [PATCH] yajl: fix memory leak problem
+
+reason: fix memory leak problem
+---
+ src/yajl_tree.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/yajl_tree.c b/src/yajl_tree.c
+index 3d357a32..4b3cf2b1 100644
+--- a/src/yajl_tree.c
+++ b/src/yajl_tree.c
+@@ -143,7 +143,7 @@ static yajl_val context_pop(context_t *ctx)
+     ctx->stack = stack->next;
+ 
+     v = stack->value;
+-
+    free (stack->key);
+     free (stack);
+ 
+     return (v);
+@@ -444,6 +444,10 @@ yajl_val yajl_tree_parse (const char *input,
+              snprintf(error_buffer, error_buffer_size, "%s", internal_err_str);
+              YA_FREE(&(handle->alloc), internal_err_str);
+         }
+        while(ctx.stack != NULL) {
+             yajl_val v = context_pop(&ctx);
+             yajl_tree_free(v);
+        }
+         yajl_free (handle);
+         return NULL;
+     }