CVE-2017-16516

Опубликовано: 03 нояб. 2017

Источник: debian

Описание

In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results in the whole ruby process terminating and potentially a denial of service.

Пакеты

Пакет	Статус	Версия исправления	Релиз	Тип
ruby-yajl	fixed	1.2.0-3.1		package
ruby-yajl	no-dsa		stretch	package
ruby-yajl	no-dsa		jessie	package
yajl	fixed	2.1.0-4		package
yajl	fixed	2.1.0-3+deb12u2	bookworm	package
yajl	fixed	2.1.0-3+deb11u2	bullseye	package
burp	fixed	3.1.4-2		package
burp	no-dsa		bookworm	package
burp	no-dsa		bullseye	package
epics-base	not-affected			package
r-cran-jsonlite	fixed	1.8.8+dfsg-1		package
r-cran-jsonlite	no-dsa		bookworm	package
r-cran-jsonlite	no-dsa		bullseye	package
r-cran-jsonlite	no-dsa		buster	package
xqilla	not-affected			package

Примечания

xqilla's embedded yajl is ancient (around 0.2.2), not having the vulnerable code
https://github.com/brianmario/yajl-ruby/issues/176
https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
burp fix: https://github.com/grke/burp/commit/5ce44cdf7018767b53a4c5466c62e4dc99d0bc93
epics-base: https://github.com/epics-base/epics-base/issues/405
r-cran-jsonlite: https://github.com/jeroen/jsonlite/issues/431
r-cran-jsonlite: https://github.com/jeroen/jsonlite/commit/ce9520f888c2339b48565fcc5ffecc85091e589e (v1.8.8)