{ "threat_severity" : "Moderate", "public_date" : "2022-04-05T00:00:00Z", "bugzilla" : { "description" : "yajl: heap-based buffer overflow when handling large inputs due to an integer overflow", "id" : "2072912", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2072912" }, "cvss3" : { "cvss3_base_score" : "5.9", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-190->CWE-119", "details" : [ "yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.", "A flaw was found in the YAJL library in the way it reallocates a memory buffer to store more data. A very large input causes the value used to calculate the buffer size to overflow, resulting in a heap-based buffer overflow." ], "statement" : "Red Hat Enterprise Linux only ships YAJL 2.x versions and on 32-bit systems, more than 2GiB of data will be required for triggering this bug. However, on 64-bit systems, more than 9EiB of data will be needed, making this vulnerability very hard to be exploited on these systems.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2022-11-08T00:00:00Z", "advisory" : "RHSA-2022:7524", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "yajl-0:2.1.0-11.el8" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date" : "2024-04-25T00:00:00Z", "advisory" : "RHSA-2024:2063", "cpe" : "cpe:/a:redhat:rhel_eus:8.6", "package" : "yajl-0:2.1.0-13.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2022-11-15T00:00:00Z", "advisory" : "RHSA-2022:8252", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "yajl-0:2.1.0-21.el9" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "yajl", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "yajl", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "libreoffice:flatpak/yajl", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "libreoffice:flatpak/yajl", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Out of support scope", "package_name" : "rubygem-yajl-ruby", "cpe" : "cpe:/a:redhat:openshift:3.11" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-24795\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-24795" ], "name" : "CVE-2022-24795", "mitigation" : { "value" : "Avoid passing large inputs to the YAJL library.", "lang" : "en:us" }, "csaw" : false }