ruby-yajl - Debian Package Tracker

general

source: ruby-yajl (main)
version: 1.4.1-1
maintainer: Debian Ruby Team (archive) (DMD)
uploaders: Balasankar C [DMD] – Pirate Praveen [DMD] – Per Andersson [DMD]
arch: any
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.2.0-3
oldstable: 1.3.1-1
stable: 1.4.1-1
testing: 1.4.1-1
unstable: 1.4.1-1

versioned links

1.2.0-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.4.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ruby-yajl

action needed

A new upstream version is available: 1.4.2 high

A new upstream version 1.4.2 is available, you should consider packaging it.

Created: 2022-04-08 Last update: 2022-05-16 20:39

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2022-24795: yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.

Created: 2022-04-09 Last update: 2022-04-21 13:30

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2022-24795: yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.

Created: 2022-04-09 Last update: 2022-04-21 13:30

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 1.4.1-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 0558bddd350903a627cd79e0eb6e7ec653960c2b
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Thu Sep 9 17:24:54 2021 +0000

    Update standards version to 4.5.1, no changes needed.
    
    Changes-By: lintian-brush
    Fixes: lintian: out-of-date-standards-version
    See-also: https://lintian.debian.org/tags/out-of-date-standards-version.html

commit 3d752f23786ddaa580d16966bc2b80d8ccf3433b
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Wed Aug 18 09:05:55 2021 +0000

    Remove constraints unnecessary since buster
    
    * Build-Depends: Drop versioned constraint on gem2deb.
    
    Changes-By: deb-scrub-obsolete

commit 355fd91841f5a78df9a441bef57ff8a99b800985
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Fri Nov 6 18:12:37 2020 +0000

    Update watch file format version to 4.
    
    Changes-By: lintian-brush

Created: 2020-12-24 Last update: 2022-05-15 01:06

1 low-priority security issue in buster low

There is 1 open security issue in buster.

1 issue left for the package maintainer to handle:

CVE-2022-24795: (needs triaging) yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.

You can find information about how to handle this issue in the security team's documentation.

Created: 2022-04-09 Last update: 2022-04-21 13:30

1 low-priority security issue in bullseye low

There is 1 open security issue in bullseye.

1 issue left for the package maintainer to handle:

CVE-2022-24795: (needs triaging) yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.

You can find information about how to handle this issue in the security team's documentation.

Created: 2022-04-09 Last update: 2022-04-21 13:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.1 instead of 4.5.0).

Created: 2020-11-17 Last update: 2022-05-11 23:25

news

[rss feed]

[2020-10-25] ruby-yajl 1.4.1-1 MIGRATED to testing (Debian testing watch)
[2020-10-25] ruby-yajl 1.4.1-1 MIGRATED to testing (Debian testing watch)
[2020-10-23] Accepted ruby-yajl 1.4.1-1 (source) into unstable (Abraham Raji) (signed by: Praveen Arimbrathodiyil)
[2020-07-19] ruby-yajl 1.3.1-2 MIGRATED to testing (Debian testing watch)
[2020-07-16] Accepted ruby-yajl 1.3.1-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2018-02-08] ruby-yajl 1.3.1-1 MIGRATED to testing (Debian testing watch)
[2018-02-02] Accepted ruby-yajl 1.3.1-1 (source amd64) into unstable (Lucas Kanashiro)
[2017-11-13] ruby-yajl 1.2.0-3.1 MIGRATED to testing (Debian testing watch)
[2017-11-08] Accepted ruby-yajl 1.1.0-2+deb7u1 (source amd64) into oldoldstable (Markus Koschany)
[2017-11-08] Accepted ruby-yajl 1.2.0-3.1 (source) into unstable (Salvatore Bonaccorso)
[2015-07-14] ruby-yajl 1.2.0-3 MIGRATED to testing (Britney)
[2015-07-08] Accepted ruby-yajl 1.2.0-3 (source) into unstable (Christian Hofstaedtler)
[2014-04-12] ruby-yajl 1.2.0-2 MIGRATED to testing (Debian testing watch)
[2014-04-06] Accepted ruby-yajl 1.2.0-2 (source amd64) (Per Andersson)
[2013-12-29] ruby-yajl 1.2.0-1 MIGRATED to testing (Debian testing watch)
[2013-12-19] Accepted ruby-yajl 1.2.0-1 (source amd64) (Cédric Boutillier)
[2013-04-23] ruby-yajl 1.1.0-2 MIGRATED to testing (Debian testing watch)
[2013-04-12] Accepted ruby-yajl 1.1.0-2 (source amd64) (Tollef Fog Heen)
[2012-07-06] ruby-yajl 1.1.0-1 MIGRATED to testing (Debian testing watch)
[2012-06-25] Accepted ruby-yajl 1.1.0-1 (source amd64) (Per Andersson) (signed by: Vincent Fourmond)
[2011-10-08] ruby-yajl 1.0.0-1 MIGRATED to testing (Debian testing watch)
[2011-09-27] Accepted ruby-yajl 1.0.0-1 (source amd64) (Praveen Arimbrathodiyil)
[2011-09-18] ruby-yajl 0.8.3-2 MIGRATED to testing (Debian testing watch)
[2011-09-07] Accepted ruby-yajl 0.8.3-2 (source amd64) (Antonio Terceiro)
[2011-09-06] Accepted ruby-yajl 0.8.3-1 (source amd64) (Praveen Arimbrathodiyil)

bugs [bug history graph]

all: 2
RC: 0
I&N: 1
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.4.1-1build2