Debian Package Tracker

ruby-yajl

Ruby interface to Yajl, a JSON stream-based parser library


general
  • source: ruby-yajl (main)
  • version: 1.4.1-1
  • maintainer: Debian Ruby Team (archive) (DMD)
  • uploaders: Balasankar C [DMD] – Pirate Praveen [DMD] – Per Andersson [DMD]
  • arch: any
  • std-ver: 4.5.0
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 1.2.0-3
  • oldstable: 1.3.1-1
  • stable: 1.4.1-1
  • testing: 1.4.1-1
  • unstable: 1.4.1-1
versioned links
  • 1.2.0-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.3.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.4.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • ruby-yajl
action needed
A new upstream version is available: 1.4.2 (severity: high)
A new upstream version 1.4.2 is available; you should consider packaging it.
Created: 2022-04-08 Last update: 2022-05-16 20:39
1 security issue in sid (severity: high)

There is 1 open security issue in sid.

1 important issue:
  • CVE-2022-24795: yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32-bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64-bit platforms; however, this does not preclude this issue triggering on 32-bit builds on which `size_t` is a 32-bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.
Created: 2022-04-09 Last update: 2022-04-21 13:30
1 security issue in bookworm (severity: high)

There is 1 open security issue in bookworm.

1 important issue:
  • CVE-2022-24795: yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32-bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64-bit platforms; however, this does not preclude this issue triggering on 32-bit builds on which `size_t` is a 32-bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.
Created: 2022-04-09 Last update: 2022-04-21 13:30
version in VCS is newer than in repository, is it time to upload? (severity: normal)
vcswatch reports that this package seems to have a new changelog entry (version 1.4.1-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:
commit 0558bddd350903a627cd79e0eb6e7ec653960c2b
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Thu Sep 9 17:24:54 2021 +0000

    Update standards version to 4.5.1, no changes needed.
    
    Changes-By: lintian-brush
    Fixes: lintian: out-of-date-standards-version
    See-also: https://lintian.debian.org/tags/out-of-date-standards-version.html

commit 3d752f23786ddaa580d16966bc2b80d8ccf3433b
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Wed Aug 18 09:05:55 2021 +0000

    Remove constraints unnecessary since buster
    
    * Build-Depends: Drop versioned constraint on gem2deb.
    
    Changes-By: deb-scrub-obsolete

commit 355fd91841f5a78df9a441bef57ff8a99b800985
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Fri Nov 6 18:12:37 2020 +0000

    Update watch file format version to 4.
    
    Changes-By: lintian-brush
Created: 2020-12-24 Last update: 2022-05-15 01:06
1 low-priority security issue in buster (severity: low)

There is 1 open security issue in buster.

1 issue left for the package maintainer to handle:
  • CVE-2022-24795: (needs triaging) yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32-bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64-bit platforms; however, this does not preclude this issue triggering on 32-bit builds on which `size_t` is a 32-bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.

You can find information about how to handle this issue in the security team's documentation.

Created: 2022-04-09 Last update: 2022-04-21 13:30
1 low-priority security issue in bullseye (severity: low)

There is 1 open security issue in bullseye.

1 issue left for the package maintainer to handle:
  • CVE-2022-24795: (needs triaging) yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32-bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64-bit platforms; however, this does not preclude this issue triggering on 32-bit builds on which `size_t` is a 32-bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.

You can find information about how to handle this issue in the security team's documentation.

Created: 2022-04-09 Last update: 2022-04-21 13:30
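The wrap described in the CVE-2022-24795 entries above (sid, bookworm, buster and bullseye) reduced to its arithmetic, as an added example that is not yajl's or yajl-ruby's own code: the grow-by-doubling loop is modelled with 32-bit counters, beside a hardened variant that refuses to grow instead of wrapping. Function names, the `uint32_t` model of the 32-bit build and the sample buffer state are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Counters are modelled as uint32_t: the 32-bit build the CVE text refers to
 * (unsigned int in the 1.x branch, size_t on a 32-bit platform in 2.x).
 * Function names are this example's own, not yajl's. */

/* Grow-by-doubling with no overflow check. `len` is the current capacity,
 * `used` the bytes already stored, `want` the bytes about to be appended.
 * Returns the capacity that would be handed to realloc(). */
uint32_t grow_unchecked(uint32_t len, uint32_t used, uint32_t want)
{
    uint32_t need = len;
    while (want >= need - used)
        need <<= 1;             /* 0x80000000 << 1 wraps to 0 */
    /* A wrapped `need` of 0 leaves the loop because 0 - used is huge, so the
     * caller reallocates to 0 bytes and then copies `want` bytes into it. */
    return need;
}

/* Hardened variant: fail instead of wrapping. Returns false when the request
 * cannot be satisfied; *out is written only on success. */
bool grow_checked(uint32_t len, uint32_t used, uint32_t want, uint32_t *out)
{
    uint32_t need = len;
    if (len == 0 || used > len || want > UINT32_MAX - used)
        return false;           /* inconsistent state, or used + want overflows */
    while (want >= need - used) {
        if (need > UINT32_MAX / 2)
            return false;       /* doubling would wrap past 4 GiB */
        need <<= 1;
    }
    *out = need;
    return true;
}

int main(void)
{
    /* Constructed state near the 2 GiB boundary: 2 GiB capacity, almost
     * full, 32 more bytes requested. */
    uint32_t len = 0x80000000u, used = 0x7FFFFFF0u, want = 0x20u, out = 0;
    printf("unchecked: realloc to %u bytes\n", grow_unchecked(len, used, want));
    printf("checked:   %s\n",
           grow_checked(len, used, want, &out) ? "grew" : "refused");
    return 0;
}
```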
Standards version of the package is outdated. (severity: wishlist)
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.6.1 instead of 4.5.0).
Created: 2020-11-17 Last update: 2022-05-11 23:25
news
[rss feed]
  • [2020-10-25] ruby-yajl 1.4.1-1 MIGRATED to testing (Debian testing watch)
  • [2020-10-23] Accepted ruby-yajl 1.4.1-1 (source) into unstable (Abraham Raji) (signed by: Praveen Arimbrathodiyil)
  • [2020-07-19] ruby-yajl 1.3.1-2 MIGRATED to testing (Debian testing watch)
  • [2020-07-16] Accepted ruby-yajl 1.3.1-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2018-02-08] ruby-yajl 1.3.1-1 MIGRATED to testing (Debian testing watch)
  • [2018-02-02] Accepted ruby-yajl 1.3.1-1 (source amd64) into unstable (Lucas Kanashiro)
  • [2017-11-13] ruby-yajl 1.2.0-3.1 MIGRATED to testing (Debian testing watch)
  • [2017-11-08] Accepted ruby-yajl 1.1.0-2+deb7u1 (source amd64) into oldoldstable (Markus Koschany)
  • [2017-11-08] Accepted ruby-yajl 1.2.0-3.1 (source) into unstable (Salvatore Bonaccorso)
  • [2015-07-14] ruby-yajl 1.2.0-3 MIGRATED to testing (Britney)
  • [2015-07-08] Accepted ruby-yajl 1.2.0-3 (source) into unstable (Christian Hofstaedtler)
  • [2014-04-12] ruby-yajl 1.2.0-2 MIGRATED to testing (Debian testing watch)
  • [2014-04-06] Accepted ruby-yajl 1.2.0-2 (source amd64) (Per Andersson)
  • [2013-12-29] ruby-yajl 1.2.0-1 MIGRATED to testing (Debian testing watch)
  • [2013-12-19] Accepted ruby-yajl 1.2.0-1 (source amd64) (Cédric Boutillier)
  • [2013-04-23] ruby-yajl 1.1.0-2 MIGRATED to testing (Debian testing watch)
  • [2013-04-12] Accepted ruby-yajl 1.1.0-2 (source amd64) (Tollef Fog Heen)
  • [2012-07-06] ruby-yajl 1.1.0-1 MIGRATED to testing (Debian testing watch)
  • [2012-06-25] Accepted ruby-yajl 1.1.0-1 (source amd64) (Per Andersson) (signed by: Vincent Fourmond)
  • [2011-10-08] ruby-yajl 1.0.0-1 MIGRATED to testing (Debian testing watch)
  • [2011-09-27] Accepted ruby-yajl 1.0.0-1 (source amd64) (Praveen Arimbrathodiyil)
  • [2011-09-18] ruby-yajl 0.8.3-2 MIGRATED to testing (Debian testing watch)
  • [2011-09-07] Accepted ruby-yajl 0.8.3-2 (source amd64) (Antonio Terceiro)
  • [2011-09-06] Accepted ruby-yajl 0.8.3-1 (source amd64) (Praveen Arimbrathodiyil)
bugs [bug history graph]
  • all: 2
  • RC: 0
  • I&N: 1
  • M&W: 1
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian
  • buildd: logs, clang, reproducibility, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 1.4.1-1build2

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers