From 2048486461deb12ded6a978cab56f493b9ed27a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Fri, 28 Jul 2023 11:28:06 +0200 Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 libyajl revision 4e0990556511a0e72b17594882a13799 --- .gitattributes | 23 +++++ 2.1.0.tar.gz | 3 + baselibs.conf | 4 + json_reformat.1 | 22 ++++ json_verify.1 | 25 +++++ libyajl-CVE-2022-24795.patch | 36 +++++++ libyajl-CVE-2023-33460.patch | 27 +++++ libyajl-lib_suffix.patch | 13 +++ libyajl-optflags.patch | 13 +++ libyajl-pkgconfig.patch | 10 ++ libyajl-rpmlintrc | 4 + libyajl.changes | 191 +++++++++++++++++++++++++++++++++++ libyajl.spec | 136 +++++++++++++++++++++++++ 13 files changed, 507 insertions(+) create mode 100644 .gitattributes create mode 100644 2.1.0.tar.gz create mode 100644 baselibs.conf create mode 100644 json_reformat.1 create mode 100644 json_verify.1 create mode 100644 libyajl-CVE-2022-24795.patch create mode 100644 libyajl-CVE-2023-33460.patch create mode 100644 libyajl-lib_suffix.patch create mode 100644 libyajl-optflags.patch create mode 100644 libyajl-pkgconfig.patch create mode 100644 libyajl-rpmlintrc create mode 100644 libyajl.changes create mode 100644 libyajl.spec diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..fecc750 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/2.1.0.tar.gz b/2.1.0.tar.gz
new file mode 100644
index 0000000..87a0904
--- /dev/null
+++ b/2.1.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3fb73364a5a30efe615046d07e6db9d09fd2b41c763c5f7d3bfb121cd5c5ac5a
+size 83997
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..9c187b5
--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1,4 @@
+libyajl2
+libyajl-devel
+ requires -libyajl-
+ requires "libyajl2- = "
diff --git a/json_reformat.1 b/json_reformat.1
new file mode 100644
index 0000000..5046435
--- /dev/null
+++ b/json_reformat.1
@@ -0,0 +1,22 @@
+.TH json_reformat 1
+.SH NAME
+json_reformat \- Reformat json from stdin
+.SH SYNOPSIS
+.B json_reformat
+[
+.I OPTION
+]
+.SH "DESCRIPTION"
+A sample program to demonstrate the use of yajl. json_reformat reformats json from stdin.
+.SH OPTIONS
+.TP
+.B \-m
+minimize json rather than beautify (default)
+.TP
+.B \-u
+allow invalid UTF8 inside strings during parsing
+.BR
+.SH AUTHORS
+ Lloyd Hilaiel
+
+
diff --git a/json_verify.1 b/json_verify.1
new file mode 100644
index 0000000..10a44eb
--- /dev/null
+++ b/json_verify.1
@@ -0,0 +1,25 @@
+.TH json_verify 1
+.SH NAME
+json_verify \- Validate json from stdin
+.SH SYNOPSIS
+.B json_verify
+[
+.I OPTION
+]
+.SH "DESCRIPTION"
+A sample program to demonstrate the use of yajl. json_verify validates json from stdin.
+.SH OPTIONS
+.TP
+.B \-q
+quiet mode
+.TP
+.B \-c
+allow comments
+.TP
+.B \-u
+allow invalid utf8 inside strings
+.BR
+.SH AUTHORS
+ Lloyd Hilaiel
+
+
diff --git a/libyajl-CVE-2022-24795.patch b/libyajl-CVE-2022-24795.patch
new file mode 100644
index 0000000..3fb9177
--- /dev/null
+++ b/libyajl-CVE-2022-24795.patch
@@ -0,0 +1,36 @@ +From d3a528c788ba9e531fab91db41d3a833c54da325 Mon Sep 17 00:00:00 2001 +From: Jacek Tomasiak +Date: Thu, 12 May 2022 13:02:47 +0200 +Subject: [PATCH] Fix CVE-2022-24795 (from brianmario/yajl-ruby) + +The buffer reallocation could cause heap corruption because of `need` +overflow for large inputs. In addition, there's a possible infinite loop +in case `need` reaches zero. + +The fix is to `abort()` if the loop ends with lower value of `need` than +when it started. +--- + src/yajl_buf.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +Index: yajl-2.1.0/src/yajl_buf.c +=================================================================== +--- yajl-2.1.0.orig/src/yajl_buf.c ++++ yajl-2.1.0/src/yajl_buf.c +@@ -45,7 +45,15 @@ void yajl_buf_ensure_available(yajl_buf + + need = buf->len; + +- while (want >= (need - buf->used)) need <<= 1; ++ while (need > 0 && want >= (need - buf->used)) { ++ /* this eventually "overflows" to zero */ ++ need <<= 1; ++ } ++ ++ /* overflow */ ++ if (need < buf->len) { ++ abort(); ++ } + + if (need != buf->len) { + buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need); diff --git a/libyajl-CVE-2023-33460.patch b/libyajl-CVE-2023-33460.patch new file mode 100644 index 0000000..54fb01e --- /dev/null +++ b/libyajl-CVE-2023-33460.patch 
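Review bot: The new guard `if (need < buf->len) { abort(); }` converts the former heap corruption into a deliberate process abort, which is the right trade-off but is now a remotely triggerable crash for any service that feeds untrusted JSON into yajl; add a comment on that line saying so, e.g. `/* size_t wrapped while doubling: refuse rather than corrupt the heap; callers that must stay up should bound input size before parsing */`. The guard also does not cover `buf->len == 0`: then `need` starts at 0, the `need > 0` condition skips the loop, neither the overflow check nor the `need != buf->len` realloc fires, and the function returns without making room for `want` bytes — I cannot see yajl_buf_init from here, so confirm `len` can never be 0 on this path, or tighten the check to `if (need == 0 || need < buf->len)`. `abort()` needs `<stdlib.h>` and the hunk adds no include, so confirm yajl_buf.c already pulls it in. yajl_buf_ensure_available starts and ends outside the hunk.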
@@ -0,0 +1,27 @@ +From c5597ea8483116d4f4cd104b8c3d641e4d4385fa Mon Sep 17 00:00:00 2001 +From: Jim Fehlig +Date: Fri, 7 Jul 2023 15:21:21 -0600 +Subject: [PATCH] Fix for CVE-2023-33460 + +Fix memory leak in yajl_tree_parse function +--- + src/yajl_tree.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +Index: yajl-2.1.0/src/yajl_tree.c +=================================================================== +--- yajl-2.1.0.orig/src/yajl_tree.c ++++ yajl-2.1.0/src/yajl_tree.c +@@ -445,6 +445,12 @@ yajl_val yajl_tree_parse (const char *in + YA_FREE(&(handle->alloc), internal_err_str); + } + yajl_free (handle); ++ /* ++ * If the requested memory is not released in time, it will cause ++ * memory leakage ++ */ ++ if(ctx.root) ++ yajl_tree_free(ctx.root); + return NULL; + } + diff --git a/libyajl-lib_suffix.patch b/libyajl-lib_suffix.patch new file mode 100644 index 0000000..9468d2f --- /dev/null +++ b/libyajl-lib_suffix.patch @@ -0,0 +1,13 @@ +Index: yajl-2.1.0/src/CMakeLists.txt +=================================================================== +--- yajl-2.1.0.orig/src/CMakeLists.txt ++++ yajl-2.1.0/src/CMakeLists.txt +@@ -28,7 +28,7 @@ SET (PUB_HDRS api/yajl_parse.h api/yajl_ + ADD_DEFINITIONS(-DYAJL_BUILD) + + # set up some paths +-SET (libDir ${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/lib) ++SET (libDir ${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/${LIB_SUFFIX}) + SET (incDir ${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/include/yajl) + SET (shareDir ${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/share/pkgconfig) + diff --git a/libyajl-optflags.patch b/libyajl-optflags.patch new file mode 100644 index 0000000..898f87b --- /dev/null +++ b/libyajl-optflags.patch 
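Review bot: The added `if(ctx.root) yajl_tree_free(ctx.root);` only releases a value that has already been attached as the document root; when the parse fails while a container is still open, the partially built value appears, as far as the hunk lets me tell, to still be referenced from `ctx.stack` rather than `ctx.root`, so confirm whether this error path also has to pop and free whatever remains on the stack, otherwise the leak is only partly closed. The comment `If the requested memory is not released in time, it will cause memory leakage` names neither which memory nor why; replace it with `/* a value may already be attached to ctx.root when parsing fails; free it so the error return does not leak the partial tree (CVE-2023-33460) */`. Since the function returns NULL immediately afterwards there is no dangling ctx.root to worry about here. yajl_tree_parse starts outside the hunk.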
@@ -0,0 +1,13 @@ +Index: yajl-2.1.0/CMakeLists.txt +=================================================================== +--- yajl-2.1.0.orig/CMakeLists.txt ++++ yajl-2.1.0/CMakeLists.txt +@@ -59,7 +59,7 @@ ELSE (WIN32) + "${CMAKE_C_FLAGS} -std=c99 -pedantic -Wpointer-arith -Wno-format-y2k -Wstrict-prototypes -Wmissing-declarations -Wnested-externs -Wextra -Wundef -Wwrite-strings -Wold-style-definition -Wredundant-decls -Wno-unused-parameter -Wno-sign-compare -Wmissing-prototypes") + + SET(CMAKE_C_FLAGS_DEBUG "-DDEBUG -g") +- SET(CMAKE_C_FLAGS_RELEASE "-DNDEBUG -O2 -Wuninitialized") ++ SET(CMAKE_C_FLAGS_RELEASE "$ENV{OPTFLAGS} -Wuninitialized") + ENDIF (WIN32) + + diff --git a/libyajl-pkgconfig.patch b/libyajl-pkgconfig.patch new file mode 100644 index 0000000..3518cb1 --- /dev/null +++ b/libyajl-pkgconfig.patch @@ -0,0 +1,10 @@ +Index: yajl-2.1.0/src/CMakeLists.txt +=================================================================== +--- yajl-2.1.0.orig/src/CMakeLists.txt ++++ yajl-2.1.0/src/CMakeLists.txt +@@ -84,4 +84,4 @@ INSTALL(TARGETS yajl + INSTALL(TARGETS yajl_s ARCHIVE DESTINATION lib${LIB_SUFFIX}) + INSTALL(FILES ${PUB_HDRS} DESTINATION include/yajl) + INSTALL(FILES ${incDir}/yajl_version.h DESTINATION include/yajl) +-INSTALL(FILES ${shareDir}/yajl.pc DESTINATION share/pkgconfig) ++INSTALL(FILES ${shareDir}/yajl.pc DESTINATION lib${LIB_SUFFIX}/pkgconfig) diff --git a/libyajl-rpmlintrc b/libyajl-rpmlintrc new file mode 100644 index 0000000..f978e1d --- /dev/null +++ b/libyajl-rpmlintrc @@ -0,0 +1,4 @@ +addFilter("no-dependency-on libyajl/libyajl-libs/liblibyajl") +addFilter("libyajl-devel-static..*: W: shlib-policy-missing-lib") +addFilter("no-manual-page-for-binary .*") +addFilter("macro-in-comment .*") diff --git a/libyajl.changes b/libyajl.changes new file mode 100644 index 0000000..0bc9381 --- /dev/null +++ b/libyajl.changes 
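Review bot: The replacement `SET(CMAKE_C_FLAGS_RELEASE "$ENV{OPTFLAGS} -Wuninitialized")` drops `-DNDEBUG` along with `-O2`, so a Release build of the patched tree keeps `assert()` active unless OPTFLAGS happens to supply that define; if that is intended (a hard abort on a violated internal invariant rather than continuing on corrupt state) say so in the patch, and if not, keep `-DNDEBUG` in the line. The line also degrades silently to an unoptimized, unhardened build whenever OPTFLAGS is unset outside the distribution build environment; a check such as `IF(NOT DEFINED ENV{OPTFLAGS}) MESSAGE(WARNING "OPTFLAGS unset, release flags are empty") ENDIF()` next to it would make that visible. Unlike the two CVE patches this file has no description header; a one-line `Take release flags from the distribution's OPTFLAGS so its optimisation and hardening flags reach the build` would explain its purpose.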
@@ -0,0 +1,191 @@ +------------------------------------------------------------------- +Fri Jul 7 21:27:27 UTC 2023 - James Fehlig + +- add libyajl-CVE-2023-33460.patch (CVE-2023-33460, bsc#1212928) + +------------------------------------------------------------------- +Mon May 22 21:27:50 UTC 2023 - Jiri Srain + +- update the upstream source URL + +------------------------------------------------------------------- +Fri May 13 10:24:20 UTC 2022 - Jacek Tomasiak + +- add libyajl-CVE-2022-24795.patch (CVE-2022-24795, bsc#1198405) + +------------------------------------------------------------------- +Fri Aug 2 08:00:08 UTC 2019 - Martin Liška + +- Use FAT LTO objects in order to provide proper static library. + +------------------------------------------------------------------- +Mon Mar 25 16:58:41 UTC 2019 - olaf@aepfle.de + +- Install pkgconfig into libdir instead of datadir with libyajl-pkgconfig.patch +- Use autosetup and cmake_build macro +- Rename macro soname to sover + +------------------------------------------------------------------- +Tue Mar 27 11:44:33 CEST 2018 - kukuk@suse.de + +- Use %license instead of %doc [bsc#1082318] +- Move other docu to -devel package where it better fits + +------------------------------------------------------------------- +Sun Apr 26 13:12:49 UTC 2015 - mpluskal@suse.com + +- Use correct url for download +- Add dependency on doxygen for doc generation +- Cleanup spec file with spec-clener + +------------------------------------------------------------------- +Wed Nov 05 12:00:00 UTC 2014 - ku.b@gmx.de + +- update to 2.1.0 +- 2.1.0 + - @nonodename, @patperry - fixed some compiler warnings + - @yep, @emaste - documentation improvements + - @sgravrock - build fix for NetBSD (and whenever sh != bash) + - @rotty, @brimstone3, @lloyd - allow client to reset generator + - @sgravrock - remove bash dependencies + - @lloyd - add api tests + - @rflynn - remove ruby dependency + - @cloderic - nmake install works on windows + - 
@shahbag - build fix for qnx + - @breese - debugging improvements + - @lloyd - json_verify supports -s flag for stream processing + - @lloyd - json_reformat supports -s flag for stream processing +- 2.0.4 + - @jcekstrom - additional checking in integer parsing + - @jcekstrom - fix a bug in yajl_tree that would cause valid json integersto fail to parse + - @plaguemorin - fix a memory leak in yajl_tree (error strings were being leaked) + - @7AC - reset errno + - @ConradIrwin - include flags to reformatter to allow toggling of escape solidus option +- 2.0.3 + - John Stamp generation of a pkgconfig file at build time. + - @robzuber bugfix in yajl_tree_get() + - @lloyd - fix for compilation on 64 bit windows +- 2.0.2 + - lth fix typos in yajl_tree.h macros YAJL_IS_INTEGER and YAJL_IS_DOUBLE, + contributed by Artem S Vybornov. + - lth add #ifdef __cplusplus wrappers to yajl_tree to allow proper + usage from many populer C++ compilers. +- fix array access + +------------------------------------------------------------------- +Sun Jan 29 21:47:14 UTC 2012 - jengelh@medozas.de + +- Remove redundant tags/sections per specfile guideline suggestions + +------------------------------------------------------------------- +Fri Sep 16 17:21:42 UTC 2011 - jengelh@medozas.de + +- Add libyajl-devel to baselibs + +------------------------------------------------------------------- +Tue Aug 16 16:38:57 UTC 2011 - mrueckert@suse.de + +- bump baselibs.conf + +------------------------------------------------------------------- +Fri Aug 12 11:09:08 UTC 2011 - mrueckert@suse.de + +- update to 2.0.1 + - lth generator flag to allow client to specify they want escaped + solidi '/'. issue #28 + - lth crash fix when yajl_parse() is never called. 
issue #27 +- additional changes from 2.0.0 + - lth YAJL is now ISC licensed: + http://en.wikipedia.org/wiki/ISC_license + - lth 20-35% (osx and linux respectively) parsing performance + improvement attained by tweaking string scanning (idea: + @michaelrhanson). + - Florian Forster & lth - yajl_tree interface introduced as a + higher level interface to the parser (eats JSON, poops a memory + representation) + - lth require a C99 compiler + - lth integers are now represented with long long (64bit+) on all + platforms. + - lth size_t now used throughout to represent buffer lengths, so + you can safely manage buffers greater than 4GB. + - gno semantic improvements to yajl's API regarding partial value + parsing and trailing garbage + - lth new configuration mechanism for yajl, see yajl_config() and + yajl_gen_config() + - gno more allocation checking in more places + - gno remove usage of strtol, replace with custom implementation + that cares not about your locale. + - lth yajl_parse_complete renamed to yajl_complete_parse. + - lth add a switch to validate utf8 strings as they are + generated. + - lth tests are a lot quieter in their output. + - lth addition of a little in tree performance benchmark, + `perftest` in perf/perftest.c +- additional changes from 1.0.12 + - Conrad Irwin - Parse null bytes correctly + - Mirek Rusin - fix LLVM warnings + - gno - Don't generate numbers for keys. closes #13 + - lth - various win32 fixes, including build documentation + improvements + - John Stamp - Don't export private symbols. + - John Stamp - Install yajl_version.h, not the template. + - John Stamp - Don't use -fPIC for static lib. Cmake will + automatically add it for the shared. + - lth 0 fix paths embedded in dylib upon installation on osx. 
+ closes #11 +- refreshed optflags patch + +------------------------------------------------------------------- +Wed Jun 1 22:33:07 MDT 2011 - jfehlig@novell.com + +- Add man pages for json_{reformat,verify} + +------------------------------------------------------------------- +Wed Apr 13 10:43:49 MDT 2011 - jfehlig@novell.com + +- Add filters to rpmlintrc +- spec file: Document githash usage in tarbal name + +------------------------------------------------------------------- +Wed Apr 13 10:43:49 MDT 2011 - jfehlig@novell.com + +- Add filters to rpmlintrc +- spec file: Document githash usage in tarbal name + +------------------------------------------------------------------- +Fri Apr 8 20:43:36 UTC 2011 - coolo@novell.com + +- add baselibs.conf for 32bit library support + +------------------------------------------------------------------- +Wed Feb 9 19:03:53 UTC 2011 - pascal.bleser@opensuse.org + +- revert last change, it is BSD3c indeed, and totally unrelated to + bnc#670525 + +------------------------------------------------------------------- +Wed Feb 9 18:57:38 UTC 2011 - pascal.bleser@opensuse.org + +- fix license, changed from erroneous BSD3c to MIT, as stated on + http://pyyaml.org/wiki/LibYAML, sort of fixes bnc#670525 + +------------------------------------------------------------------- +Tue Dec 21 23:02:41 UTC 2010 - pascal.bleser@opensuse.org + +- merge yajl package from darix: + * lib -> LIBDIR patch + * -devel-static subpackage + +------------------------------------------------------------------- +Wed Dec 1 21:38:19 UTC 2010 - pascal.bleser@opensuse.org + +- update to 1.0.11: no user-visible changes + +- changes from 1.0.10: + * yajl version number now programatically accessible + +------------------------------------------------------------------- +Mon Jul 12 19:11:08 UTC 2010 - pascal.bleser@opensuse.org + +- initial package (1.0.9) + diff --git a/libyajl.spec b/libyajl.spec new file mode 100644 index 0000000..d831d13 --- /dev/null 
+++ b/libyajl.spec 
@@ -0,0 +1,136 @@
+#
+# spec file for package libyajl
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define sover 2
+Name: libyajl
+Version: 2.1.0
+Release: 0
+Summary: Yet Another JSON Library
+License: ISC
+Group: System/Libraries
+URL: http://lloyd.github.com/yajl/
+Source0: https://github.com/lloyd/yajl/archive/refs/tags/%{version}.tar.gz
+Source1: baselibs.conf
+Source2: json_reformat.1
+Source3: json_verify.1
+Source99: %{name}-rpmlintrc
+Patch1: libyajl-optflags.patch
+Patch2: libyajl-lib_suffix.patch
+Patch3: libyajl-pkgconfig.patch
+Patch4: libyajl-CVE-2022-24795.patch
+Patch5: libyajl-CVE-2023-33460.patch
+BuildRequires: bison
+BuildRequires: cmake
+BuildRequires: doxygen
+BuildRequires: flex
+BuildRequires: gcc-c++
+BuildRequires: pkg-config
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+
+%description
+YAJL is a small event-driven (SAX-style) JSON parser written in ANSI C, and a
+small validating JSON generator.
+
+%package -n %{name}%{sover}
+Summary: Yet Another JSON Library
+Group: System/Libraries
+
+%description -n %{name}%{sover}
+YAJL is a small event-driven (SAX-style) JSON parser written in ANSI C, and a
+small validating JSON generator.
+
+%package -n %{name}-devel
+Summary: Yet Another JSON Library (Development Environment)
+Group: Development/Libraries/C and C++
+Requires: %{name}%{sover} = %{version}
+
+%description -n %{name}-devel
+YAJL is a small event-driven (SAX-style) JSON parser written in ANSI C, and a
+small validating JSON generator.
+
+This package provides the necessary environment for compiling and linking
+against %{name}.
+
+%package -n %{name}-devel-static
+Summary: Yet Another JSON Library (Static Library)
+Group: Development/Libraries/C and C++
+Requires: %{name}-devel = %{version}
+
+%description -n %{name}-devel-static
+YAJL is a small event-driven (SAX-style) JSON parser written in ANSI C, and a
+small validating JSON generator.
+
+This package provides the necessary environment for linking statically
+against %{name}.
+
+%package -n yajl
+Summary: Yet Another JSON Library Tools
+Group: Productivity/Text/Utilities
+Requires: %{name}%{sover} = %{version}
+
+%description -n yajl
+YAJL is a small event-driven (SAX-style) JSON parser written in ANSI C, and a
+small validating JSON generator.
+
+This package provides a few command-line utilities for processing JSON files.
+
+%prep
+%autosetup -p1 -n yajl-%{version}
+
+%build
+%global _lto_cflags %{_lto_cflags} -ffat-lto-objects
+%cmake
+%cmake_build
+
+%install
+%cmake_install
+install -d -m 0755 %{buildroot}%{_mandir}/man1
+install -m644 %{SOURCE2} %{SOURCE3} %{buildroot}/%{_mandir}/man1
+
+%check
+make %{?_smp_mflags} test
+
+%post -n %{name}%{sover} -p /sbin/ldconfig
+
+%postun -n %{name}%{sover} -p /sbin/ldconfig
+
+%files -n %{name}%{sover}
+%defattr(-,root,root)
+%license COPYING
+%{_libdir}/libyajl.so.%{sover}
+%{_libdir}/libyajl.so.%{sover}.*
+
+%files -n %{name}-devel
+%defattr(-,root,root)
+%doc README TODO
+%{_includedir}/yajl
+%{_libdir}/libyajl.so
+%{_libdir}/pkgconfig/yajl.pc
+
+%files -n %{name}-devel-static
+%defattr(-,root,root)
+%{_libdir}/libyajl_s.a
+
+%files -n yajl
+%defattr(-,root,root)
+%{_mandir}/man1/json_reformat.1*
+%{_mandir}/man1/json_verify.1*
+%{_bindir}/json_reformat
+%{_bindir}/json_verify
+
+%changelog
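Review bot: `%check` runs `make %{?_smp_mflags} test` from the section's default working directory, while the build goes through `%cmake`/`%cmake_build`, which on current openSUSE macros configure out of tree in `build`; if that is the case here the tests are not exercising the freshly built, CVE-patched library at all (a missing Makefile fails the build, a stale in-tree one tests the wrong object), so use `%ctest` there, or at least `make -C build test`. `Patch4`/`Patch5` carry the two security fixes but nothing in the spec records their origin or bug reference; the usual `# PATCH-FIX-UPSTREAM libyajl-CVE-2022-24795.patch bsc#1198405 -- size_t overflow in yajl_buf_ensure_available` comment above each Patch line keeps that provenance visible to anyone auditing the package. `BuildRoot:` and the four `%defattr(-,root,root)` lines are no-ops on current rpm and can be dropped, and `%{buildroot}/%{_mandir}` in the second install line should match the `%{buildroot}%{_mandir}` form used on the line above it.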