CVE-2017-16516

NameCVE-2017-16516
DescriptionIn the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results in the whole ruby process terminating and potentially a denial of service.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1167-1, DLA-3492-1, DLA-3516-1, ELA-892-1
Debian Bugs880691, 1040036, 1040146, 1040161

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
argyll (PTS)jessie1.6.3-4vulnerable
burp (PTS)jessie1.3.48-4.1fixed
stretch2.0.54-1vulnerable
buster (security), buster, buster (lts)2.1.32-2+deb10u1fixed
bullseye2.2.18-8vulnerable
bookworm3.1.4-1vulnerable
sid, trixie3.1.4-3.1fixed
collada2gltf (PTS)stretch20140924-4vulnerable
epics-base (PTS)bookworm7.0.3.1-4fixed
sid, trixie7.0.8.1+dfsg1-6fixed
r-cran-jsonlite (PTS)stretch1.2-1vulnerable
buster1.6+dfsg-1vulnerable
bullseye1.7.2+dfsg-1vulnerable
bookworm1.8.4+dfsg-1vulnerable
sid, trixie1.8.9+dfsg-1fixed
ruby-yajl (PTS)jessie1.2.0-2vulnerable
stretch1.2.0-3vulnerable
buster1.3.1-1fixed
bullseye1.4.1-1fixed
sid, trixie, bookworm1.4.3-1fixed
whitedb (PTS)jessie0.7.2-1vulnerable
stretch0.7.3-2vulnerable
xqilla (PTS)jessie2.3.0-2vulnerable
stretch2.3.3-2vulnerable
buster, bullseye2.3.4-1fixed
yajl (PTS)jessie, jessie (lts)2.1.0-2+deb8u2fixed
stretch (lts), stretch2.1.0-2+deb9u2fixed
buster (security), buster, buster (lts)2.1.0-3+deb10u2fixed
bullseye2.1.0-3+deb11u2fixed
bookworm2.1.0-3+deb12u2fixed
sid, trixie2.1.0-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
argyllsourcejessie(unfixed)end-of-life
burpsourcejessie(not affected)
burpsourcebuster2.1.32-2+deb10u1DLA-3516-1
burpsource(unstable)3.1.4-21040146
collada2gltfsourcestretch(unfixed)end-of-life
epics-basesource(unstable)(not affected)
r-cran-jsonlitesource(unstable)1.8.8+dfsg-11040161
ruby-yajlsourcewheezy1.1.0-2+deb7u1DLA-1167-1
ruby-yajlsource(unstable)1.2.0-3.1low880691
whitedbsourcejessie(unfixed)end-of-life
whitedbsourcestretch(unfixed)end-of-life
xqillasourcejessie(unfixed)end-of-life
xqillasourcestretch(unfixed)end-of-life
xqillasource(unstable)(not affected)
yajlsourcejessie2.1.0-2+deb8u2ELA-892-1
yajlsourcestretch2.1.0-2+deb9u2ELA-892-1
yajlsourcebuster2.1.0-3+deb10u2DLA-3492-1
yajlsourcebullseye2.1.0-3+deb11u2
yajlsourcebookworm2.1.0-3+deb12u2
yajlsource(unstable)2.1.0-41040036

Notes

[stretch] - ruby-yajl <no-dsa> (Minor issue)
[jessie] - ruby-yajl <no-dsa> (Minor issue)
[bookworm] - burp <no-dsa> (Minor issue)
[bullseye] - burp <no-dsa> (Minor issue)
- epics-base <not-affected> (Forked parser not affected, #1040159)
[bookworm] - r-cran-jsonlite <no-dsa> (Minor issue)
[bullseye] - r-cran-jsonlite <no-dsa> (Minor issue)
[buster] - r-cran-jsonlite <no-dsa> (Minor issue)
- xqilla <not-affected> (Vulnerable code not present; embeds not-affected ancient yajl version)
xqilla's embedded yajl is ancient (around 0.2.2), not having the vulnerable code
https://github.com/brianmario/yajl-ruby/issues/176
https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
burp fix: https://github.com/grke/burp/commit/5ce44cdf7018767b53a4c5466c62e4dc99d0bc93
epics-base: https://github.com/epics-base/epics-base/issues/405
r-cran-jsonlite: https://github.com/jeroen/jsonlite/issues/431
r-cran-jsonlite: https://github.com/jeroen/jsonlite/commit/ce9520f888c2339b48565fcc5ffecc85091e589e (v1.8.8)
[stretch] - burp <postponed> (Minor issue, DoS / clean crash)
[jessie] - burp <not-affected> (yajl not embedded before stretch)
[stretch] - r-cran-jsonlite <no-dsa> (Minor issue)
[jessie] - r-cran-jsonlite <no-dsa> (Minor issue)
Search for package or bug name: Reporting problems