libraries/yajl: Added patches from fedora, changed maintainer.

Signed-off-by: Matteo Bernardini <ponce@slackbuilds.org> Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
author: Matteo Bernardini <ponce@slackbuilds.org> 2023-08-06 17:06:13 +0200
committer: Willy Sudiarto Raharjo <willysr@slackbuilds.org> 2023-08-12 08:30:00 +0700
commit: 0c7388609d64c77c5493314612b1df42b573cf60 (patch)
tree: c70199250a1005f033c467ec7df4104f9026a587 /libraries
parent: 7846ec4d6567e2c44450c4bdeaed78ba4a736f53 (diff)
10 files changed, 348 insertions, 5 deletions
diff --git a/libraries/yajl/patches/0001-pkg-config-file-should-be-in-lib-dir-not-shared-data.patch b/libraries/yajl/patches/0001-pkg-config-file-should-be-in-lib-dir-not-shared-data.patch
new file mode 100644
index 0000000000000..5ac6d63e49441
--- /dev/null
+++ b/libraries/yajl/patches/0001-pkg-config-file-should-be-in-lib-dir-not-shared-data.patch
@@ -0,0 +1,44 @@
+From a319e9c853d787a9033e14436a5a80381e954a26 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 10 Jul 2023 13:42:30 +0100
+Subject: [PATCH 1/8] pkg-config file should be in lib dir, not shared data dir
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ src/CMakeLists.txt | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
+index 99cf9e9..789ddf9 100644
+--- a/src/CMakeLists.txt
++++ b/src/CMakeLists.txt
+@@ -30,7 +30,7 @@ ADD_DEFINITIONS(-DYAJL_BUILD)
+ # set up some paths
+ SET (libDir ${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/lib)
+ SET (incDir ${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/include/yajl)
+-SET (shareDir ${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/share/pkgconfig)
++SET (pkgconfigDir ${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/lib${LIB_SUFFIX}/pkgconfig)
+ 
+ # set the output path for libraries
+ SET(LIBRARY_OUTPUT_PATH ${libDir})
+@@ -61,7 +61,7 @@ FILE(MAKE_DIRECTORY ${incDir})
+ # generate build-time source
+ SET(dollar $)
+ CONFIGURE_FILE(api/yajl_version.h.cmake ${incDir}/yajl_version.h)
+-CONFIGURE_FILE(yajl.pc.cmake ${shareDir}/yajl.pc)
++CONFIGURE_FILE(yajl.pc.cmake ${pkgconfigDir}/yajl.pc)
+ 
+ # copy public headers to output directory
+ FOREACH (header ${PUB_HDRS})
+@@ -84,4 +84,4 @@ INSTALL(TARGETS yajl
+ INSTALL(TARGETS yajl_s ARCHIVE DESTINATION lib${LIB_SUFFIX})
+ INSTALL(FILES ${PUB_HDRS} DESTINATION include/yajl)
+ INSTALL(FILES ${incDir}/yajl_version.h DESTINATION include/yajl)
+-INSTALL(FILES ${shareDir}/yajl.pc DESTINATION share/pkgconfig)
++INSTALL(FILES ${pkgconfigDir}/yajl.pc DESTINATION lib${LIB_SUFFIX}/pkgconfig)
+-- 
+2.41.0
+
diff --git a/libraries/yajl/patches/0002-pkg-config-include-dir-should-not-have-the-yajl-suff.patch b/libraries/yajl/patches/0002-pkg-config-include-dir-should-not-have-the-yajl-suff.patch
new file mode 100644
index 0000000000000..b6175b38d4439
--- /dev/null
+++ b/libraries/yajl/patches/0002-pkg-config-include-dir-should-not-have-the-yajl-suff.patch
@@ -0,0 +1,30 @@
+From 0eaa8db35c9e580f27ba0c90d11b173cb1d96687 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 10 Jul 2023 13:43:25 +0100
+Subject: [PATCH 2/8] pkg-config include dir should not have the 'yajl' suffix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Apps use '#include <yajl/yajl.h>' for includes historically.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ src/yajl.pc.cmake | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/yajl.pc.cmake b/src/yajl.pc.cmake
+index 6eaca14..485ded9 100644
+--- a/src/yajl.pc.cmake
++++ b/src/yajl.pc.cmake
+@@ -1,6 +1,6 @@
+ prefix=${CMAKE_INSTALL_PREFIX}
+ libdir=${dollar}{prefix}/lib${LIB_SUFFIX}
+-includedir=${dollar}{prefix}/include/yajl
++includedir=${dollar}{prefix}/include
+ 
+ Name: Yet Another JSON Library
+ Description: A Portable JSON parsing and serialization library in ANSI C
+-- 
+2.41.0
+
diff --git a/libraries/yajl/patches/0003-fix-patch-to-test-files-to-take-account-of-vpath.patch b/libraries/yajl/patches/0003-fix-patch-to-test-files-to-take-account-of-vpath.patch
new file mode 100644
index 0000000000000..8f1d5ab119614
--- /dev/null
+++ b/libraries/yajl/patches/0003-fix-patch-to-test-files-to-take-account-of-vpath.patch
@@ -0,0 +1,49 @@
+From 39b9c104275a5eac498f5d2a92b462d10381a9eb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 10 Jul 2023 13:44:26 +0100
+Subject: [PATCH 3/8] fix patch to test files to take account of vpath
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ test/api/run_tests.sh     | 2 +-
+ test/parsing/run_tests.sh | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/test/api/run_tests.sh b/test/api/run_tests.sh
+index 6655152..88e43fb 100755
+--- a/test/api/run_tests.sh
++++ b/test/api/run_tests.sh
+@@ -5,7 +5,7 @@ echo Running api tests:
+ tests=0
+ passed=0
+ 
+-for file in `ls`; do
++for file in `ls ../../build/test/api`; do
+     [ ! -x $file -o -d $file ] && continue
+     tests=`expr 1 + $tests`
+     printf " test(%s): " $file
+diff --git a/test/parsing/run_tests.sh b/test/parsing/run_tests.sh
+index b37e4dd..ceb2e7a 100755
+--- a/test/parsing/run_tests.sh
++++ b/test/parsing/run_tests.sh
+@@ -16,11 +16,11 @@ fi
+ # find test binary on both platforms.  allow the caller to force a
+ # particular test binary (useful for non-cmake build systems).
+ if [ -z "$testBin" ]; then
+-    testBin="../build/test/parsing/Release/yajl_test.exe"
++    testBin="../../build/test/parsing/Release/yajl_test.exe"
+     if [ ! -x $testBin ] ; then
+-        testBin="../build/test/parsing/Debug/yajl_test.exe"
++        testBin="../../build/test/parsing/Debug/yajl_test.exe"
+         if [ ! -x $testBin ] ; then
+-            testBin="../build/test/parsing/yajl_test"
++            testBin="../../build/test/parsing/yajl_test"
+             if [  ! -x $testBin ] ; then
+                 ${ECHO} "cannot execute test binary: '$testBin'"
+                 exit 1;
+-- 
+2.41.0
+
diff --git a/libraries/yajl/patches/0004-drop-bogus-_s-suffix-from-yajl-dynamic-library.patch b/libraries/yajl/patches/0004-drop-bogus-_s-suffix-from-yajl-dynamic-library.patch
new file mode 100644
index 0000000000000..1c97cc8ee9f17
--- /dev/null
+++ b/libraries/yajl/patches/0004-drop-bogus-_s-suffix-from-yajl-dynamic-library.patch
@@ -0,0 +1,43 @@
+From c98c00d6957601b95f3982f3d9460868469a299e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 10 Jul 2023 13:45:36 +0100
+Subject: [PATCH 4/8] drop bogus '_s' suffix from yajl dynamic library
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ reformatter/CMakeLists.txt | 2 +-
+ verify/CMakeLists.txt      | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/reformatter/CMakeLists.txt b/reformatter/CMakeLists.txt
+index 52a9bee..4b7b3fa 100644
+--- a/reformatter/CMakeLists.txt
++++ b/reformatter/CMakeLists.txt
+@@ -26,7 +26,7 @@ LINK_DIRECTORIES(${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/lib)
+ 
+ ADD_EXECUTABLE(json_reformat ${SRCS})
+ 
+-TARGET_LINK_LIBRARIES(json_reformat yajl_s)
++TARGET_LINK_LIBRARIES(json_reformat yajl)
+ 
+ # In some environments, we must explicitly link libm (like qnx,
+ # thanks @shahbag)
+diff --git a/verify/CMakeLists.txt b/verify/CMakeLists.txt
+index 967fca1..2bceb26 100644
+--- a/verify/CMakeLists.txt
++++ b/verify/CMakeLists.txt
+@@ -26,7 +26,7 @@ LINK_DIRECTORIES(${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/lib)
+ 
+ ADD_EXECUTABLE(json_verify ${SRCS})
+ 
+-TARGET_LINK_LIBRARIES(json_verify yajl_s)
++TARGET_LINK_LIBRARIES(json_verify yajl)
+ 
+ # copy in the binary
+ GET_TARGET_PROPERTY(binPath json_verify LOCATION)
+-- 
+2.41.0
+
diff --git a/libraries/yajl/patches/0005-Fix-for-CVE-2017-16516.patch b/libraries/yajl/patches/0005-Fix-for-CVE-2017-16516.patch
new file mode 100644
index 0000000000000..7d48816341445
--- /dev/null
+++ b/libraries/yajl/patches/0005-Fix-for-CVE-2017-16516.patch
@@ -0,0 +1,43 @@
+From 0b5e73c4321de0ba1d495fdc0967054b2a77931c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 10 Jul 2023 13:36:10 +0100
+Subject: [PATCH 5/8] Fix for CVE-2017-16516
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Description: Fix for CVE-2017-16516
+ Potential buffer overread: A JSON file can cause denial of service.
+Origin: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
+Bug: https://github.com/lloyd/yajl/issues/248
+
+Patch taken from Debian package source
+
+NB, Fedora code can't trigger the reported aborts since it passes the
+-DNDEBUG flag, but pulling the fix for robustness in case a future
+change enables the assert()s.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ src/yajl_encode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/yajl_encode.c b/src/yajl_encode.c
+index fd08258..0d97cc5 100644
+--- a/src/yajl_encode.c
++++ b/src/yajl_encode.c
+@@ -139,8 +139,8 @@ void yajl_string_decode(yajl_buf buf, const unsigned char * str,
+                     end+=3;
+                     /* check if this is a surrogate */
+                     if ((codepoint & 0xFC00) == 0xD800) {
+-                        end++;
+-                        if (str[end] == '\\' && str[end + 1] == 'u') {
++                        if (end + 2 < len && str[end + 1] == '\\' && str[end + 2] == 'u') {
++                            end++;
+                             unsigned int surrogate = 0;
+                             hexToDigit(&surrogate, str + end + 2);
+                             codepoint =
+-- 
+2.41.0
+
diff --git a/libraries/yajl/patches/0006-Fix-CVE-2022-24795.patch b/libraries/yajl/patches/0006-Fix-CVE-2022-24795.patch
new file mode 100644
index 0000000000000..704e884a70e72
--- /dev/null
+++ b/libraries/yajl/patches/0006-Fix-CVE-2022-24795.patch
@@ -0,0 +1,60 @@
+From 17de4d15687aa30c49660dc4b792b1fb4d38b569 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 7 Apr 2022 17:29:54 +0200
+Subject: [PATCH 6/8] Fix CVE-2022-24795
+
+There was an integer overflow in yajl_buf_ensure_available() leading
+to allocating less memory than requested. Then data were written past
+the allocated heap buffer in yajl_buf_append(), the only caller of
+yajl_buf_ensure_available(). Another result of the overflow was an
+infinite loop without a return from yajl_buf_ensure_available().
+
+yajl-ruby project, which bundles yajl, fixed it
+<https://github.com/brianmario/yajl-ruby/pull/211> by checking for the
+integer overflow, fortifying buffer allocations, and report the
+failures to a caller. But then the caller yajl_buf_append() skips
+a memory write if yajl_buf_ensure_available() failed leading to a data
+corruption.
+
+A yajl fork mainter recommended calling memory allocation callbacks with
+the large memory request and let them to handle it. But that has the
+problem that it's not possible pass the overely large size to the
+callbacks.
+
+This patch catches the integer overflow and terminates the process
+with abort().
+
+https://github.com/lloyd/yajl/issues/239
+https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
+(cherry picked from commit 23cea2d7677e396efed78bbf1bf153961fab6bad
+ in https://github.com/ppisar/yajl)
+---
+ src/yajl_buf.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/yajl_buf.c b/src/yajl_buf.c
+index 1aeafde..55c11ad 100644
+--- a/src/yajl_buf.c
++++ b/src/yajl_buf.c
+@@ -45,7 +45,17 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want)
+ 
+     need = buf->len;
+ 
+-    while (want >= (need - buf->used)) need <<= 1;
++    if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) {
++        /* We cannot allocate more memory than SIZE_MAX. */
++        abort();
++    }
++    while (want >= (need - buf->used)) {
++        if (need >= (size_t)((size_t)(-1)<<1)>>1) {
++            /* need would overflow. */
++            abort();
++        }
++        need <<= 1;
++    }
+ 
+     if (need != buf->len) {
+         buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
+-- 
+2.41.0
+
diff --git a/libraries/yajl/patches/0007-yajl-fix-memory-leak-problem.patch b/libraries/yajl/patches/0007-yajl-fix-memory-leak-problem.patch
new file mode 100644
index 0000000000000..0a6be95ab63f2
--- /dev/null
+++ b/libraries/yajl/patches/0007-yajl-fix-memory-leak-problem.patch
@@ -0,0 +1,41 @@
+From c4304a2c04a1b392eb1464a9da892a9e0dff7683 Mon Sep 17 00:00:00 2001
+From: wujing <wujing50@huawei.com>
+Date: Thu, 14 Feb 2019 03:12:30 +0800
+Subject: [PATCH 7/8] yajl: fix memory leak problem
+
+reason: fix memory leak problem
+(cherry picked from commit 3d65cb0c6db4d433e5e42ee7d91d8a04e21337cf
+ in https://github.com/openEuler-BaseService)
+
+Fixes: https://github.com/lloyd/yajl/issues/250  (CVE-2023-33460)
+---
+ src/yajl_tree.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/yajl_tree.c b/src/yajl_tree.c
+index 3d357a3..4b3cf2b 100644
+--- a/src/yajl_tree.c
++++ b/src/yajl_tree.c
+@@ -143,7 +143,7 @@ static yajl_val context_pop(context_t *ctx)
+     ctx->stack = stack->next;
+ 
+     v = stack->value;
+-
++    free (stack->key);
+     free (stack);
+ 
+     return (v);
+@@ -444,6 +444,10 @@ yajl_val yajl_tree_parse (const char *input,
+              snprintf(error_buffer, error_buffer_size, "%s", internal_err_str);
+              YA_FREE(&(handle->alloc), internal_err_str);
+         }
++        while(ctx.stack != NULL) {
++             yajl_val v = context_pop(&ctx);
++             yajl_tree_free(v);
++        }
+         yajl_free (handle);
+         return NULL;
+     }
+-- 
+2.41.0
+
diff --git a/libraries/yajl/patches/0008-fix-memory-leaks.patch b/libraries/yajl/patches/0008-fix-memory-leaks.patch
new file mode 100644
index 0000000000000..cc8e5f7a0116b
--- /dev/null
+++ b/libraries/yajl/patches/0008-fix-memory-leaks.patch
@@ -0,0 +1,30 @@
+From 9cb871049261eeda844b8943d15580763a0ac3d3 Mon Sep 17 00:00:00 2001
+From: "zhang.jiujiu" <282627424@qq.com>
+Date: Tue, 7 Dec 2021 22:37:02 +0800
+Subject: [PATCH 8/8] fix memory leaks
+
+(cherry picked from commit 23a122eddaa28165a6c219000adcc31ff9a8a698
+ in https://github.com/openEuler-BaseService)
+
+Fixes: https://github.com/lloyd/yajl/issues/250  (CVE-2023-33460)
+---
+ src/yajl_tree.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/yajl_tree.c b/src/yajl_tree.c
+index 4b3cf2b..56c7012 100644
+--- a/src/yajl_tree.c
++++ b/src/yajl_tree.c
+@@ -449,6 +449,9 @@ yajl_val yajl_tree_parse (const char *input,
+              yajl_tree_free(v);
+         }
+         yajl_free (handle);
++	//If the requested memory is not released in time, it will cause memory leakage
++	if(ctx.root)
++	     yajl_tree_free(ctx.root);
+         return NULL;
+     }
+ 
+-- 
+2.41.0
+
diff --git a/libraries/yajl/yajl.SlackBuild b/libraries/yajl/yajl.SlackBuild
index b58cac47efb6f..0c2408c1abc50 100644
--- a/libraries/yajl/yajl.SlackBuild
+++ b/libraries/yajl/yajl.SlackBuild
@@ -5,8 +5,9 @@
 # Written by Eugene Wissner <belka.ew@gmail.com>
 # Updated by Marcin Herda <mherda@slackword.net>
 # Updated by Johannes Schoepfer
+# Modified by Ricardo J. Barberis
 #
-# Copyright (c) 2019, Modified by: Ricardo J. Barberis <ricardo.barberis@gmail.com>
+# Copyright (c) 2023 Matteo Bernardini <ponce@slackbuilds.org>, Pisa, Italy
 #
 # Redistribution and use of this script, with or without modification, is
 # permitted provided that the following conditions are met:
@@ -29,7 +30,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PRGNAM=yajl
 VERSION=${VERSION:-2.1.0}
-BUILD=${BUILD:-2}
+BUILD=${BUILD:-3}
 TAG=${TAG:-_SBo}
 PKGTYPE=${PKGTYPE:-tgz}
 
@@ -82,6 +83,8 @@ find -L . \
  \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
   -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
 
+for i in $CWD/patches/* ; do patch -p1 < $i ; done
+
 mkdir build
 cd build
   cmake .. \
diff --git a/libraries/yajl/yajl.info b/libraries/yajl/yajl.info
index 47b69fc172b6d..c2a7bc65861c9 100644
--- a/libraries/yajl/yajl.info
+++ b/libraries/yajl/yajl.info
@@ -1,10 +1,10 @@
 PRGNAM="yajl"
 VERSION="2.1.0"
 HOMEPAGE="http://lloyd.github.com/yajl/"
-DOWNLOAD="http://slackware.uk/sbosrcarch/by-md5/8/d/8df8a92a2799bc949577e8e7a9f43670/lloyd-yajl-2.1.0-0-ga0ecdde.tar.gz"
+DOWNLOAD="https://ponce.cc/slackware/sources/repo/lloyd-yajl-2.1.0-0-ga0ecdde.tar.gz"
 MD5SUM="8df8a92a2799bc949577e8e7a9f43670"
 DOWNLOAD_x86_64=""
 MD5SUM_x86_64=""
 REQUIRES=""
-MAINTAINER="Ricardo J. Barberis"
-EMAIL="ricardo.barberis@gmail.com"
+MAINTAINER="Matteo Bernardini"
+EMAIL="ponce@slackbuilds.org"
author	Matteo Bernardini <ponce@slackbuilds.org>	2023-08-06 17:06:13 +0200
committer	Willy Sudiarto Raharjo <willysr@slackbuilds.org>	2023-08-12 08:30:00 +0700
commit	0c7388609d64c77c5493314612b1df42b573cf60 (patch)
tree	c70199250a1005f033c467ec7df4104f9026a587 /libraries
parent	7846ec4d6567e2c44450c4bdeaed78ba4a736f53 (diff)