From 1d0ca9618d736b2d8e8cbfb170afc1668d757ef8 Mon Sep 17 00:00:00 2001 From: Al Snow <43523+jasnow@users.noreply.github.com> Date: Mon, 22 Jun 2026 15:37:18 -0400 Subject: [PATCH 1/2] GHSA/SYNC: 3 new oj advisories --- gems/oj/CVE-2026-54500.yml | 51 ++++++++++++++++++++++++++++++++++++++ gems/oj/CVE-2026-54502.yml | 30 ++++++++++++++++++++++ gems/oj/CVE-2026-54592.yml | 49 ++++++++++++++++++++++++++++++++++++ 3 files changed, 130 insertions(+) create mode 100644 gems/oj/CVE-2026-54500.yml create mode 100644 gems/oj/CVE-2026-54502.yml create mode 100644 gems/oj/CVE-2026-54592.yml diff --git a/gems/oj/CVE-2026-54500.yml b/gems/oj/CVE-2026-54500.yml new file mode 100644 index 0000000000..d625382e1a --- /dev/null +++ b/gems/oj/CVE-2026-54500.yml 
@@ -0,0 +1,51 @@ +--- +gem: oj +cve: 2026-54500 +ghsa: fm7p-mprw-wjm9 +url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54500 +title: Oj - intern.c form_attr (uninitialized stack read) +date: 2026-06-19 +description: | + ### Summary + + `Oj.load` in `:object` mode reads uninitialized stack memory (and, + for long keys, reads out of bounds) when parsing a JSON object whose + key is 254 bytes or longer. The interned bytes can surface to the + caller, disclosing process stack memory. + + ### Impact + + Information disclosure of process stack memory to a caller that parses + untrusted JSON with `Oj.load(..., mode: :object)`. For keys >= 256 + bytes it is also an out-of-bounds read (CWE-125). + + Severity is bounded by several preconditions: it requires `:object` + mode (which is already discouraged for untrusted input), the leaked + bytes are uncontrolled (the attacker cannot choose what is disclosed), + and the data only reaches an attacker if the application surfaces the + resulting Symbol or `EncodingError` back to them. Scored CVSS 5.3 + (Medium) on that basis. + + ### Patches + + Fixed in **3.17.3**: `form_attr()` now passes `b` to `rb_intern3` (a + one-character change mirroring the earlier `usual.c` fix). Verified on + the fixed build: the same payload returns cleanly with no leak across + repeated runs. + + ### Credit + + Reported by Zac Wang (@7a6163). +cvss_v3: 5.3 +patched_versions: + - ">= 3.17.3" +related: + url: + - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54500 + - https://rubygems.org/gems/oj/versions/3.17.3 + - https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04 + - https://github.com/ohler55/oj/pull/1015 + - https://github.com/ohler55/oj/security/advisories/GHSA-fm7p-mprw-wjm9 + - https://github.com/advisories/GHSA-fm7p-mprw-wjm9 +notes: | + - CVE is reserved, but published so no cvss_v2 or cvss_v4 values. 
diff --git a/gems/oj/CVE-2026-54502.yml b/gems/oj/CVE-2026-54502.yml new file mode 100644 index 0000000000..84b319fc0e --- /dev/null +++ b/gems/oj/CVE-2026-54502.yml @@ -0,0 +1,30 @@ +--- +gem: oj +cve: 2026-54502 +ghsa: 3v45-f3vh-wg7m +url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54502 +title: Oj - Stack Buffer Overflow in Oj.dump via Large Indent +date: 2026-06-19 +description: | + ### Summary + + `Oj.dump` is vulnerable to a stack-based buffer overflow when a large + `:indent` value is provided by the developer. `fill_indent` in `dump.h` + calls `memset(indent_str, ' ', (size_t)opts->indent)` without validating + the size. When `opts->indent` is set to `INT_MAX` (2,147,483,647), the + `(size_t)` cast preserves the large value and `memset` writes 2 GB into + the stack-allocated `out` buffer (4,184 bytes), corrupting the stack + and crashing the process. +cvss_v4: 8.7 +patched_versions: + - ">= 3.17.3" +related: + url: + - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54502 + - https://rubygems.org/gems/oj/versions/3.17.3 + - https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04 + - https://github.com/ohler55/oj/pull/1015 + - https://github.com/ohler55/oj/security/advisories/GHSA-3v45-f3vh-wg7m + - https://github.com/advisories/GHSA-3v45-f3vh-wg7m +notes: | + - CVE is reserved, but published so no cvss_v2 or cvss_v3 values. diff --git a/gems/oj/CVE-2026-54592.yml b/gems/oj/CVE-2026-54592.yml new file mode 100644 index 0000000000..e7de633a6e --- /dev/null +++ b/gems/oj/CVE-2026-54592.yml 
@@ -0,0 +1,49 @@ +--- +gem: oj +cve: 2026-54592 +ghsa: 3m6q-jj5j-38c9 +url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54592 +title: Oj - Stack Buffer Overflow in Oj::Doc#each_child via Deeply Nested Input +date: 2026-06-19 +description: | + ### Summary + + `Oj::Doc#each_child`, when invoked recursively over a deeply nested JSON + document, overflows a fixed-size stack buffer and aborts the process. This is a + denial of service reachable from untrusted JSON. + + ### Impact + + Reliable denial of service: any endpoint that calls + `Oj::Doc.open(untrusted) { |d| d.each_child ... }` recursively can be + crashed with a small deeply-nested payload. On builds with a stack + protector (the default, `-fstack-protector-strong`) the canary aborts + the process before the saved return address is used. The Step-1 heap + OOB writes into `struct _doc` fields do occur, but are masked in + practice because the Step-2 stack overflow crashes first; turning them + into anything beyond a crash has not been demonstrated. + + ### Patches + + Fixed in **3.17.3**: `doc_each_child` now bounds-checks before incrementing + `doc->where` (raising `Oj::DepthError`) and restores `doc->where` after the + loop, matching the existing `each_leaf` pattern. Verified on the fixed build: + depth >= 101 raises a clean `Oj::DepthError` instead of aborting. + + ### Credit + + Reported by Zac Wang (@7a6163). +cvss_v3: 7.5 +patched_versions: + - ">= 3.17.3" +related: + url: + - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54592 + - https://rubygems.org/gems/oj/versions/3.17.3 + - https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04 + - https://github.com/ohler55/oj/pull/1015 + - https://github.com/ohler55/oj/security/advisories/GHSA-3m6q-jj5j-38c9 + - https://github.com/advisories/GHSA-3m6q-jj5j-38c9 + +notes: | + - CVE is reserved, but published so no cvss_v2 or cvss_v4 values. From efc7fd7fdc84183e1394a937fdcd69304f0745d8 Mon Sep 17 00:00:00 2001 
From: Al Snow <43523+jasnow@users.noreply.github.com> Date: Mon, 22 Jun 2026 15:40:26 -0400 Subject: [PATCH 2/2] Removed extra blank line Removed an extra newline in the CVE-2026-54592.yml file. --- gems/oj/CVE-2026-54592.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/gems/oj/CVE-2026-54592.yml b/gems/oj/CVE-2026-54592.yml index e7de633a6e..1995deb960 100644 --- a/gems/oj/CVE-2026-54592.yml +++ b/gems/oj/CVE-2026-54592.yml @@ -44,6 +44,5 @@ related: - https://github.com/ohler55/oj/pull/1015 - https://github.com/ohler55/oj/security/advisories/GHSA-3m6q-jj5j-38c9 - https://github.com/advisories/GHSA-3m6q-jj5j-38c9 - notes: | - CVE is reserved, but published so no cvss_v2 or cvss_v4 values.
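Review bot: In gems/oj/CVE-2026-54500.yml the `notes:` line "CVE is reserved, but published so no cvss_v2 or cvss_v4 values" is ambiguous about what is published; it reads as if the CVE itself is both reserved and published. Spell out that the CVE record is still in reserved state while the GHSA (GHSA-fm7p-mprw-wjm9) is published, and that the 5.3 `cvss_v3` value is therefore taken from the GHSA rather than from cve.org, so a later sync knows where the score came from.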
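Review bot: In gems/oj/CVE-2026-54502.yml the description states the overflow is triggered when a large `:indent` value "is provided by the developer", which is a significant precondition (attacker control over `:indent` is not an untrusted-input path the way `Oj.load` is), yet the file has no Impact or preconditions paragraph like the "Severity is bounded by several preconditions" text in CVE-2026-54500.yml. Add an `### Impact` section stating that precondition so readers can weigh the `cvss_v4: 8.7` score; the other two files in this commit carry Impact sections and this one should match.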
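Review bot: In gems/oj/CVE-2026-54592.yml the Impact text refers to "The Step-1 heap OOB writes" and "the Step-2 stack overflow", but no Step 1 or Step 2 is defined anywhere in this file; the numbering was copied from the upstream advisory and is meaningless to a reader of the YAML alone. Rephrase to name the two effects directly, e.g. "the heap out-of-bounds writes into `struct _doc` fields" and "the stack overflow in `doc_each_child`". Separately, the stray blank line between the `related:` list and `notes:` (the `+` empty line before `+notes: |`) is the same one PATCH 2/2 removes, so the two commits should be squashed before merge.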
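Review bot: This one-line deletion in gems/oj/CVE-2026-54592.yml only undoes a blank line introduced by the previous commit in the same series, so it should be folded into PATCH 1/2 (a fixup) rather than landing as a separate "Removed extra blank line" commit in the history.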