--- Begin Message ---
Source: libyaml
Version: 0.1.4-3
Severity: important
Tags: patch squeeze wheezy
Control: found -1 0.1.3-1+deb6u2
Hi
The patch libyaml-indent-column-overflow-v2.patch applied for the
update to address CVE-2013-6393 introduces a regression which can be
seen when parsing a small YAML sample file with the tests/run-parser.c
utility:
----cut---------cut---------cut---------cut---------cut---------cut-----
%YAML 1.1
--- # Indented Block
name: John Smith
age: 33
--- # Inline Block
{name: John Smith, age: 33}
----cut---------cut---------cut---------cut---------cut---------cut-----
Compiling run-parser.c in the source and run against this YAML file
leads with the patch applied to:
# ./run-parser ./regression.yaml
[1] Parsing './regression.yaml': FAILURE (9 events)
Upstream indeed has addressed this part slightly different, with [1]
and [2].
[1]
https://bitbucket.org/xi/libyaml/commits/f859ed1eb757a3562b98a28a8ce69274bfd4b3f2
[2]
https://bitbucket.org/xi/libyaml/commits/af3599437a87162554787c52d8b16eab553f537b
Attached are prepared debdiffs for squeeze and wheezy. For unstable
either the same can be applied or better directly update to 0.1.5
which contains the commits.
Regards,
Salvatore
diff -u libyaml-0.1.3/debian/changelog libyaml-0.1.3/debian/changelog
--- libyaml-0.1.3/debian/changelog
+++ libyaml-0.1.3/debian/changelog
@@ -1,3 +1,11 @@
+libyaml (0.1.3-1+deb6u3) squeeze-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Apply correct patch from upstream to quard against overflows in
+ indent and flow_level
+
+ -- Salvatore Bonaccorso <[email protected]> Mon, 10 Feb 2014 21:32:14 +0100
+
libyaml (0.1.3-1+deb6u2) oldstable-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -u libyaml-0.1.3/src/scanner.c libyaml-0.1.3/src/scanner.c
--- libyaml-0.1.3/src/scanner.c
+++ libyaml-0.1.3/src/scanner.c
@@ -615,14 +615,11 @@
*/
static int
-yaml_parser_roll_indent(yaml_parser_t *parser, size_t column,
- int number, yaml_token_type_t type, yaml_mark_t mark);
+yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
+ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark);
static int
-yaml_parser_unroll_indent(yaml_parser_t *parser, size_t column);
-
-static int
-yaml_parser_reset_indent(yaml_parser_t *parser);
+yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column);
/*
* Token fetchers.
@@ -1106,7 +1103,7 @@
*/
int required = (!parser->flow_level
- && parser->indent == (int)parser->mark.column);
+ && parser->indent == (ptrdiff_t)parser->mark.column);
/*
* A simple key is required only when it is the first token in the current
@@ -1179,6 +1176,11 @@
/* Increase the flow level. */
+ if (parser->flow_level == INT_MAX) {
+ parser->error = YAML_MEMORY_ERROR;
+ return 0;
+ }
+
parser->flow_level++;
return 1;
@@ -1209,8 +1211,8 @@
*/
static int
-yaml_parser_roll_indent(yaml_parser_t *parser, size_t column,
- int number, yaml_token_type_t type, yaml_mark_t mark)
+yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
+ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark)
{
yaml_token_t token;
@@ -1219,7 +1221,7 @@
if (parser->flow_level)
return 1;
- if (parser->indent == -1 || parser->indent < column)
+ if (parser->indent < column)
{
/*
* Push the current indentation level to the stack and set the new
@@ -1229,6 +1231,11 @@
if (!PUSH(parser, parser->indents, parser->indent))
return 0;
+ if (column > INT_MAX) {
+ parser->error = YAML_MEMORY_ERROR;
+ return 0;
+ }
+
parser->indent = column;
/* Create a token and insert it into the queue. */
@@ -1257,7 +1264,7 @@
static int
-yaml_parser_unroll_indent(yaml_parser_t *parser, size_t column)
+yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column)
{
yaml_token_t token;
@@ -1266,15 +1273,6 @@
if (parser->flow_level)
return 1;
- /*
- * column is unsigned and parser->indent is signed, so if
- * parser->indent is less than zero the conditional in the while
- * loop below is incorrect. Guard against that.
- */
-
- if (parser->indent < 0)
- return 1;
-
/* Loop through the intendation levels in the stack. */
while (parser->indent > column)
@@ -1295,41 +1293,6 @@
}
/*
- * Pop indentation levels from the indents stack until the current
- * level resets to -1. For each intendation level, append the
- * BLOCK-END token.
- */
-
-static int
-yaml_parser_reset_indent(yaml_parser_t *parser)
-{
- yaml_token_t token;
-
- /* In the flow context, do nothing. */
-
- if (parser->flow_level)
- return 1;
-
- /* Loop through the intendation levels in the stack. */
-
- while (parser->indent > -1)
- {
- /* Create a token and append it to the queue. */
-
- TOKEN_INIT(token, YAML_BLOCK_END_TOKEN, parser->mark, parser->mark);
-
- if (!ENQUEUE(parser, parser->tokens, token))
- return 0;
-
- /* Pop the indentation level. */
-
- parser->indent = POP(parser, parser->indents);
- }
-
- return 1;
-}
-
-/*
* Initialize the scanner and produce the STREAM-START token.
*/
@@ -1385,7 +1348,7 @@
/* Reset the indentation level. */
- if (!yaml_parser_reset_indent(parser))
+ if (!yaml_parser_unroll_indent(parser, -1))
return 0;
/* Reset simple keys. */
@@ -1416,7 +1379,7 @@
/* Reset the indentation level. */
- if (!yaml_parser_reset_indent(parser))
+ if (!yaml_parser_unroll_indent(parser, -1))
return 0;
/* Reset simple keys. */
@@ -1454,7 +1417,7 @@
/* Reset the indentation level. */
- if (!yaml_parser_reset_indent(parser))
+ if (!yaml_parser_unroll_indent(parser, -1))
return 0;
/* Reset simple keys. */
only in patch2:
unchanged:
--- libyaml-0.1.3.orig/src/yaml_private.h
+++ libyaml-0.1.3/src/yaml_private.h
@@ -7,6 +7,7 @@
#include <assert.h>
#include <limits.h>
+#include <stddef.h>
/*
* Memory management.
diff -Nru libyaml-0.1.4/debian/changelog libyaml-0.1.4/debian/changelog
--- libyaml-0.1.4/debian/changelog 2014-01-30 10:21:45.000000000 +0100
+++ libyaml-0.1.4/debian/changelog 2014-02-10 20:18:48.000000000 +0100
@@ -1,3 +1,14 @@
+libyaml (0.1.4-2+deb7u3) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Drop libyaml-indent-column-overflow-v2.patch patch.
+ This patch causes additional regression on simple YAML files.
+ * Add libyaml-guard-against-overflows-in-indent-and-flow_level.patch patch.
+ Add upstream's patch to guard against overflows in indent and
+ flow_level.
+
+ -- Salvatore Bonaccorso <[email protected]> Mon, 10 Feb 2014 20:13:44 +0100
+
libyaml (0.1.4-2+deb7u2) stable-security; urgency=high
* Improved fix for CVE-2013-6393: heap-based buffer overflow when
diff -Nru libyaml-0.1.4/debian/patches/libyaml-guard-against-overflows-in-indent-and-flow_level.patch libyaml-0.1.4/debian/patches/libyaml-guard-against-overflows-in-indent-and-flow_level.patch
--- libyaml-0.1.4/debian/patches/libyaml-guard-against-overflows-in-indent-and-flow_level.patch 1970-01-01 01:00:00.000000000 +0100
+++ libyaml-0.1.4/debian/patches/libyaml-guard-against-overflows-in-indent-and-flow_level.patch 2014-02-10 20:18:48.000000000 +0100
@@ -0,0 +1,86 @@
+Description: Guard against overflows in indent and flow_level
+Origin: upstream, https://bitbucket.org/xi/libyaml/commits/f859ed1eb757a3562b98a28a8ce69274bfd4b3f2,
+ https://bitbucket.org/xi/libyaml/commits/af3599437a87162554787c52d8b16eab553f537b
+Last-Update: 2014-02-10
+Applied-Upstream: 0.1.5
+
+--- a/src/scanner.c
++++ b/src/scanner.c
+@@ -615,11 +615,11 @@
+ */
+
+ static int
+-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
+- int number, yaml_token_type_t type, yaml_mark_t mark);
++yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
++ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark);
+
+ static int
+-yaml_parser_unroll_indent(yaml_parser_t *parser, int column);
++yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column);
+
+ /*
+ * Token fetchers.
+@@ -1103,7 +1103,7 @@
+ */
+
+ int required = (!parser->flow_level
+- && parser->indent == (int)parser->mark.column);
++ && parser->indent == (ptrdiff_t)parser->mark.column);
+
+ /*
+ * A simple key is required only when it is the first token in the current
+@@ -1176,6 +1176,11 @@
+
+ /* Increase the flow level. */
+
++ if (parser->flow_level == INT_MAX) {
++ parser->error = YAML_MEMORY_ERROR;
++ return 0;
++ }
++
+ parser->flow_level++;
+
+ return 1;
+@@ -1206,8 +1211,8 @@
+ */
+
+ static int
+-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
+- int number, yaml_token_type_t type, yaml_mark_t mark)
++yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
++ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark)
+ {
+ yaml_token_t token;
+
+@@ -1226,6 +1231,11 @@
+ if (!PUSH(parser, parser->indents, parser->indent))
+ return 0;
+
++ if (column > INT_MAX) {
++ parser->error = YAML_MEMORY_ERROR;
++ return 0;
++ }
++
+ parser->indent = column;
+
+ /* Create a token and insert it into the queue. */
+@@ -1254,7 +1264,7 @@
+
+
+ static int
+-yaml_parser_unroll_indent(yaml_parser_t *parser, int column)
++yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column)
+ {
+ yaml_token_t token;
+
+--- a/src/yaml_private.h
++++ b/src/yaml_private.h
+@@ -7,6 +7,7 @@
+
+ #include <assert.h>
+ #include <limits.h>
++#include <stddef.h>
+
+ /*
+ * Memory management.
diff -Nru libyaml-0.1.4/debian/patches/libyaml-indent-column-overflow-v2.patch libyaml-0.1.4/debian/patches/libyaml-indent-column-overflow-v2.patch
--- libyaml-0.1.4/debian/patches/libyaml-indent-column-overflow-v2.patch 2014-01-30 10:15:00.000000000 +0100
+++ libyaml-0.1.4/debian/patches/libyaml-indent-column-overflow-v2.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,176 +0,0 @@
-Description: CVE-2013-6393: yaml_parser-{un,}roll-indent: fix int overflow in column argument
- This expands upon the original indent column overflow patch from
- comment #12.
- .
- The default parser indention is represented as an indention of -1.
- The original patch only modified the type of the column parameter to
- the roll/unroll functions, changing it from int to size_t to guard
- against integer overflow. However, there are code paths that call
- yaml_parser_unroll_indent with a column of -1 in order to reset the
- parser back to the initial indention. Since the column is now of
- type size_t and thus unsigned, passing a column value of -1 caused
- the column to underflow in this case.
- .
- This new patch modifies the roll/unroll functions to handle the -1
- indent as a special case. In addition, it adds a new function,
- yaml_parser_reset_indent. It is nearly an exact copy of
- yaml_parser_unroll_indent, except it does not take a column
- parameter. Instead it unrolls to a literal -1 indention, which does
- not suffer from the underflow.
- .
- Code paths that previously called yaml_parser_unroll_indent with a
- column of -1 are updated to call the new yaml_parser_reset_indent
- function instead.
- .
- With this patch instead of the original:
- .
- - `make check` still passes
- .
- - The reproducer script completes successfully with exit code 0
- .
- - The issue raised by John Haxby has been corrected and exits with SUCCESS
-Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
-Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
-Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076
-Last-Update: 2014-01-29
----
-# HG changeset patch
-# User John Eckersberg <[email protected]>
-# Date 1390870108 18000
-# Mon Jan 27 19:48:28 2014 -0500
-# Node ID 7179aa474f31e73834adda26b77bfc25bfe5143d
-# Parent 3e6507fa0c26d20c09f8f468f2bd04aa2fd1b5b5
-yaml_parser-{un,}roll-indent: fix int overflow in column argument
-
-diff -r 3e6507fa0c26 -r 7179aa474f31 src/scanner.c
---- a/src/scanner.c Mon Dec 24 03:51:32 2012 +0000
-+++ b/src/scanner.c Mon Jan 27 19:48:28 2014 -0500
-@@ -615,11 +615,14 @@
- */
-
- static int
--yaml_parser_roll_indent(yaml_parser_t *parser, int column,
-+yaml_parser_roll_indent(yaml_parser_t *parser, size_t column,
- int number, yaml_token_type_t type, yaml_mark_t mark);
-
- static int
--yaml_parser_unroll_indent(yaml_parser_t *parser, int column);
-+yaml_parser_unroll_indent(yaml_parser_t *parser, size_t column);
-+
-+static int
-+yaml_parser_reset_indent(yaml_parser_t *parser);
-
- /*
- * Token fetchers.
-@@ -1206,7 +1209,7 @@
- */
-
- static int
--yaml_parser_roll_indent(yaml_parser_t *parser, int column,
-+yaml_parser_roll_indent(yaml_parser_t *parser, size_t column,
- int number, yaml_token_type_t type, yaml_mark_t mark)
- {
- yaml_token_t token;
-@@ -1216,7 +1219,7 @@
- if (parser->flow_level)
- return 1;
-
-- if (parser->indent < column)
-+ if (parser->indent == -1 || parser->indent < column)
- {
- /*
- * Push the current indentation level to the stack and set the new
-@@ -1254,7 +1257,7 @@
-
-
- static int
--yaml_parser_unroll_indent(yaml_parser_t *parser, int column)
-+yaml_parser_unroll_indent(yaml_parser_t *parser, size_t column)
- {
- yaml_token_t token;
-
-@@ -1263,6 +1266,15 @@
- if (parser->flow_level)
- return 1;
-
-+ /*
-+ * column is unsigned and parser->indent is signed, so if
-+ * parser->indent is less than zero the conditional in the while
-+ * loop below is incorrect. Guard against that.
-+ */
-+
-+ if (parser->indent < 0)
-+ return 1;
-+
- /* Loop through the intendation levels in the stack. */
-
- while (parser->indent > column)
-@@ -1283,6 +1295,41 @@
- }
-
- /*
-+ * Pop indentation levels from the indents stack until the current
-+ * level resets to -1. For each intendation level, append the
-+ * BLOCK-END token.
-+ */
-+
-+static int
-+yaml_parser_reset_indent(yaml_parser_t *parser)
-+{
-+ yaml_token_t token;
-+
-+ /* In the flow context, do nothing. */
-+
-+ if (parser->flow_level)
-+ return 1;
-+
-+ /* Loop through the intendation levels in the stack. */
-+
-+ while (parser->indent > -1)
-+ {
-+ /* Create a token and append it to the queue. */
-+
-+ TOKEN_INIT(token, YAML_BLOCK_END_TOKEN, parser->mark, parser->mark);
-+
-+ if (!ENQUEUE(parser, parser->tokens, token))
-+ return 0;
-+
-+ /* Pop the indentation level. */
-+
-+ parser->indent = POP(parser, parser->indents);
-+ }
-+
-+ return 1;
-+}
-+
-+/*
- * Initialize the scanner and produce the STREAM-START token.
- */
-
-@@ -1338,7 +1385,7 @@
-
- /* Reset the indentation level. */
-
-- if (!yaml_parser_unroll_indent(parser, -1))
-+ if (!yaml_parser_reset_indent(parser))
- return 0;
-
- /* Reset simple keys. */
-@@ -1369,7 +1416,7 @@
-
- /* Reset the indentation level. */
-
-- if (!yaml_parser_unroll_indent(parser, -1))
-+ if (!yaml_parser_reset_indent(parser))
- return 0;
-
- /* Reset simple keys. */
-@@ -1407,7 +1454,7 @@
-
- /* Reset the indentation level. */
-
-- if (!yaml_parser_unroll_indent(parser, -1))
-+ if (!yaml_parser_reset_indent(parser))
- return 0;
-
- /* Reset simple keys. */
diff -Nru libyaml-0.1.4/debian/patches/series libyaml-0.1.4/debian/patches/series
--- libyaml-0.1.4/debian/patches/series 2014-01-30 10:15:00.000000000 +0100
+++ libyaml-0.1.4/debian/patches/series 2014-02-10 20:18:48.000000000 +0100
@@ -1,3 +1,3 @@
libyaml-string-overflow.patch
libyaml-node-id-hardening.patch
-libyaml-indent-column-overflow-v2.patch
+libyaml-guard-against-overflows-in-indent-and-flow_level.patch
--- End Message ---
