Your message dated Sat, 29 Nov 2014 03:20:07 +0000
with message-id <[email protected]>
and subject line Bug#771366: fixed in libyaml 0.1.6-3
has caused the Debian Bug report #771366,
regarding libyaml: CVE-2014-9130: Wrapped strings cause assert failure
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
771366: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771366
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libyaml
Version: 0.1.4-2
Severity: important
Tags: security upstream patch

Hi,

An assert is triggered by wrapped strings, see [1,2,3]. Proposed commit
in [4] comments out the assertion and lets the parser fail.
CVE-2014-9130 was assigned for this reachable assertion in scanner.c.

 [1] https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
 [2] http://www.openwall.com/lists/oss-security/2014/11/28/1
 [3] https://security-tracker.debian.org/CVE-2014-9130
 [4] https://github.com/yaml/libyaml/commit/e6aa721cc0e5a48f408c52355559fd36780ba32a

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libyaml
Source-Version: 0.1.6-3

We believe that the bug you reported is fixed in the latest version of
libyaml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anders Kaseorg <[email protected]> (supplier of updated libyaml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 28 Nov 2014 22:05:10 -0500
Source: libyaml
Binary: libyaml-0-2 libyaml-0-2-dbg libyaml-dev libyaml-doc
Architecture: source all amd64
Version: 0.1.6-3
Distribution: unstable
Urgency: high
Maintainer: Anders Kaseorg <[email protected]>
Changed-By: Anders Kaseorg <[email protected]>
Description:
 libyaml-0-2 - Fast YAML 1.1 parser and emitter library
 libyaml-0-2-dbg - Fast YAML 1.1 parser and emitter library (debugging symbols)
 libyaml-dev - Fast YAML 1.1 parser and emitter library (development)
 libyaml-doc - Fast YAML 1.1 parser and emitter library (documentation)
Closes: 771366
Changes:
 libyaml (0.1.6-3) unstable; urgency=high
 .
   * debian/patches/CVE-2014-9130.patch: Fix CVE-2014-9130 assertion
     failure caused by wrapped strings.  (Closes: #771366)
   * Bump Standards-Version to 3.9.6 (no changes needed).

--- End Message ---
