Your message dated Sun, 14 Dec 2014 21:17:15 +0000
with message-id <[email protected]>
and subject line Bug#771366: fixed in libyaml 0.1.4-2+deb7u5
has caused the Debian Bug report #771366,
regarding libyaml: CVE-2014-9130: Wrapped strings cause assert failure
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
771366: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771366
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libyaml
Version: 0.1.4-2
Severity: important
Tags: security upstream patch

Hi,

An assert is triggered by wrapped strings, see [1,2,3]. Proposed commit
in [4] comments out the assertion and lets the parser fail.
CVE-2014-9130 was assigned for this reachable assertion in scanner.c.

 [1] https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
 [2] http://www.openwall.com/lists/oss-security/2014/11/28/1
 [3] https://security-tracker.debian.org/CVE-2014-9130
 [4] https://github.com/yaml/libyaml/commit/e6aa721cc0e5a48f408c52355559fd36780ba32a

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libyaml
Source-Version: 0.1.4-2+deb7u5

We believe that the bug you reported is fixed in the latest version of
libyaml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libyaml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 13 Dec 2014 14:44:17 +0100
Source: libyaml
Binary: libyaml-0-2 libyaml-0-2-dbg libyaml-dev
Architecture: source amd64
Version: 0.1.4-2+deb7u5
Distribution: wheezy-security
Urgency: high
Maintainer: Anders Kaseorg <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description: 
 libyaml-0-2 - Fast YAML 1.1 parser and emitter library
 libyaml-0-2-dbg - Fast YAML 1.1 parser and emitter library (debugging symbols)
 libyaml-dev - Fast YAML 1.1 parser and emitter library (development)
Closes: 771366
Changes: 
 libyaml (0.1.4-2+deb7u5) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add CVE-2014-9130.patch.
     CVE-2014-9130: assert failure when processing wrapped strings.
     (Closes: #771366)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
