Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Hi Release Team,

Please unblock package libyaml-libyaml-perl

It addresses #771365. Wrapped strings trigger an assertion. Upstream for libyaml itself removed the assertion and let the parser fail correctly. libyaml-libyaml-perl is affected by the same issue as it embeds libyaml.

CVE-2014-9130 was assigned for this issue, as applications using libyaml can be crashed with untrusted yaml input.

http://www.openwall.com/lists/oss-security/2014/11/28/1
http://security-tracker.debian.org/tracker/CVE-2014-9130

The changelog for the 0.41-6 upload is:

+libyaml-libyaml-perl (0.41-6) unstable; urgency=high + + * Team upload. + * Add CVE-2014-9130.patch patch. + Fix CVE-2014-9130: assertion failure caused by wrapped strings. + (Closes: 771365) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 29 Nov 2014 08:23:09 +0100

Attached is also the full used debdiff.

unblock libyaml-libyaml-perl/0.41-6

Thanks a lot for considering,

Regards,
Salvatore
diff -Nru libyaml-libyaml-perl-0.41/debian/changelog libyaml-libyaml-perl-0.41/debian/changelog --- libyaml-libyaml-perl-0.41/debian/changelog 2014-03-26 20:03:55.000000000 +0100 +++ libyaml-libyaml-perl-0.41/debian/changelog 2014-11-29 08:33:49.000000000 +0100 @@ -1,3 +1,12 @@ +libyaml-libyaml-perl (0.41-6) unstable; urgency=high + + * Team upload. + * Add CVE-2014-9130.patch patch. + Fix CVE-2014-9130: assertion failure caused by wrapped strings. + (Closes: 771365) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 29 Nov 2014 08:23:09 +0100 + libyaml-libyaml-perl (0.41-5) unstable; urgency=high * Team upload. diff -Nru libyaml-libyaml-perl-0.41/debian/patches/CVE-2014-9130.patch libyaml-libyaml-perl-0.41/debian/patches/CVE-2014-9130.patch --- libyaml-libyaml-perl-0.41/debian/patches/CVE-2014-9130.patch 1970-01-01 01:00:00.000000000 +0100 +++ libyaml-libyaml-perl-0.41/debian/patches/CVE-2014-9130.patch 2014-11-29 08:33:49.000000000 +0100 
@@ -0,0 +1,26 @@ +Description: Remove invalid simple key assertion + CVE-2014-9130: denial-of-service/application crash with untrusted + yaml input +Origin: upstream, https://bitbucket.org/xi/libyaml/commits/2b9156756423e967cfd09a61d125d883fca6f4f2 +Bug: https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure +Bug-Debian: https://bugs.debian.org/771365 +Forwarded: no +Author: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2014-11-29 + +--- a/LibYAML/scanner.c ++++ b/LibYAML/scanner.c +@@ -1106,13 +1106,6 @@ yaml_parser_save_simple_key(yaml_parser_ + && parser->indent == (ptrdiff_t)parser->mark.column); + + /* +- * A simple key is required only when it is the first token in the current +- * line. Therefore it is always allowed. But we add a check anyway. +- */ +- +- assert(parser->simple_key_allowed || !required); /* Impossible. */ +- +- /* + * If the current position may start a simple key, save it. + */ + diff -Nru libyaml-libyaml-perl-0.41/debian/patches/series libyaml-libyaml-perl-0.41/debian/patches/series --- libyaml-libyaml-perl-0.41/debian/patches/series 2014-03-26 20:03:55.000000000 +0100 +++ libyaml-libyaml-perl-0.41/debian/patches/series 2014-11-29 08:33:49.000000000 +0100 @@ -4,3 +4,4 @@ libyaml-node-id-hardening.patch libyaml-guard-against-overflows-in-indent-and-flow_level.patch CVE-2014-2525.patch +CVE-2014-9130.patch
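Review bot: in the debian/changelog hunk the entry `* Add CVE-2014-9130.patch patch.` doubles the word "patch"; suggest `* Add CVE-2014-9130.patch.` (or `* Add patch for CVE-2014-9130.`) so the entry reads cleanly in the package's changelog and in the unblock request that quotes it.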
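Review bot: the scanner.c hunk in CVE-2014-9130.patch removes `assert(parser->simple_key_allowed || !required); /* Impossible. */` but adds no explicit error for the case the assertion guarded, so whether a wrapped-string input now produces a clean parse error instead of a silent misparse rests entirely on the code that follows the kept `* If the current position may start a simple key, save it.` comment; please confirm that path reports an error when a required key is not allowed, and add the wrapped-string reproducer from the linked upstream issue as a regression test in the package's own test suite so the fix is exercised against the embedded LibYAML copy, not only upstream's. On the DEP-3 header, `Origin: upstream` combined with `Forwarded: no` reads oddly since the change comes from upstream; `Forwarded: not-needed` is the conventional value in that case.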