tags 742732 + patch
tags 742732 + pending
thanks

Hi Anders!

I've prepared an NMU for libyaml (versioned as 0.1.4-3.2) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.

Note that upstream has released 0.1.6 including the fix and the previous one.

Regards,
Salvatore
diff -Nru libyaml-0.1.4/debian/changelog libyaml-0.1.4/debian/changelog --- libyaml-0.1.4/debian/changelog 2014-02-13 07:56:10.000000000 +0100 +++ libyaml-0.1.4/debian/changelog 2014-03-27 06:22:48.000000000 +0100 @@ -1,3 +1,14 @@ +libyaml (0.1.4-3.2) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Add CVE-2014-2525.patch patch. + CVE-2014-2525: Fixes heap overflow in yaml_parser_scan_uri_escapes. + The heap overflow is caused by not properly expanding a string before + writing to it in function yaml_parser_scan_uri_escapes in scanner.c. + (Closes: #742732) + + -- Salvatore Bonaccorso <[email protected]> Thu, 27 Mar 2014 06:22:25 +0100 + libyaml (0.1.4-3.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru libyaml-0.1.4/debian/patches/CVE-2014-2525.patch libyaml-0.1.4/debian/patches/CVE-2014-2525.patch --- libyaml-0.1.4/debian/patches/CVE-2014-2525.patch 1970-01-01 01:00:00.000000000 +0100 +++ libyaml-0.1.4/debian/patches/CVE-2014-2525.patch 2014-03-27 06:22:48.000000000 +0100 
@@ -0,0 +1,37 @@ +Description: CVE-2014-2525: Fixes heap overflow in yaml_parser_scan_uri_escapes + The heap overflow is caused by not properly expanding a string before + writing to it in function yaml_parser_scan_uri_escapes in scanner.c. +Origin: backport, https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048 +Author: Salvatore Bonaccorso <[email protected]> +Last-Update: 2014-03-20 +Applied-Upstream: 0.1.6 + +--- a/src/scanner.c ++++ b/src/scanner.c +@@ -2629,6 +2629,9 @@ + /* Check if it is a URI-escape sequence. */ + + if (CHECK(parser->buffer, '%')) { ++ if (!STRING_EXTEND(parser, string)) ++ goto error; ++ + if (!yaml_parser_scan_uri_escapes(parser, + directive, start_mark, &string)) goto error; + } +--- a/src/yaml_private.h ++++ b/src/yaml_private.h +@@ -133,9 +133,12 @@ + (string).start = (string).pointer = (string).end = 0) + + #define STRING_EXTEND(context,string) \ +- (((string).pointer+5 < (string).end) \ ++ ((((string).pointer+5 < (string).end) \ + || yaml_string_extend(&(string).start, \ +- &(string).pointer, &(string).end)) ++ &(string).pointer, &(string).end)) ? \ ++ 1 : \ ++ ((context)->error = YAML_MEMORY_ERROR, \ ++ 0)) + + #define CLEAR(context,string) \ + ((string).pointer = (string).start, \ diff -Nru libyaml-0.1.4/debian/patches/series libyaml-0.1.4/debian/patches/series --- libyaml-0.1.4/debian/patches/series 2014-02-13 07:56:10.000000000 +0100 +++ libyaml-0.1.4/debian/patches/series 2014-03-27 06:22:48.000000000 +0100 @@ -1,3 +1,4 @@ libyaml-string-overflow.patch libyaml-node-id-hardening.patch libyaml-guard-against-overflows-in-indent-and-flow_level.patch +CVE-2014-2525.patch
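Review bot: in the src/scanner.c hunk, the new STRING_EXTEND call only guarantees the headroom the macro itself checks for (pointer+5 < end, as shown in the src/yaml_private.h hunk), so the fix is correct only if yaml_parser_scan_uri_escapes never writes more than that many bytes per call; a short comment above the call stating that invariant would make the reason for the extend-before-scan ordering visible to future readers.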
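Review bot: the src/yaml_private.h hunk changes STRING_EXTEND for every existing caller, not just the new one: the old body never referenced its context parameter and silently evaluated to 0 on failure, whereas the new body also sets (context)->error = YAML_MEMORY_ERROR; that is the right behaviour for the new goto error path, but the patch Description and the changelog entry only mention the heap overflow, so a sentence noting that allocation failures in STRING_EXTEND now set a memory error for all callers would document the wider behaviour change.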
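Review bot: in the debian/patches/series hunk, CVE-2014-2525.patch is appended last, so it is applied on top of libyaml-string-overflow.patch, which by its name touches the same string-handling area; since the backport header says Last-Update: 2014-03-20 while the rest of the upload is dated 2014-03-27, it is worth confirming the hunks were refreshed against the patched tree and still apply without fuzz.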