Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], Debian Perl Group <[email protected]>, gregor herrmann <[email protected]>, [email protected], [email protected]
Control: affects -1 + src:libyaml-syck-perl
User: [email protected]
Usertags: pu
Hi SRM,

[ Reason ]
libyaml-syck-perl in trixie is affected by CVE-2025-11683, which does not warrant a DSA.

[ Impact ]
Users remain vulnerable to the memory corruption from CVE-2025-11683.

[ Tests ]
Done explicitly with a test case triggering the issue. Additionally ran the autopkgtests on reverse dependencies as per https://debusine.debian.net/debian/developers/work-request/207136/ .

[ Risks ]
It is the upstream/cpan-authors patch, merged and targeted for the fix, so I would say rather low.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Regards,
Salvatore
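For reference, the defect class the patch below addresses, modelled as an added C example (this is not YAML-Syck's code; the 100-byte initial capacity follows token.c's qcapa, while the stale-byte fill, the guard byte and the helper names scan_plain and mapping_value_len are assumptions of the demo). The scanner copies a scalar into a freshly allocated qstr and writes the terminator only on the copy path, so an empty value hands the caller an untouched allocation; the one-line fix terminates the buffer up front:

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define QCAPA      100   /* same initial capacity as token.c's qcapa */
#define STALE_BYTE 'X'   /* simulated leftover content of a reused heap chunk */

/* Stand-in for S_ALLOC_N(char, qcapa). The fill and the extra guard byte are
 * demo-only assumptions: the fill makes the stale contents deterministic, the
 * guard keeps strlen() inside the allocation on the buggy path. A real
 * allocator provides neither, so the buggy path returns whatever the chunk
 * held before and strlen() keeps reading until it happens to hit a zero. */
static char *alloc_qstr(void)
{
    char *qstr = malloc(QCAPA + 1);
    if (qstr == NULL)
        abort();
    memset(qstr, STALE_BYTE, QCAPA);
    qstr[QCAPA] = '\0';
    return qstr;
}

/* Model of the plain-scalar scanner: bytes are copied into qstr until end of
 * line or end of input, and the terminator is written by the copy step. An
 * empty scalar never reaches the copy step, so without the fix nothing in
 * qstr is ever initialised. fixed=1 applies the upstream one-liner. */
char *scan_plain(const char *in, int fixed)
{
    char *qstr = alloc_qstr();
    int qidx = 0;

    if (fixed)
        qstr[0] = '\0';          /* the fix: terminated even if nothing is copied */

    while (*in != '\0' && *in != '\n' && qidx < QCAPA - 1) {
        qstr[qidx++] = *in++;
        qstr[qidx] = '\0';       /* terminator only reached on the copy path */
    }
    return qstr;
}

/* Consume one "key: value" line the way a mapping builder would and report
 * how long the value scalar comes out. With the buggy scanner an empty value
 * is reported as QCAPA stale bytes; a caller building a Perl SV with
 * strlen(qstr) would copy all of them. */
size_t mapping_value_len(const char *line, int fixed)
{
    const char *colon = strchr(line, ':');
    const char *val = colon ? colon + 1 : line;
    while (*val == ' ')
        val++;
    char *qstr = scan_plain(val, fixed);
    size_t len = strlen(qstr);
    free(qstr);
    return len;
}

int main(void)
{
    /* constructed sample input: one populated and one empty mapping value */
    const char *lines[] = { "name: syck", "empty:" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-12s buggy=%3zu fixed=%3zu\n", lines[i],
               mapping_value_len(lines[i], 0), mapping_value_len(lines[i], 1));
    return 0;
}
```

The populated value comes out the same either way; the empty value is the only input that distinguishes the two, which is why a regression test for this class of bug has to include a key with no value rather than only well-formed documents.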
diff -Nru libyaml-syck-perl-1.34/debian/changelog libyaml-syck-perl-1.34/debian/changelog --- libyaml-syck-perl-1.34/debian/changelog 2022-10-16 05:30:29.000000000 +0200 +++ libyaml-syck-perl-1.34/debian/changelog 2025-10-17 06:18:57.000000000 +0200 @@ -1,3 +1,11 @@ +libyaml-syck-perl (1.34-2+deb13u1) trixie; urgency=medium + + * Team upload. + * Address memory corruption leading to 'str' value being set on empty keys + (CVE-2025-11683) + + -- Salvatore Bonaccorso <[email protected]> Fri, 17 Oct 2025 06:18:57 +0200 + libyaml-syck-perl (1.34-2) unstable; urgency=medium [ Jenkins ] diff -Nru libyaml-syck-perl-1.34/debian/patches/Address-memory-corruption-leading-to-str-value-being.patch libyaml-syck-perl-1.34/debian/patches/Address-memory-corruption-leading-to-str-value-being.patch --- libyaml-syck-perl-1.34/debian/patches/Address-memory-corruption-leading-to-str-value-being.patch 1970-01-01 01:00:00.000000000 +0100 +++ libyaml-syck-perl-1.34/debian/patches/Address-memory-corruption-leading-to-str-value-being.patch 2025-10-17 06:18:57.000000000 +0200 
@@ -0,0 +1,68 @@ +From: Timothy Legge <[email protected]> +Date: Thu, 9 Oct 2025 23:12:45 -0300 +Subject: Address memory corruption leading to 'str' value being set on empty + keys +Origin: https://github.com/cpan-authors/YAML-Syck/commit/dcf4c8477b82ef439f43fd20dc099082d096df02 +Bug: https://github.com/cpan-authors/YAML-Syck/pull/65 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-11683 + +When yaml is parsed, qstr is allocated + +In cases when the keys point to empty values there is no value + +copied to qstr and no null value is copied in +--- + perl_syck.h | 3 --- + token.c | 6 +++++- + 2 files changed, 5 insertions(+), 4 deletions(-) + +--- a/token.c ++++ b/token.c +@@ -1552,6 +1552,7 @@ Plain: + int qidx = 0; + int qcapa = 100; + char *qstr = S_ALLOC_N( char, qcapa ); ++ qstr[0] = '\0'; + SyckLevel *plvl; + int parentIndent; + +@@ -1804,6 +1805,7 @@ SingleQuote: + int qidx = 0; + int qcapa = 100; + char *qstr = S_ALLOC_N( char, qcapa ); ++ qstr[0] = '\0'; + + SingleQuote2: + YYTOKEN = YYCURSOR; +@@ -1962,6 +1964,7 @@ DoubleQuote: + int qidx = 0; + int qcapa = 100; + char *qstr = S_ALLOC_N( char, qcapa ); ++ qstr[0] = '\0'; + + DoubleQuote2: + YYTOKEN = YYCURSOR; +@@ -2232,6 +2235,7 @@ TransferMethod: + int qidx = 0; + int qcapa = 100; + char *qstr = S_ALLOC_N( char, qcapa ); ++ qstr[0] = '\0'; + + TransferMethod2: + YYTOKTMP = YYCURSOR; +@@ -2450,6 +2454,7 @@ ScalarBlock: + SyckLevel *lvl = CURRENT_LEVEL(); + int parentIndent = -1; + ++ qstr[0] = '\0'; + switch ( *yyt ) + { + case '|': blockType = BLOCK_LIT; break; +@@ -2472,7 +2477,6 @@ ScalarBlock: + } + } + +- qstr[0] = '\0'; + YYTOKEN = YYCURSOR; + + ScalarBlock2: diff -Nru libyaml-syck-perl-1.34/debian/patches/series libyaml-syck-perl-1.34/debian/patches/series --- libyaml-syck-perl-1.34/debian/patches/series 2022-10-16 05:30:29.000000000 +0200 +++ libyaml-syck-perl-1.34/debian/patches/series 2025-10-17 06:18:57.000000000 +0200 
@@ -1 +1,2 @@ disable-compiler-check.patch +Address-memory-corruption-leading-to-str-value-being.patch
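Review bot: the diffstat in the patch header does not match the patch body. It lists `perl_syck.h | 3 ---` and "2 files changed, 5 insertions(+), 4 deletions(-)", but the only hunks present are the token.c ones (5 insertions, 1 deletion). Either the perl_syck.h part of upstream commit dcf4c8477b82ef439f43fd20dc099082d096df02 was deliberately left out of the backport, in which case the DEP-3 header should say so and the diffstat be regenerated, or it was dropped by accident and the fix is incomplete relative to the Origin it cites. Please regenerate the patch (e.g. with gbp pq export) so the header and body agree.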
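Review bot: in the Plain hunk (token.c @@ -1552) the new `qstr[0] = '\0';` sits between `char *qstr = S_ALLOC_N( char, qcapa );` and `SyckLevel *plvl;`, so the two declarations that follow it become declarations after a statement. That is valid C99 but is rejected by C89 compilers and by builds that use -Wdeclaration-after-statement with -Werror. Suggest moving the assignment to after `int parentIndent;`, which is how the SingleQuote, DoubleQuote, TransferMethod and ScalarBlock hunks place it (after the last declaration of the block).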
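Review bot: the ScalarBlock hunks (token.c @@ -2450 and @@ -2472) move the existing `qstr[0] = '\0';` from after the `switch ( *yyt )` block to before it, but neither the commit message nor the DEP-3 header explains why, and the context between the two hunks is not shown, so a reviewer cannot see which path between the old and new position could leave qstr unterminated. A one-line note in the patch description naming that path (presumably an early exit inside the switch region) would make the backport self-explanatory and easier to verify against the upstream commit.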

