Your message dated Sat, 15 Nov 2025 11:21:45 +0000
with message-id 
<736c7150dc08501cc89945035c406eaf9688e144.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 13.2
has caused the Debian Bug report #1118228,
regarding trixie-pu: package libyaml-syck-perl/1.34-2+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1118228: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118228
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], Debian Perl Group 
<[email protected]>, gregor herrmann 
<[email protected]>, [email protected], [email protected]
Control: affects -1 + src:libyaml-syck-perl
User: [email protected]
Usertags: pu

Hi SRM,

[ Reason ]
libyaml-syck-perl in trixie is affected by CVE-2025-11683 which does
not warrant a DSA.

[ Impact ]
Users remain vulnerable to the address memory corruption from
CVE-2025-11683.

[ Tests ]
Done explicitly with a test case triggering the issue. Additionally
ran the autopkgtests on reverse dependencies as per
https://debusine.debian.net/debian/developers/work-request/207136/ .

[ Risks ]
It is the upstream/cpan-authors patch, merged and targeted for the fix. So
I would say rather low.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Regards,
Salvatore
diff -Nru libyaml-syck-perl-1.34/debian/changelog 
libyaml-syck-perl-1.34/debian/changelog
--- libyaml-syck-perl-1.34/debian/changelog     2022-10-16 05:30:29.000000000 
+0200
+++ libyaml-syck-perl-1.34/debian/changelog     2025-10-17 06:18:57.000000000 
+0200
@@ -1,3 +1,11 @@
+libyaml-syck-perl (1.34-2+deb13u1) trixie; urgency=medium
+
+  * Team upload.
+  * Address memory corruption leading to 'str' value being set on empty keys
+    (CVE-2025-11683)
+
+ -- Salvatore Bonaccorso <[email protected]>  Fri, 17 Oct 2025 06:18:57 +0200
+
 libyaml-syck-perl (1.34-2) unstable; urgency=medium
 
   [ Jenkins ]
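Review bot: the changelog entry names only the CVE; since the patch header already carries the upstream commit (Origin:) and PR (Bug: .../pull/65), quoting one of them in the changelog line, e.g. "(CVE-2025-11683, upstream PR #65)", would make the stable update traceable without opening the patch.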
diff -Nru 
libyaml-syck-perl-1.34/debian/patches/Address-memory-corruption-leading-to-str-value-being.patch
 
libyaml-syck-perl-1.34/debian/patches/Address-memory-corruption-leading-to-str-value-being.patch
--- 
libyaml-syck-perl-1.34/debian/patches/Address-memory-corruption-leading-to-str-value-being.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
libyaml-syck-perl-1.34/debian/patches/Address-memory-corruption-leading-to-str-value-being.patch
    2025-10-17 06:18:57.000000000 +0200
@@ -0,0 +1,68 @@
+From: Timothy Legge <[email protected]>
+Date: Thu, 9 Oct 2025 23:12:45 -0300
+Subject: Address memory corruption leading to 'str' value being set on empty
+ keys
+Origin: 
https://github.com/cpan-authors/YAML-Syck/commit/dcf4c8477b82ef439f43fd20dc099082d096df02
+Bug: https://github.com/cpan-authors/YAML-Syck/pull/65
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-11683
+
+When yaml is parsed, qstr is allocated
+
+In cases when the keys point to empty values there is no value
+
+copied to qstr and no null value is copied in
+---
+ perl_syck.h | 3 ---
+ token.c     | 6 +++++-
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/token.c
++++ b/token.c
+@@ -1552,6 +1552,7 @@ Plain:
+         int qidx = 0;
+         int qcapa = 100;
+         char *qstr = S_ALLOC_N( char, qcapa );
++        qstr[0] = '\0';
+         SyckLevel *plvl;
+         int parentIndent;
+ 
+@@ -1804,6 +1805,7 @@ SingleQuote:
+         int qidx = 0;
+         int qcapa = 100;
+         char *qstr = S_ALLOC_N( char, qcapa );
++        qstr[0] = '\0';
+ 
+ SingleQuote2:
+         YYTOKEN = YYCURSOR;
+@@ -1962,6 +1964,7 @@ DoubleQuote:
+         int qidx = 0;
+         int qcapa = 100;
+         char *qstr = S_ALLOC_N( char, qcapa );
++        qstr[0] = '\0';
+ 
+ DoubleQuote2:
+         YYTOKEN = YYCURSOR;
+@@ -2232,6 +2235,7 @@ TransferMethod:
+         int qidx = 0;
+         int qcapa = 100;
+         char *qstr = S_ALLOC_N( char, qcapa );
++        qstr[0] = '\0';
+ 
+ TransferMethod2:
+         YYTOKTMP = YYCURSOR;
+@@ -2450,6 +2454,7 @@ ScalarBlock:
+         SyckLevel *lvl = CURRENT_LEVEL();
+         int parentIndent = -1;
+ 
++        qstr[0] = '\0';
+         switch ( *yyt )
+         {
+             case '|': blockType = BLOCK_LIT; break;
+@@ -2472,7 +2477,6 @@ ScalarBlock:
+             }
+         }
+ 
+-        qstr[0] = '\0';
+         YYTOKEN = YYCURSOR;
+ 
+ ScalarBlock2:
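Review bot: the diffstat in the patch header does not match the body: it lists "perl_syck.h | 3 ---" and "2 files changed, 5 insertions(+), 4 deletions(-)", but the hunks below touch only token.c with five insertions and one deletion. Either the perl_syck.h part of the upstream commit was dropped deliberately for the backport, which should be stated in the patch header so the next updater does not go looking for it, or it was lost when the patch was exported and needs to be re-added. On the substance, the four `qstr[0] = '\0';` lines placed right after `char *qstr = S_ALLOC_N( char, qcapa );` terminate the fresh buffer, so a scalar that receives no bytes is read back as an empty string instead of whatever the allocator left behind; the ScalarBlock hunk moves the same write ahead of the `switch ( *yyt )` and deletes the later copy, so every path out of the block-header handling sees a terminated buffer. The declaration of qstr in ScalarBlock is outside the shown context, so please confirm it is allocated before the moved line rather than later in that block.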
diff -Nru libyaml-syck-perl-1.34/debian/patches/series 
libyaml-syck-perl-1.34/debian/patches/series
--- libyaml-syck-perl-1.34/debian/patches/series        2022-10-16 
05:30:29.000000000 +0200
+++ libyaml-syck-perl-1.34/debian/patches/series        2025-10-17 
06:18:57.000000000 +0200
@@ -1 +1,2 @@
 disable-compiler-check.patch
+Address-memory-corruption-leading-to-str-value-being.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.2

Hi,

The updates referenced in each of these bugs were included in today's
13.2 trixie point release.

Regards,

Adam

--- End Message ---
