Your message dated Sat, 10 Jan 2026 11:59:46 +0000
with message-id <[email protected]>
and subject line Released with 12.13
has caused the Debian Bug report #1118230,
regarding bookworm-pu: package libyaml-syck-perl/1.34-2+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1118230: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118230
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], Debian Perl Group 
<[email protected]>, gregor herrmann 
<[email protected]>, [email protected], [email protected]
Control: affects -1 + src:libyaml-syck-perl
User: [email protected]
Usertags: pu

Hi SRM,

[ Reason ]
libyaml-syck-perl in bookworm is affected by CVE-2025-11683 which does
not warrant a DSA.

[ Impact ]
Users remain vulnerable to the address memory corruption from
CVE-2025-11683.

[ Tests ]
Done explicitly with a test case triggering the issue. Additionally
run the autopkgtests on reverse dependencies as per
https://debusine.debian.net/debian/developers/work-request/207206/ .

[ Risks ]
It is the upstream/cpan-authors patch, merged and targeted for the fix, so
I would say rather low.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Regards,
Salvatore
diff -Nru libyaml-syck-perl-1.34/debian/changelog 
libyaml-syck-perl-1.34/debian/changelog
--- libyaml-syck-perl-1.34/debian/changelog     2022-10-16 05:30:29.000000000 
+0200
+++ libyaml-syck-perl-1.34/debian/changelog     2025-10-17 06:52:50.000000000 
+0200
@@ -1,3 +1,11 @@
+libyaml-syck-perl (1.34-2+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * Address memory corruption leading to 'str' value being set on empty keys
+    (CVE-2025-11683)
+
+ -- Salvatore Bonaccorso <[email protected]>  Fri, 17 Oct 2025 06:52:50 +0200
+
 libyaml-syck-perl (1.34-2) unstable; urgency=medium
 
   [ Jenkins ]
diff -Nru 
libyaml-syck-perl-1.34/debian/patches/Address-memory-corruption-leading-to-str-value-being.patch
 
libyaml-syck-perl-1.34/debian/patches/Address-memory-corruption-leading-to-str-value-being.patch
--- 
libyaml-syck-perl-1.34/debian/patches/Address-memory-corruption-leading-to-str-value-being.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
libyaml-syck-perl-1.34/debian/patches/Address-memory-corruption-leading-to-str-value-being.patch
    2025-10-17 06:52:50.000000000 +0200
@@ -0,0 +1,68 @@
+From: Timothy Legge <[email protected]>
+Date: Thu, 9 Oct 2025 23:12:45 -0300
+Subject: Address memory corruption leading to 'str' value being set on empty
+ keys
+Origin: 
https://github.com/cpan-authors/YAML-Syck/commit/dcf4c8477b82ef439f43fd20dc099082d096df02
+Bug: https://github.com/cpan-authors/YAML-Syck/pull/65
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-11683
+
+When yaml is parsed, qstr is allocated
+
+In cases when the keys point to empty values there is no value
+
+copied to qstr and no null value is copied in
+---
+ perl_syck.h | 3 ---
+ token.c     | 6 +++++-
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/token.c
++++ b/token.c
+@@ -1552,6 +1552,7 @@ Plain:
+         int qidx = 0;
+         int qcapa = 100;
+         char *qstr = S_ALLOC_N( char, qcapa );
++        qstr[0] = '\0';
+         SyckLevel *plvl;
+         int parentIndent;
+ 
+@@ -1804,6 +1805,7 @@ SingleQuote:
+         int qidx = 0;
+         int qcapa = 100;
+         char *qstr = S_ALLOC_N( char, qcapa );
++        qstr[0] = '\0';
+ 
+ SingleQuote2:
+         YYTOKEN = YYCURSOR;
+@@ -1962,6 +1964,7 @@ DoubleQuote:
+         int qidx = 0;
+         int qcapa = 100;
+         char *qstr = S_ALLOC_N( char, qcapa );
++        qstr[0] = '\0';
+ 
+ DoubleQuote2:
+         YYTOKEN = YYCURSOR;
+@@ -2232,6 +2235,7 @@ TransferMethod:
+         int qidx = 0;
+         int qcapa = 100;
+         char *qstr = S_ALLOC_N( char, qcapa );
++        qstr[0] = '\0';
+ 
+ TransferMethod2:
+         YYTOKTMP = YYCURSOR;
+@@ -2450,6 +2454,7 @@ ScalarBlock:
+         SyckLevel *lvl = CURRENT_LEVEL();
+         int parentIndent = -1;
+ 
++        qstr[0] = '\0';
+         switch ( *yyt )
+         {
+             case '|': blockType = BLOCK_LIT; break;
+@@ -2472,7 +2477,6 @@ ScalarBlock:
+             }
+         }
+ 
+-        qstr[0] = '\0';
+         YYTOKEN = YYCURSOR;
+ 
+ ScalarBlock2:
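Review bot: the diffstat in this patch header does not match its body: it lists `perl_syck.h | 3 ---` and `2 files changed, 5 insertions(+), 4 deletions(-)`, yet the only file the embedded hunks touch is token.c, with five `qstr[0] = '\0';` insertions and one deletion. Either the perl_syck.h part of the upstream commit was dropped when backporting (then regenerate the header so the stat matches, or say so in the description), or the header was copied from a different revision of the change. The token.c part itself is sound as far as it goes: S_ALLOC_N does not zero the buffer, so terminating qstr right after allocation makes a key with an empty value produce an empty string instead of whatever the allocator left behind, and in the ScalarBlock hunk the same assignment is moved ahead of the switch so everything between the switch and its old position also sees a terminated buffer.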
diff -Nru libyaml-syck-perl-1.34/debian/patches/series 
libyaml-syck-perl-1.34/debian/patches/series
--- libyaml-syck-perl-1.34/debian/patches/series        2022-10-16 
05:30:29.000000000 +0200
+++ libyaml-syck-perl-1.34/debian/patches/series        2025-10-17 
06:52:50.000000000 +0200
@@ -1 +1,2 @@
 disable-compiler-check.patch
+Address-memory-corruption-leading-to-str-value-being.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.13

This update has been released as part of Debian 12.13.

--- End Message ---