Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
Please unblock package pyyaml RC bug fix. Resolves CVE-2014-9130. unblock pyyaml/3.11-2
diff -u pyyaml-3.11/debian/changelog pyyaml-3.11/debian/changelog
--- pyyaml-3.11/debian/changelog
+++ pyyaml-3.11/debian/changelog
@@ -1,3 +1,11 @@
+pyyaml (3.11-2) unstable; urgency=medium
+
+ * Backport security fix for Reachable Assertion security issue (potential
+ remote DoS) - CVE-2014-9130 (Closes: #772815)
+ - Add debian/patches/CVE-2014-9130-invalid-key-assert.diff
+
+ -- Scott Kitterman <[email protected]> Fri, 12 Dec 2014 08:35:37 -0500
+
 pyyaml (3.11-1) unstable; urgency=medium

 [ Jakub Wilk ]
diff -u pyyaml-3.11/debian/patches/series pyyaml-3.11/debian/patches/series
--- pyyaml-3.11/debian/patches/series
+++ pyyaml-3.11/debian/patches/series
@@ -1,0 +2 @@
+CVE-2014-9130-invalid-key-assert.diff
only in patch2: unchanged:
--- pyyaml-3.11.orig/debian/patches/CVE-2014-9130-invalid-key-assert.diff
+++ pyyaml-3.11/debian/patches/CVE-2014-9130-invalid-key-assert.diff
@@ -0,0 +1,35 @@
+# HG changeset patch
+# User Kirill Simonov <[email protected]>
+# Date 1417197216 21600
+# Node ID ddf211a41bb231c365fece5599b7e484e6dc33fc
+# Parent 263dff6f9664ccdc532283ba5c7b282c0e436a7b
+Removed invalid simple key assertion.
+
+diff --git a/lib/yaml/scanner.py b/lib/yaml/scanner.py
+--- a/lib/yaml/scanner.py
++++ b/lib/yaml/scanner.py
+@@ -297,10 +297,6 @@
+ # Check if a simple key is required at the current position.
+ required = not self.flow_level and self.indent == self.column
+
+- # A simple key is required only if it is the first token in the current
+- # line. Therefore it is always allowed.
+- assert self.allow_simple_key or not required
+-
+ # The next token might be a simple key. Let's save it's number and
+ # position.
+ if self.allow_simple_key:
+diff --git a/lib3/yaml/scanner.py b/lib3/yaml/scanner.py
+--- a/lib3/yaml/scanner.py
++++ b/lib3/yaml/scanner.py
+@@ -297,10 +297,6 @@
+ # Check if a simple key is required at the current position.
+ required = not self.flow_level and self.indent == self.column
+
+- # A simple key is required only if it is the first token in the current
+- # line. Therefore it is always allowed.
+- assert self.allow_simple_key or not required
+-
+ # The next token might be a simple key. Let's save it's number and
+ # position.
+ if self.allow_simple_key:
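Review bot: With the assertion gone, nothing at this point in either scanner.py (lib/ or lib3/) says what happens when `required` is true while `self.allow_simple_key` is false, and the backported patch carries no regression test for that case. The `if self.allow_simple_key:` guard now simply skips saving the key, so presumably the malformed document is rejected later as an ordinary YAML error instead of an AssertionError that callers catching only `yaml.YAMLError` would not handle; a test that loads such a document and expects `yaml.YAMLError` would confirm that. I would also leave a comment where the assert stood, e.g. `# A required simple key can appear here with allow_simple_key unset on malformed input; do not assert, the parser reports the error.` The enclosing function starts and ends outside both inner hunks, so the later use of `required` is not visible here. The patch covers only the pure-Python scanner; loaders backed by the libyaml C library would depend on that library being fixed separately.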

