Hello community, here is the log from the commit of package yaml-cpp for openSUSE:Factory checked in at 2018-02-15 13:27:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yaml-cpp (Old) and /work/SRC/openSUSE:Factory/.yaml-cpp.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yaml-cpp"
Thu Feb 15 13:27:29 2018 rev:13 rq:576821 version:0.6.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/yaml-cpp/yaml-cpp.changes 2018-02-06 16:47:10.177639992 +0100
+++ /work/SRC/openSUSE:Factory/.yaml-cpp.new/yaml-cpp.changes 2018-02-15 13:27:32.543538520 +0100
@@ -1,0 +2,7 @@
+Wed Feb 14 16:01:53 UTC 2018 - [email protected]
+
+- Security fix: [bsc#1032144, CVE-2017-5950]
+ * Stack overflow in SingleDocParser::HandleNode() function
+ * Added patch yaml-cpp-CVE-2017-5950.patch
+
+-------------------------------------------------------------------
New:
----
yaml-cpp-CVE-2017-5950.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ yaml-cpp.spec ++++++
--- /var/tmp/diff_new_pack.6DhoZt/_old 2018-02-15 13:27:33.211514258 +0100
+++ /var/tmp/diff_new_pack.6DhoZt/_new 2018-02-15 13:27:33.211514258 +0100
@@ -28,6 +28,8 @@
 # PATCH-FIX-UPSTREAM: do not override opts for linker as distro provides
 # correct ones
 Patch0: yaml-cpp-fix-pie.patch
+# PATCH-FIX-UPSTREAM bsc#1032144 CVE-2017-5950 Stack overflow in SingleDocParser::HandleNode()
+Patch1: yaml-cpp-CVE-2017-5950.patch
 BuildRequires: cmake
 BuildRequires: pkgconfig
 BuildRequires: sed
@@ -60,6 +62,7 @@
 %prep
 %setup -q -n %{name}-%{name}-%{version}
 %patch0 -p1
+%patch1 -p1
 %build
 export CC=gcc
++++++ yaml-cpp-CVE-2017-5950.patch ++++++
Index: yaml-cpp-yaml-cpp-0.6.1/src/singledocparser.cpp
===================================================================
--- yaml-cpp-yaml-cpp-0.6.1.orig/src/singledocparser.cpp
+++ yaml-cpp-yaml-cpp-0.6.1/src/singledocparser.cpp
@@ -46,6 +46,9 @@ void SingleDocParser::HandleDocument(Eve
 }
 void SingleDocParser::HandleNode(EventHandler& eventHandler) {
+ if (depth > depth_limit) {
+ throw ParserException(m_scanner.mark(), ErrorMsg::BAD_FILE);
+ }
 // an empty node *is* a possibility
 if (m_scanner.empty()) {
 eventHandler.OnNull(m_scanner.mark(), NullAnchor);
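Review bot: The new guard at the top of HandleNode rejects an over-deep document with the generic `ErrorMsg::BAD_FILE`, which gives the caller no hint that a nesting limit was hit rather than some other malformed-input condition; a dedicated error message for exceeding the nesting limit would make such rejections diagnosable in logs. The comparison `depth > depth_limit` also admits `depth_limit + 1` nested collections, so `if (depth >= depth_limit)` reads more naturally as a hard limit. The check carries no explanation, and a one-liner such as `// refuse pathologically nested documents before recursing (CVE-2017-5950)` would record why a fixed limit exists. The guard only covers recursion that re-enters HandleNode; HandleMap and HandleSequence lie outside this hunk, so it is worth confirming that no other path recurses into them. HandleNode's body continues past the end of the hunk.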
@@ -57,9 +60,11 @@ void SingleDocParser::HandleNode(EventHa
 // special case: a value node by itself must be a map, with no header
 if (m_scanner.peek().type == Token::VALUE) {
+ depth++;
 eventHandler.OnMapStart(mark, "?", NullAnchor, EmitterStyle::Default);
 HandleMap(eventHandler);
 eventHandler.OnMapEnd();
+ depth--;
 return;
 }
@@ -94,32 +99,42 @@ void SingleDocParser::HandleNode(EventHa
 m_scanner.pop();
 return;
 case Token::FLOW_SEQ_START:
+ depth++;
 eventHandler.OnSequenceStart(mark, tag, anchor, EmitterStyle::Flow);
 HandleSequence(eventHandler);
 eventHandler.OnSequenceEnd();
+ depth--;
 return;
 case Token::BLOCK_SEQ_START:
+ depth++;
 eventHandler.OnSequenceStart(mark, tag, anchor, EmitterStyle::Block);
 HandleSequence(eventHandler);
 eventHandler.OnSequenceEnd();
+ depth--;
 return;
 case Token::FLOW_MAP_START:
+ depth++;
 eventHandler.OnMapStart(mark, tag, anchor, EmitterStyle::Flow);
 HandleMap(eventHandler);
 eventHandler.OnMapEnd();
+ depth--;
 return;
 case Token::BLOCK_MAP_START:
+ depth++;
 eventHandler.OnMapStart(mark, tag, anchor, EmitterStyle::Block);
 HandleMap(eventHandler);
 eventHandler.OnMapEnd();
+ depth--;
 return;
 case Token::KEY:
 // compact maps can only go in a flow sequence
 if (m_pCollectionStack->GetCurCollectionType() == CollectionType::FlowSeq) {
+ depth++;
 eventHandler.OnMapStart(mark, tag, anchor, EmitterStyle::Flow);
 HandleMap(eventHandler);
 eventHandler.OnMapEnd();
+ depth--;
 return;
 }
 break;
Index: yaml-cpp-yaml-cpp-0.6.1/src/singledocparser.h
===================================================================
--- yaml-cpp-yaml-cpp-0.6.1.orig/src/singledocparser.h
+++ yaml-cpp-yaml-cpp-0.6.1/src/singledocparser.h
@@ -51,6 +51,8 @@ class SingleDocParser : private noncopya
 anchor_t LookupAnchor(const Mark& mark, const std::string& name) const;
 private:
+ int depth = 0;
+ int depth_limit = 2048;
 Scanner& m_scanner;
 const Directives& m_directives;
 std::unique_ptr<CollectionStack> m_pCollectionStack;
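Review bot: The `depth++` / `depth--` pair added around HandleMap here, and the five identical pairs in the `@@ -94,32 +99,42 @@` hunk, are not exception-safe: a ParserException thrown from inside HandleMap or HandleSequence (including the new depth check itself) skips the decrement, so `depth` stays inflated for as long as this SingleDocParser instance lives. Whether an instance is ever reused after an exception is not visible in this patch; if it can be, later documents parsed through the same instance would be rejected prematurely. A small scope guard that increments on construction and decrements in its destructor removes the hazard and replaces the six hand-written pairs with one line each. The enclosing HandleNode starts before this hunk.
```cpp
// file-local RAII helper: the nesting depth is raised for exactly the
// lifetime of the enclosing scope, even when the nested call throws.
class DepthGuard {
 public:
  explicit DepthGuard(int& depth) : m_depth(depth) { ++m_depth; }
  ~DepthGuard() { --m_depth; }
  DepthGuard(const DepthGuard&) = delete;
  DepthGuard& operator=(const DepthGuard&) = delete;

 private:
  int& m_depth;
};

// … unchanged: start of HandleNode, including the depth_limit check …
  if (m_scanner.peek().type == Token::VALUE) {
    DepthGuard guard(depth);
    eventHandler.OnMapStart(mark, "?", NullAnchor, EmitterStyle::Default);
    HandleMap(eventHandler);
    eventHandler.OnMapEnd();
    return;
  }
// … unchanged: the later case branches, each with the same one-line guard in place of depth++ / depth-- …
```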
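Review bot: `depth_limit` is added as an ordinary mutable data member (`int depth_limit = 2048;`) although nothing in the patch writes to it; `static constexpr int depth_limit = 2048;` states that it is a fixed bound and keeps it out of every instance. Both new members also ignore the `m_` prefix that the neighbouring `m_scanner`, `m_directives` and `m_pCollectionStack` follow. The figure 2048 deserves a comment, e.g. `// maximum map/sequence nesting HandleNode accepts; bounds recursion depth so hostile input cannot exhaust the stack`, and it is worth noting there that the margin it gives depends on the per-frame stack usage and the thread's stack size, neither of which the limit measures.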
