This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch squeeze
in repository libyaml-libyaml-perl.

commit 51169717d030108c4c86fbf0d6958b1b2021ad0f
Author: Salvatore Bonaccorso <car...@debian.org>
Date:   Sun Mar 23 08:28:23 2014 +0100

    Add CVE-2014-2525.patch patch
    
    CVE-2014-2525: Heap overflow when parsing YAML tags.
    
    The heap overflow is caused by not properly expanding a string before
    writing to it in function yaml_parser_scan_uri_escapes in scanner.c.
---
 debian/patches/CVE-2014-2525.patch | 35 +++++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 2 files changed, 36 insertions(+)

diff --git a/debian/patches/CVE-2014-2525.patch 
b/debian/patches/CVE-2014-2525.patch
new file mode 100644
index 0000000..d80a9a6
--- /dev/null
+++ b/debian/patches/CVE-2014-2525.patch
@@ -0,0 +1,35 @@
+Description: CVE-2014-2525: Heap overflow when parsing YAML tags
+  The heap overflow is caused by not properly expanding a string before
+  writing to it in function yaml_parser_scan_uri_escapes in scanner.c. 
+Origin: upstream
+Last-Update: 2014-03-23
+
+--- a/LibYAML/scanner.c
++++ b/LibYAML/scanner.c
+@@ -2627,6 +2627,9 @@
+         /* Check if it is a URI-escape sequence. */
+ 
+         if (CHECK(parser->buffer, '%')) {
++            if (!STRING_EXTEND(parser, string))
++                goto error;
++
+             if (!yaml_parser_scan_uri_escapes(parser,
+                         directive, start_mark, &string)) goto error;
+         }
+--- a/LibYAML/yaml_private.h
++++ b/LibYAML/yaml_private.h
+@@ -128,9 +128,12 @@
+      (string).start = (string).pointer = (string).end = 0)
+ 
+ #define STRING_EXTEND(context,string)                                         
  \
+-    (((string).pointer+5 < (string).end)                                      
  \
++    ((((string).pointer+5 < (string).end)                                     
  \
+         || yaml_string_extend(&(string).start,                                
  \
+-            &(string).pointer, &(string).end))
++            &(string).pointer, &(string).end)) ?                              
  \
++         1 :                                                                  
  \
++        ((context)->error = YAML_MEMORY_ERROR,                                
  \
++         0))
+ 
+ #define CLEAR(context,string)                                                 
  \
+     ((string).pointer = (string).start,                                       
  \
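Review bot: The `STRING_EXTEND(parser, string)` guard added before `yaml_parser_scan_uri_escapes` in the scanner.c hunk only secures the headroom the macro tests for (`(string).pointer+5 < (string).end`, or one successful `yaml_string_extend`), and nothing at the call site records that the callee must stay within that per call. Going by the commit description, the callee writes to the string without expanding it, but its body and the enclosing loop are outside this hunk, so the bound cannot be confirmed from here. A comment above the new check, such as `/* scan_uri_escapes appends decoded octets without extending; its per-call output must fit the STRING_EXTEND headroom */`, would keep a later change to either side from silently reopening the overflow. Separately, the DEP-3 header says only `Origin: upstream`; `Origin: upstream, <URL-of-upstream-commit>` would let the backport be checked against the original fix.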
diff --git a/debian/patches/series b/debian/patches/series
index 9119dca..3004f4e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ format-error.patch
 libyaml-string-overflow.patch
 libyaml-node-id-hardening.patch
 libyaml-guard-against-overflows-in-indent-and-flow_level.patch
+CVE-2014-2525.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-perl/packages/libyaml-libyaml-perl.git
