--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi Release Team,
Please unblock package libyaml-libyaml-perl
It addresses #771365. Wrapped strings trigger an assertion. Upstream
for libyaml itself removed the assertion an let the parser fail
correctly. libyaml-libyaml-perl is affected from the same issue as it
embedds libyaml. CVE-2014-9130 was assigned for this issue, as
applications using libyaml can be crashed ith untrusted yaml input.
http://www.openwall.com/lists/oss-security/2014/11/28/1
http://security-tracker.debian.org/tracker/CVE-2014-9130
The changelog for the 0.41-6 upload is:
+libyaml-libyaml-perl (0.41-6) unstable; urgency=high
+
+ * Team upload.
+ * Add CVE-2014-9130.patch patch.
+ Fix CVE-2014-9130: assertion failure caused by wrapped strings.
+ (Closes: 771365)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sat, 29 Nov 2014 08:23:09 +0100
Attached is also the full used debdiff.
unblock libyaml-libyaml-perl/0.41-6
Thanks a lot for considering,
Regards,
Salvatore
diff -Nru libyaml-libyaml-perl-0.41/debian/changelog libyaml-libyaml-perl-0.41/debian/changelog
--- libyaml-libyaml-perl-0.41/debian/changelog 2014-03-26 20:03:55.000000000 +0100
+++ libyaml-libyaml-perl-0.41/debian/changelog 2014-11-29 08:33:49.000000000 +0100
@@ -1,3 +1,12 @@
+libyaml-libyaml-perl (0.41-6) unstable; urgency=high
+
+ * Team upload.
+ * Add CVE-2014-9130.patch patch.
+ Fix CVE-2014-9130: assertion failure caused by wrapped strings.
+ (Closes: 771365)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sat, 29 Nov 2014 08:23:09 +0100
+
libyaml-libyaml-perl (0.41-5) unstable; urgency=high
* Team upload.
diff -Nru libyaml-libyaml-perl-0.41/debian/patches/CVE-2014-9130.patch libyaml-libyaml-perl-0.41/debian/patches/CVE-2014-9130.patch
--- libyaml-libyaml-perl-0.41/debian/patches/CVE-2014-9130.patch 1970-01-01 01:00:00.000000000 +0100
+++ libyaml-libyaml-perl-0.41/debian/patches/CVE-2014-9130.patch 2014-11-29 08:33:49.000000000 +0100
@@ -0,0 +1,26 @@
+Description: Remove invalid simple key assertion
+ CVE-2014-9130: denial-of-service/application crash with untrusted
+ yaml input
+Origin: upstream, https://bitbucket.org/xi/libyaml/commits/2b9156756423e967cfd09a61d125d883fca6f4f2
+Bug: https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
+Bug-Debian: https://bugs.debian.org/771365
+Forwarded: no
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2014-11-29
+
+--- a/LibYAML/scanner.c
++++ b/LibYAML/scanner.c
+@@ -1106,13 +1106,6 @@ yaml_parser_save_simple_key(yaml_parser_
+ && parser->indent == (ptrdiff_t)parser->mark.column);
+
+ /*
+- * A simple key is required only when it is the first token in the current
+- * line. Therefore it is always allowed. But we add a check anyway.
+- */
+-
+- assert(parser->simple_key_allowed || !required); /* Impossible. */
+-
+- /*
+ * If the current position may start a simple key, save it.
+ */
+
diff -Nru libyaml-libyaml-perl-0.41/debian/patches/series libyaml-libyaml-perl-0.41/debian/patches/series
--- libyaml-libyaml-perl-0.41/debian/patches/series 2014-03-26 20:03:55.000000000 +0100
+++ libyaml-libyaml-perl-0.41/debian/patches/series 2014-11-29 08:33:49.000000000 +0100
@@ -4,3 +4,4 @@
libyaml-node-id-hardening.patch
libyaml-guard-against-overflows-in-indent-and-flow_level.patch
CVE-2014-2525.patch
+CVE-2014-9130.patch
--- End Message ---
--- Begin Message ---
On 2014-11-29 16:27, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Hi Release Team,
>
> Please unblock package libyaml-libyaml-perl
>
> It addresses #771365. Wrapped strings trigger an assertion. Upstream
> for libyaml itself removed the assertion an let the parser fail
> correctly. libyaml-libyaml-perl is affected from the same issue as it
> embedds libyaml. CVE-2014-9130 was assigned for this issue, as
> applications using libyaml can be crashed ith untrusted yaml input.
>
> http://www.openwall.com/lists/oss-security/2014/11/28/1
> http://security-tracker.debian.org/tracker/CVE-2014-9130
>
> The changelog for the 0.41-6 upload is:
>
> [...]
> Attached is also the full used debdiff.
>
> unblock libyaml-libyaml-perl/0.41-6
>
> Thanks a lot for considering,
>
> Regards,
> Salvatore
>
Unblocked, thanks.
~Niels
--- End Message ---