Bug#772969: unblock: pyyaml/3.11-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package pyyaml
RC bug fix. Resolves CVE-2014-9130.
unblock pyyaml/3.11-2
diff -u pyyaml-3.11/debian/changelog pyyaml-3.11/debian/changelog
--- pyyaml-3.11/debian/changelog
+++ pyyaml-3.11/debian/changelog
@@ -1,3 +1,11 @@
+pyyaml (3.11-2) unstable; urgency=medium
+
+ * Backport security fix for Reachable Assertion security issue (potential
+ remote DoS) - CVE-2014-9130 (Closes: #772815)
+ - Add debian/patches/CVE-2014-9130-invalid-key-assert.diff
+
+ -- Scott Kitterman <scott@kitterman.com> Fri, 12 Dec 2014 08:35:37 -0500
+
pyyaml (3.11-1) unstable; urgency=medium
[ Jakub Wilk ]
diff -u pyyaml-3.11/debian/patches/series pyyaml-3.11/debian/patches/series
--- pyyaml-3.11/debian/patches/series
+++ pyyaml-3.11/debian/patches/series
@@ -1,0 +2 @@
+CVE-2014-9130-invalid-key-assert.diff
only in patch2:
unchanged:
--- pyyaml-3.11.orig/debian/patches/CVE-2014-9130-invalid-key-assert.diff
+++ pyyaml-3.11/debian/patches/CVE-2014-9130-invalid-key-assert.diff
@@ -0,0 +1,35 @@
+# HG changeset patch
+# User Kirill Simonov <xi@resolvent.net>
+# Date 1417197216 21600
+# Node ID ddf211a41bb231c365fece5599b7e484e6dc33fc
+# Parent 263dff6f9664ccdc532283ba5c7b282c0e436a7b
+Removed invalid simple key assertion.
+
+diff --git a/lib/yaml/scanner.py b/lib/yaml/scanner.py
+--- a/lib/yaml/scanner.py
++++ b/lib/yaml/scanner.py
+@@ -297,10 +297,6 @@
+ # Check if a simple key is required at the current position.
+ required = not self.flow_level and self.indent == self.column
+
+- # A simple key is required only if it is the first token in the current
+- # line. Therefore it is always allowed.
+- assert self.allow_simple_key or not required
+-
+ # The next token might be a simple key. Let's save it's number and
+ # position.
+ if self.allow_simple_key:
+diff --git a/lib3/yaml/scanner.py b/lib3/yaml/scanner.py
+--- a/lib3/yaml/scanner.py
++++ b/lib3/yaml/scanner.py
+@@ -297,10 +297,6 @@
+ # Check if a simple key is required at the current position.
+ required = not self.flow_level and self.indent == self.column
+
+- # A simple key is required only if it is the first token in the current
+- # line. Therefore it is always allowed.
+- assert self.allow_simple_key or not required
+-
+ # The next token might be a simple key. Let's save it's number and
+ # position.
+ if self.allow_simple_key:
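Review bot: With the assertion removed from both scanner.py copies (lib/ and lib3/, at line 297), nothing in the hunk records that `required` can be true while `self.allow_simple_key` is false, the state the old `assert` treated as impossible although input could reach it. A short comment above `if self.allow_simple_key:` would keep the check from being reintroduced, for example `# Input can require a simple key where none is allowed; never assert on this, malformed documents must be rejected as YAML errors.` The patch also carries no regression test; a case that feeds the scanner a document reaching this state and expects a `yaml.YAMLError` instead of an `AssertionError` would pin the fix, though the hunk does not show which error the later stages raise, so confirm the expected exception first. The enclosing method starts and ends outside the hunk, so how `required` is used after this point cannot be checked from here. If the package also ships the libyaml-backed loader, that path is not touched by this patch and presumably depends on the libyaml fix for the same CVE.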