
Bug#772969: marked as done (unblock: pyyaml/3.11-2)



Your message dated Fri, 12 Dec 2014 16:53:51 +0000
with message-id <db304c79e7563e3efb82b9459a59a13c@mail.adsl.funky-badger.org>
and subject line Re: Bug#772969: unblock: pyyaml/3.11-2
has caused the Debian Bug report #772969,
regarding unblock: pyyaml/3.11-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
772969: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772969
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package pyyaml

RC bug fix.  Resolves CVE-2014-9130.

unblock pyyaml/3.11-2
diff -u pyyaml-3.11/debian/changelog pyyaml-3.11/debian/changelog
--- pyyaml-3.11/debian/changelog
+++ pyyaml-3.11/debian/changelog
@@ -1,3 +1,11 @@
+pyyaml (3.11-2) unstable; urgency=medium
+
+  * Backport security fix for Reachable Assertion security issue (potential
+    remote DoS) - CVE-2014-9130 (Closes: #772815)
+    - Add debian/patches/CVE-2014-9130-invalid-key-assert.diff
+
+ -- Scott Kitterman <scott@kitterman.com>  Fri, 12 Dec 2014 08:35:37 -0500
+
 pyyaml (3.11-1) unstable; urgency=medium
 
   [ Jakub Wilk ]
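Review bot: urgency=medium on the new 3.11-2 entry looks low for an upload whose only change is a fix the entry itself describes as a potential remote DoS (CVE-2014-9130). Consider urgency=high, or say in the unblock request why medium is sufficient. The first bullet also reads "security fix for Reachable Assertion security issue"; dropping one "security" would tighten it.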
diff -u pyyaml-3.11/debian/patches/series pyyaml-3.11/debian/patches/series
--- pyyaml-3.11/debian/patches/series
+++ pyyaml-3.11/debian/patches/series
@@ -1,0 +2 @@
+CVE-2014-9130-invalid-key-assert.diff
only in patch2:
unchanged:
--- pyyaml-3.11.orig/debian/patches/CVE-2014-9130-invalid-key-assert.diff
+++ pyyaml-3.11/debian/patches/CVE-2014-9130-invalid-key-assert.diff
@@ -0,0 +1,35 @@
+# HG changeset patch
+# User Kirill Simonov <xi@resolvent.net>
+# Date 1417197216 21600
+# Node ID ddf211a41bb231c365fece5599b7e484e6dc33fc
+# Parent  263dff6f9664ccdc532283ba5c7b282c0e436a7b
+Removed invalid simple key assertion.
+
+diff --git a/lib/yaml/scanner.py b/lib/yaml/scanner.py
+--- a/lib/yaml/scanner.py
++++ b/lib/yaml/scanner.py
+@@ -297,10 +297,6 @@
+         # Check if a simple key is required at the current position.
+         required = not self.flow_level and self.indent == self.column
+ 
+-        # A simple key is required only if it is the first token in the current
+-        # line. Therefore it is always allowed.
+-        assert self.allow_simple_key or not required
+-
+         # The next token might be a simple key. Let's save it's number and
+         # position.
+         if self.allow_simple_key:
+diff --git a/lib3/yaml/scanner.py b/lib3/yaml/scanner.py
+--- a/lib3/yaml/scanner.py
++++ b/lib3/yaml/scanner.py
+@@ -297,10 +297,6 @@
+         # Check if a simple key is required at the current position.
+         required = not self.flow_level and self.indent == self.column
+ 
+-        # A simple key is required only if it is the first token in the current
+-        # line. Therefore it is always allowed.
+-        assert self.allow_simple_key or not required
+-
+         # The next token might be a simple key. Let's save it's number and
+         # position.
+         if self.allow_simple_key:
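Review bot: the backported patch deletes `assert self.allow_simple_key or not required` in both lib/yaml/scanner.py and lib3/yaml/scanner.py but puts nothing in its place and adds no test, so the case where `required` is true and `allow_simple_key` is false now passes silently over the `if self.allow_simple_key:` guard. Since the removed comment claimed a required simple key "is always allowed", the patch description should say what the scanner does with input that violates that claim, and a regression test using the input from #772815 would confirm it ends in a normal parse error rather than an AssertionError. Python strips `assert` statements under -O, so this check never ran in optimized mode, which supports removing it rather than keeping an assertion on untrusted input. The patch file carries only the HG changeset header; adding Origin and Bug-Debian fields would make the backport traceable from debian/patches.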

--- End Message ---
--- Begin Message ---
On 2014-12-12 15:56, Scott Kitterman wrote:
> Please unblock package pyyaml
>
> RC bug fix.  Resolves CVE-2014-9130.

Unblocked, thanks.

Regards,

Adam

--- End Message ---
