[libyaml-libyaml-perl] 01/01: Imported Debian patch 0.33-1+squeeze4

Salvatore Bonaccorso carnil at debian.org
Sun Dec 14 15:06:43 UTC 2014


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch squeeze
in repository libyaml-libyaml-perl.

commit 01ecb329e6d8b14520178e09ec953840e12569bf
Author: Thorsten Alteholz <debian at alteholz.de>
Date:   Sun Dec 14 14:05:24 2014 +0100

    Imported Debian patch 0.33-1+squeeze4
---
 debian/changelog                   |  9 +++++++++
 debian/patches/CVE-2014-9130.patch | 28 ++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 38 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 79fd3ea..45afab1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+libyaml-libyaml-perl (0.33-1+squeeze4) squeeze-lts; urgency=high
+
+  * Non-maintainer upload by the Squeeze LTS Team. 
+  * Add CVE-2014-9130.patch patch.
+    Fix CVE-2014-9130: assertion failure caused by wrapped strings.
+    (Closes: #771365)
+
+ -- Thorsten Alteholz <debian at alteholz.de>  Sat, 14 Dec 2014 14:05:24 +0100
+
 libyaml-libyaml-perl (0.33-1+squeeze3) squeeze-security; urgency=high
 
   * Team upload.
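Review bot: The trailer of the new 0.33-1+squeeze4 entry gives the weekday as "Sat, 14 Dec 2014", while the commit header for the same timestamp reads "Sun Dec 14 14:05:24 2014 +0100"; change the weekday to "Sun" so the changelog date is self-consistent and does not trip changelog date checks. The "Non-maintainer upload by the Squeeze LTS Team. " line also ends in trailing whitespace that can be dropped.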
diff --git a/debian/patches/CVE-2014-9130.patch b/debian/patches/CVE-2014-9130.patch
new file mode 100644
index 0000000..82b528c
--- /dev/null
+++ b/debian/patches/CVE-2014-9130.patch
@@ -0,0 +1,28 @@
+Description: Remove invalid simple key assertion
+ CVE-2014-9130: denial-of-service/application crash with untrusted
+ yaml input.
+Origin: upstream, https://bitbucket.org/xi/libyaml/commits/2b9156756423e967cfd09a61d125d883fca6f4f2
+Bug: https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
+Bug-Debian: https://bugs.debian.org/771365
+Forwarded: no
+Author: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2014-11-29
+
+Index: libyaml-libyaml-perl-0.33/LibYAML/scanner.c
+===================================================================
+--- libyaml-libyaml-perl-0.33.orig/LibYAML/scanner.c	2014-12-14 13:46:11.000000000 +0100
++++ libyaml-libyaml-perl-0.33/LibYAML/scanner.c	2014-12-14 13:46:11.000000000 +0100
+@@ -1106,13 +1106,6 @@
+             && parser->indent == (ptrdiff_t)parser->mark.column);
+ 
+     /*
+-     * A simple key is required only when it is the first token in the current
+-     * line.  Therefore it is always allowed.  But we add a check anyway.
+-     */
+-
+-    assert(parser->simple_key_allowed || !required);    /* Impossible. */
+-
+-    /*
+      * If the current position may start a simple key, save it.
+      */
+ 
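Review bot: In the scanner.c hunk at line 1106, deleting the assert removes the only check on the state where required is true while parser->simple_key_allowed is false, and the Description does not say why no replacement handling is needed. The deleted comment labelled that state "Impossible", which the CVE shows is reachable from untrusted input, so please confirm that the block following "If the current position may start a simple key, save it." is conditioned on parser->simple_key_allowed and record that reasoning in the Description, ideally alongside a regression test using a wrapped-string input. Separately, the header pairs "Origin: upstream" with "Forwarded: no"; for a change taken from upstream, "Forwarded: not-needed" is the fitting value.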
diff --git a/debian/patches/series b/debian/patches/series
index 3004f4e..2fcc6cc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ libyaml-string-overflow.patch
 libyaml-node-id-hardening.patch
 libyaml-guard-against-overflows-in-indent-and-flow_level.patch
 CVE-2014-2525.patch
+CVE-2014-9130.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libyaml-libyaml-perl.git


