[libyaml-libyaml-perl] 01/03: Add CVE-2014-9130.patch patch
Salvatore Bonaccorso
carnil at debian.org
Sat Nov 29 07:45:10 UTC 2014
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch master
in repository libyaml-libyaml-perl.
commit e42cdf5b141151e7e3b3d8aba383f285ac1a8eb1
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Sat Nov 29 08:20:21 2014 +0100
Add CVE-2014-9130.patch patch
Fix CVE-2014-9130: assertion failure caused by wrapped strings.
Closes: 771365
---
debian/patches/CVE-2014-9130.patch | 26 ++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 27 insertions(+)
diff --git a/debian/patches/CVE-2014-9130.patch b/debian/patches/CVE-2014-9130.patch
new file mode 100644
index 0000000..3528d7f
--- /dev/null
+++ b/debian/patches/CVE-2014-9130.patch
@@ -0,0 +1,26 @@
+Description: Remove invalid simple key assertion
+ CVE-2014-9130: denial-of-service/application crash with untrusted
+ yaml input
+Origin: upstream, https://bitbucket.org/xi/libyaml/commits/2b9156756423e967cfd09a61d125d883fca6f4f2
+Bug: https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
+Bug-Debian: https://bugs.debian.org/771365
+Forwarded: no
+Author: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2014-11-29
+
+--- a/LibYAML/scanner.c
++++ b/LibYAML/scanner.c
+@@ -1106,13 +1106,6 @@ yaml_parser_save_simple_key(yaml_parser_
+ && parser->indent == (ptrdiff_t)parser->mark.column);
+
+ /*
+- * A simple key is required only when it is the first token in the current
+- * line. Therefore it is always allowed. But we add a check anyway.
+- */
+-
+- assert(parser->simple_key_allowed || !required); /* Impossible. */
+-
+- /*
+ * If the current position may start a simple key, save it.
+ */
+
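Review bot: In the DEP-3 header of the new patch file, `Forwarded: no` contradicts `Origin: upstream, ...`. A patch cherry-picked from an upstream commit is already upstream, so the field should be `Forwarded: not-needed` or be dropped. If the change was taken unmodified from that commit, `Author:` should name the author of the upstream commit rather than the person who imported it. On the scanner.c hunk itself, the deleted assertion was annotated `/* Impossible. */`, yet the linked bug title says wrapped strings trigger it. It would help to add a line to `Description:` stating that `required` with `simple_key_allowed` unset is a reachable state for untrusted input, and confirming that the code following the removed check behaves correctly in that state, so the reason for deleting the check rather than replacing it with an error return is on record.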
diff --git a/debian/patches/series b/debian/patches/series
index d672fb4..ae79641 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ libyaml-string-overflow.patch
libyaml-node-id-hardening.patch
libyaml-guard-against-overflows-in-indent-and-flow_level.patch
CVE-2014-2525.patch
+CVE-2014-9130.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libyaml-libyaml-perl.git