[perl-YAML-LibYAML/el6] Add fixes for CVE-2013-6393 and CVE-2014-2525
Paul Howarth
pghmcfc at fedoraproject.org
Thu Mar 27 15:18:56 UTC 2014
commit 2e17fd3f16300ddd36d5bf1664bd6eee50a8494e
Author: Paul Howarth <paul at city-fan.org>
Date: Thu Mar 27 13:52:30 2014 +0000
Add fixes for CVE-2013-6393 and CVE-2014-2525
- Fix LibYAML input sanitization errors (CVE-2014-2525)
- Fix heap-based buffer overflow when parsing YAML tags (CVE-2013-6393)
YAML-LibYAML-0.38-CVE-2013-6393.patch | 105 +++++++++++++++++++++++++++++++++
YAML-LibYAML-0.38-CVE-2014-2525.patch | 38 ++++++++++++
perl-YAML-LibYAML.spec | 16 +++++-
3 files changed, 157 insertions(+), 2 deletions(-)
---
diff --git a/YAML-LibYAML-0.38-CVE-2013-6393.patch b/YAML-LibYAML-0.38-CVE-2013-6393.patch
new file mode 100644
index 0000000..61186cb
--- /dev/null
+++ b/YAML-LibYAML-0.38-CVE-2013-6393.patch
@@ -0,0 +1,105 @@
+--- LibYAML/api.c
++++ LibYAML/api.c
+@@ -117,7 +117,12 @@ yaml_string_join(
+ YAML_DECLARE(int)
+ yaml_stack_extend(void **start, void **top, void **end)
+ {
+- void *new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
++ void *new_start;
++
++ if ((char *)*end - (char *)*start >= INT_MAX / 2)
++ return 0;
++
++ new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
+
+ if (!new_start) return 0;
+
+--- LibYAML/scanner.c
++++ LibYAML/scanner.c
+@@ -615,11 +615,11 @@ yaml_parser_decrease_flow_level(yaml_par
+ */
+
+ static int
+-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
+- int number, yaml_token_type_t type, yaml_mark_t mark);
++yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
++ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark);
+
+ static int
+-yaml_parser_unroll_indent(yaml_parser_t *parser, int column);
++yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column);
+
+ /*
+ * Token fetchers.
+@@ -1103,7 +1103,7 @@ yaml_parser_save_simple_key(yaml_parser_
+ */
+
+ int required = (!parser->flow_level
+- && parser->indent == (int)parser->mark.column);
++ && parser->indent == (ptrdiff_t)parser->mark.column);
+
+ /*
+ * A simple key is required only when it is the first token in the current
+@@ -1174,6 +1174,11 @@ yaml_parser_increase_flow_level(yaml_par
+
+ /* Increase the flow level. */
+
++ if (parser->flow_level == INT_MAX) {
++ parser->error = YAML_MEMORY_ERROR;
++ return 0;
++ }
++
+ parser->flow_level++;
+
+ return 1;
+@@ -1204,8 +1209,8 @@ yaml_parser_decrease_flow_level(yaml_par
+ */
+
+ static int
+-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
+- int number, yaml_token_type_t type, yaml_mark_t mark)
++yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
++ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark)
+ {
+ yaml_token_t token;
+
+@@ -1224,6 +1229,11 @@ yaml_parser_roll_indent(yaml_parser_t *p
+ if (!PUSH(parser, parser->indents, parser->indent))
+ return 0;
+
++ if (column > INT_MAX) {
++ parser->error = YAML_MEMORY_ERROR;
++ return 0;
++ }
++
+ parser->indent = column;
+
+ /* Create a token and insert it into the queue. */
+@@ -1252,7 +1262,7 @@ yaml_parser_roll_indent(yaml_parser_t *p
+
+
+ static int
+-yaml_parser_unroll_indent(yaml_parser_t *parser, int column)
++yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column)
+ {
+ yaml_token_t token;
+
+@@ -2572,7 +2582,7 @@ yaml_parser_scan_tag_uri(yaml_parser_t *
+
+ /* Resize the string to include the head. */
+
+- while (string.end - string.start <= (int)length) {
++ while ((size_t)(string.end - string.start) <= length) {
+ if (!yaml_string_extend(&string.start, &string.pointer, &string.end)) {
+ parser->error = YAML_MEMORY_ERROR;
+ goto error;
+--- LibYAML/yaml_private.h
++++ LibYAML/yaml_private.h
+@@ -7,6 +7,7 @@
+
+ #include <assert.h>
+ #include <limits.h>
++#include <stddef.h>
+
+ /*
+ * Memory management.
diff --git a/YAML-LibYAML-0.38-CVE-2014-2525.patch b/YAML-LibYAML-0.38-CVE-2014-2525.patch
new file mode 100644
index 0000000..8dfa5b0
--- /dev/null
+++ b/YAML-LibYAML-0.38-CVE-2014-2525.patch
@@ -0,0 +1,38 @@
+Description: CVE-2014-2525: Fixes heap overflow in yaml_parser_scan_uri_escapes
+ The heap overflow is caused by not properly expanding a string before
+ writing to it in function yaml_parser_scan_uri_escapes in scanner.c.
+
+Origin: backport, https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048
+Author: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2014-03-20
+Applied-Upstream: 0.1.6
+
+--- LibYAML/scanner.c
++++ LibYAML/scanner.c
+@@ -2617,6 +2617,9 @@ yaml_parser_scan_tag_uri(yaml_parser_t *
+ /* Check if it is a URI-escape sequence. */
+
+ if (CHECK(parser->buffer, '%')) {
++ if (!STRING_EXTEND(parser, string))
++ goto error;
++
+ if (!yaml_parser_scan_uri_escapes(parser,
+ directive, start_mark, &string)) goto error;
+ }
+--- LibYAML/yaml_private.h
++++ LibYAML/yaml_private.h
+@@ -127,9 +127,12 @@ yaml_string_join(
+ (string).start = (string).pointer = (string).end = 0)
+
+ #define STRING_EXTEND(context,string) \
+- (((string).pointer+5 < (string).end) \
++ ((((string).pointer+5 < (string).end) \
+ || yaml_string_extend(&(string).start, \
+- &(string).pointer, &(string).end))
++ &(string).pointer, &(string).end)) ? \
++ 1 : \
++ ((context)->error = YAML_MEMORY_ERROR, \
++ 0))
+
+ #define CLEAR(context,string) \
+ ((string).pointer = (string).start, \
diff --git a/perl-YAML-LibYAML.spec b/perl-YAML-LibYAML.spec
index 28a77e1..f069d96 100644
--- a/perl-YAML-LibYAML.spec
+++ b/perl-YAML-LibYAML.spec
@@ -1,12 +1,14 @@
Name: perl-YAML-LibYAML
Version: 0.38
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: Perl YAML Serialization using XS and libyaml
License: GPL+ or Artistic
Group: Development/Libraries
URL: http://search.cpan.org/dist/YAML-LibYAML/
Source0: http://search.cpan.org/CPAN/authors/id/I/IN/INGY/YAML-LibYAML-%{version}.tar.gz
Patch0: YAML-LibYAML-0.35-format-error.patch
+Patch1: YAML-LibYAML-0.38-CVE-2014-2525.patch
+Patch2: YAML-LibYAML-0.38-CVE-2013-6393.patch
# Install
BuildRequires: perl(Cwd)
@@ -50,6 +52,12 @@ bound to Python and was later bound to Ruby.
# Fix format string vulnerabilities (CVE-2012-1152, CPAN RT#46507)
%patch0 -p1
+# Fix LibYAML input sanitization errors (CVE-2014-2525)
+%patch1
+
+# Fix heap-based buffer overflow when parsing YAML tags (CVE-2013-6393)
+%patch2
+
%build
perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}"
make %{?_smp_mflags}
@@ -71,6 +79,10 @@ make test
%{_mandir}/man3/YAML::XS::LibYAML.3pm*
%changelog
+* Thu Mar 27 2014 Paul Howarth <paul at city-fan.org> - 0.38-4
+- Fix LibYAML input sanitization errors (CVE-2014-2525)
+- Fix heap-based buffer overflow when parsing YAML tags (CVE-2013-6393)
+
* Mon Jun 11 2012 Petr Pisar <ppisar at redhat.com> - 0.38-3
- Perl 5.16 rebuild
- Build-require Data::Dumper
@@ -109,7 +121,7 @@ make test
* Wed Sep 29 2010 jkeating - 0.34-2
- Rebuilt for gcc bug 634757
-* Fri Sep 23 2010 Marcela Mašláňová <mmaslano at redhat.com> - 0.34-1
+* Fri Sep 24 2010 Marcela Mašláňová <mmaslano at redhat.com> - 0.34-1
- update
* Thu Jun 3 2010 Marcela Maslanova <mmaslano at redhat.com> - 0.33-1
More information about the perl-devel
mailing list