[libyaml/el5] Add updated indent/flow patches for CVE-2013-6393 (bz1063867)

John Eckersberg jeckersb at fedoraproject.org
Tue Feb 11 17:04:49 UTC 2014


commit ff22cc8ea942e9815090c769cf8d94d577589db2
Author: John Eckersberg <jeckersb at redhat.com>
Date:   Tue Feb 11 12:05:21 2014 -0500

    Add updated indent/flow patches for CVE-2013-6393 (bz1063867)

 ...2013-6393-indent-and-flow-overflow-1-of-3.patch |   86 ++++++++++++
 ...2013-6393-indent-and-flow-overflow-2-of-3.patch |   33 +++++
 ...2013-6393-indent-and-flow-overflow-3-of-3.patch |   35 +++++
 ...l-CVE-2013-6393-indent-column-overflow-v2.patch |  140 --------------------
 libyaml.spec                                       |   11 ++-
 5 files changed, 163 insertions(+), 142 deletions(-)
---
diff --git a/libyaml-CVE-2013-6393-indent-and-flow-overflow-1-of-3.patch b/libyaml-CVE-2013-6393-indent-and-flow-overflow-1-of-3.patch
new file mode 100644
index 0000000..777f148
--- /dev/null
+++ b/libyaml-CVE-2013-6393-indent-and-flow-overflow-1-of-3.patch
@@ -0,0 +1,86 @@
+# HG changeset patch
+# User Kirill Simonov <xi at resolvent.net>
+# Date 1391406104 21600
+#      Sun Feb 02 23:41:44 2014 -0600
+# Node ID f859ed1eb757a3562b98a28a8ce69274bfd4b3f2
+# Parent  da9bc6f12781a583076c7b60d057df5d7b50f96f
+Guard against overflows in indent and flow_level.
+
+diff -r da9bc6f12781 -r f859ed1eb757 src/scanner.c
+--- a/src/scanner.c	Sun Feb 02 20:54:05 2014 -0600
++++ b/src/scanner.c	Sun Feb 02 23:41:44 2014 -0600
+@@ -615,11 +615,11 @@
+  */
+ 
+ static int
+-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
+-        int number, yaml_token_type_t type, yaml_mark_t mark);
++yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
++        ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark);
+ 
+ static int
+-yaml_parser_unroll_indent(yaml_parser_t *parser, int column);
++yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column);
+ 
+ /*
+  * Token fetchers.
+@@ -1103,7 +1103,7 @@
+      */
+ 
+     int required = (!parser->flow_level
+-            && parser->indent == (int)parser->mark.column);
++            && parser->indent == (ptrdiff_t)parser->mark.column);
+ 
+     /*
+      * A simple key is required only when it is the first token in the current
+@@ -1176,6 +1176,9 @@
+ 
+     /* Increase the flow level. */
+ 
++    if (parser->flow_level == INT_MAX)
++        return 0;
++
+     parser->flow_level++;
+ 
+     return 1;
+@@ -1206,8 +1209,8 @@
+  */
+ 
+ static int
+-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
+-        int number, yaml_token_type_t type, yaml_mark_t mark)
++yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
++        ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark)
+ {
+     yaml_token_t token;
+ 
+@@ -1226,6 +1229,9 @@
+         if (!PUSH(parser, parser->indents, parser->indent))
+             return 0;
+ 
++        if (column > INT_MAX)
++            return 0;
++
+         parser->indent = column;
+ 
+         /* Create a token and insert it into the queue. */
+@@ -1254,7 +1260,7 @@
+ 
+ 
+ static int
+-yaml_parser_unroll_indent(yaml_parser_t *parser, int column)
++yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column)
+ {
+     yaml_token_t token;
+ 
+diff -r da9bc6f12781 -r f859ed1eb757 src/yaml_private.h
+--- a/src/yaml_private.h	Sun Feb 02 20:54:05 2014 -0600
++++ b/src/yaml_private.h	Sun Feb 02 23:41:44 2014 -0600
+@@ -7,6 +7,7 @@
+ 
+ #include <assert.h>
+ #include <limits.h>
++#include <stddef.h>
+ 
+ /*
+  * Memory management.
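Review bot: The new `if (column > INT_MAX)` guard in yaml_parser_roll_indent is placed after `PUSH(parser, parser->indents, parser->indent)`, so on the overflow path the indents stack already carries an entry that parser->indent never comes to reflect; the failure return makes this harmless in practice, but hoisting the check above the PUSH keeps the stack and parser->indent consistent and avoids a pointless push. The guard exists because column is now ptrdiff_t while parser->indent appears to stay a plain int (the `(int)parser->mark.column` comparison this hunk replaces suggests the public struct field was not widened) — worth a comment such as `/* parser->indent is an int; refuse columns it cannot hold. */`. The missing error state on these early returns is already addressed by 3-of-3 in this same commit. The bodies of yaml_parser_roll_indent and of the flow-level increment continue outside the embedded hunks.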
diff --git a/libyaml-CVE-2013-6393-indent-and-flow-overflow-2-of-3.patch b/libyaml-CVE-2013-6393-indent-and-flow-overflow-2-of-3.patch
new file mode 100644
index 0000000..be6fc05
--- /dev/null
+++ b/libyaml-CVE-2013-6393-indent-and-flow-overflow-2-of-3.patch
@@ -0,0 +1,33 @@
+# HG changeset patch
+# User Kirill Simonov <xi at resolvent.net>
+# Date 1391408806 21600
+#      Mon Feb 03 00:26:46 2014 -0600
+# Node ID 0df2fb962294f3a6df1450a3e08c6a0f74f9078c
+# Parent  f859ed1eb757a3562b98a28a8ce69274bfd4b3f2
+Limit input size to SIZE_MAX/2.
+
+diff -r f859ed1eb757 -r 0df2fb962294 src/reader.c
+--- a/src/reader.c	Sun Feb 02 23:41:44 2014 -0600
++++ b/src/reader.c	Mon Feb 03 00:26:46 2014 -0600
+@@ -460,6 +460,10 @@
+ 
+     }
+ 
++    if (parser->offset >= PTRDIFF_MAX)
++        return yaml_parser_set_reader_error(parser, "input is too long",
++                PTRDIFF_MAX, -1);
++
+     return 1;
+ }
+ 
+diff -r f859ed1eb757 -r 0df2fb962294 src/yaml_private.h
+--- a/src/yaml_private.h	Sun Feb 02 23:41:44 2014 -0600
++++ b/src/yaml_private.h	Mon Feb 03 00:26:46 2014 -0600
+@@ -8,6 +8,7 @@
+ #include <assert.h>
+ #include <limits.h>
+ #include <stddef.h>
++#include <stdint.h>
+ 
+ /*
+  * Memory management.
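Review bot: The `parser->offset >= PTRDIFF_MAX` check added to src/reader.c carries no comment explaining why the reader, rather than the scanner, enforces the limit; a reader of this series has to know that 1-of-3 casts parser->mark.column to ptrdiff_t and that column presumably never exceeds offset. A line above the check such as `/* Keep offset (and so mark.column) within ptrdiff_t range; scanner.c casts marks to ptrdiff_t. */` would record that dependency. The patch header says SIZE_MAX/2 while the code compares against PTRDIFF_MAX; the two coincide on the usual flat-memory ABIs but are not the same constant, so the header could name PTRDIFF_MAX. The enclosing function in reader.c starts outside the embedded hunk.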
diff --git a/libyaml-CVE-2013-6393-indent-and-flow-overflow-3-of-3.patch b/libyaml-CVE-2013-6393-indent-and-flow-overflow-3-of-3.patch
new file mode 100644
index 0000000..1d686f4
--- /dev/null
+++ b/libyaml-CVE-2013-6393-indent-and-flow-overflow-3-of-3.patch
@@ -0,0 +1,35 @@
+# HG changeset patch
+# User Kirill Simonov <xi at resolvent.net>
+# Date 1391409843 21600
+#      Mon Feb 03 00:44:03 2014 -0600
+# Node ID af3599437a87162554787c52d8b16eab553f537b
+# Parent  0df2fb962294f3a6df1450a3e08c6a0f74f9078c
+Forgot to set the error state.
+
+diff -r 0df2fb962294 -r af3599437a87 src/scanner.c
+--- a/src/scanner.c	Mon Feb 03 00:26:46 2014 -0600
++++ b/src/scanner.c	Mon Feb 03 00:44:03 2014 -0600
+@@ -1176,8 +1176,10 @@
+ 
+     /* Increase the flow level. */
+ 
+-    if (parser->flow_level == INT_MAX)
++    if (parser->flow_level == INT_MAX) {
++        parser->error = YAML_MEMORY_ERROR;
+         return 0;
++    }
+ 
+     parser->flow_level++;
+ 
+@@ -1229,8 +1231,10 @@
+         if (!PUSH(parser, parser->indents, parser->indent))
+             return 0;
+ 
+-        if (column > INT_MAX)
++        if (column > INT_MAX) {
++            parser->error = YAML_MEMORY_ERROR;
+             return 0;
++        }
+ 
+         parser->indent = column;
+ 
diff --git a/libyaml.spec b/libyaml.spec
index dc83e05..e02a897 100644
--- a/libyaml.spec
+++ b/libyaml.spec
@@ -4,7 +4,7 @@
 
 Name:       libyaml
 Version:    0.1.2
-Release:    5%{?dist}
+Release:    6%{?dist}
 Summary:    YAML 1.1 parser and emitter written in C
 
 Group:      System Environment/Libraries
@@ -17,7 +17,9 @@ BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 # https://bugzilla.redhat.com/show_bug.cgi?id=1033990
 Patch0:     libyaml-CVE-2013-6393-string-overflow.patch
 Patch1:     libyaml-CVE-2013-6393-node-id-hardening.patch
-Patch2:     libyaml-CVE-2013-6393-indent-column-overflow-v2.patch
+Patch2:     libyaml-CVE-2013-6393-indent-and-flow-overflow-1-of-3.patch
+Patch3:     libyaml-CVE-2013-6393-indent-and-flow-overflow-2-of-3.patch
+Patch4:     libyaml-CVE-2013-6393-indent-and-flow-overflow-3-of-3.patch
 
 %description
 YAML is a data serialization format designed for human readability and
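Review bot: The comment above the patch list still cites only bug 1033990, while the new Patch2–Patch4 series is tracked under bz1063867 according to this commit's changelog entry. Adding `# https://bugzilla.redhat.com/show_bug.cgi?id=1063867` directly above Patch2 keeps the provenance of each patch discoverable from the spec alone. The replaced v2 patch is listed as deleted in the diffstat, but its removal is not shown on this page.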
@@ -41,6 +43,8 @@ developing applications that use LibYAML.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
 
 %build
 %configure
@@ -81,6 +85,9 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Tue Feb 11 2014 John Eckersberg <jeckersb at redhat.com> - 0.1.2-6
+- Add updated indent/flow patches for CVE-2013-6393 (bz1063867)
+
 * Wed Jan 29 2014 John Eckersberg <jeckersb at redhat.com> - 0.1.2-5
 - Add patches for CVE-2013-6393 (bz1033990)
 

