[libyaml/el5] Add updated indent/flow patches for CVE-2013-6393 (bz1063867)
John Eckersberg
jeckersb at fedoraproject.org
Tue Feb 11 17:04:49 UTC 2014
commit ff22cc8ea942e9815090c769cf8d94d577589db2
Author: John Eckersberg <jeckersb at redhat.com>
Date: Tue Feb 11 12:05:21 2014 -0500
Add updated indent/flow patches for CVE-2013-6393 (bz1063867)
...2013-6393-indent-and-flow-overflow-1-of-3.patch | 86 ++++++++++++
...2013-6393-indent-and-flow-overflow-2-of-3.patch | 33 +++++
...2013-6393-indent-and-flow-overflow-3-of-3.patch | 35 +++++
...l-CVE-2013-6393-indent-column-overflow-v2.patch | 140 --------------------
libyaml.spec | 11 ++-
5 files changed, 163 insertions(+), 142 deletions(-)
---
diff --git a/libyaml-CVE-2013-6393-indent-and-flow-overflow-1-of-3.patch b/libyaml-CVE-2013-6393-indent-and-flow-overflow-1-of-3.patch
new file mode 100644
index 0000000..777f148
--- /dev/null
+++ b/libyaml-CVE-2013-6393-indent-and-flow-overflow-1-of-3.patch
@@ -0,0 +1,86 @@
+# HG changeset patch
+# User Kirill Simonov <xi at resolvent.net>
+# Date 1391406104 21600
+# Sun Feb 02 23:41:44 2014 -0600
+# Node ID f859ed1eb757a3562b98a28a8ce69274bfd4b3f2
+# Parent da9bc6f12781a583076c7b60d057df5d7b50f96f
+Guard against overflows in indent and flow_level.
+
+diff -r da9bc6f12781 -r f859ed1eb757 src/scanner.c
+--- a/src/scanner.c Sun Feb 02 20:54:05 2014 -0600
++++ b/src/scanner.c Sun Feb 02 23:41:44 2014 -0600
+@@ -615,11 +615,11 @@
+ */
+
+ static int
+-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
+- int number, yaml_token_type_t type, yaml_mark_t mark);
++yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
++ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark);
+
+ static int
+-yaml_parser_unroll_indent(yaml_parser_t *parser, int column);
++yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column);
+
+ /*
+ * Token fetchers.
+@@ -1103,7 +1103,7 @@
+ */
+
+ int required = (!parser->flow_level
+- && parser->indent == (int)parser->mark.column);
++ && parser->indent == (ptrdiff_t)parser->mark.column);
+
+ /*
+ * A simple key is required only when it is the first token in the current
+@@ -1176,6 +1176,9 @@
+
+ /* Increase the flow level. */
+
++ if (parser->flow_level == INT_MAX)
++ return 0;
++
+ parser->flow_level++;
+
+ return 1;
+@@ -1206,8 +1209,8 @@
+ */
+
+ static int
+-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
+- int number, yaml_token_type_t type, yaml_mark_t mark)
++yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
++ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark)
+ {
+ yaml_token_t token;
+
+@@ -1226,6 +1229,9 @@
+ if (!PUSH(parser, parser->indents, parser->indent))
+ return 0;
+
++ if (column > INT_MAX)
++ return 0;
++
+ parser->indent = column;
+
+ /* Create a token and insert it into the queue. */
+@@ -1254,7 +1260,7 @@
+
+
+ static int
+-yaml_parser_unroll_indent(yaml_parser_t *parser, int column)
++yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column)
+ {
+ yaml_token_t token;
+
+diff -r da9bc6f12781 -r f859ed1eb757 src/yaml_private.h
+--- a/src/yaml_private.h Sun Feb 02 20:54:05 2014 -0600
++++ b/src/yaml_private.h Sun Feb 02 23:41:44 2014 -0600
+@@ -7,6 +7,7 @@
+
+ #include <assert.h>
+ #include <limits.h>
++#include <stddef.h>
+
+ /*
+ * Memory management.
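Review bot: The new `column > INT_MAX` guard in yaml_parser_roll_indent (the `@@ -1226,6 +1229,9 @@` hunk) is placed after `PUSH(parser, parser->indents, parser->indent)`, so when it rejects an oversized column the old indent has already been pushed while `parser->indent` is left unchanged, and the indents stack no longer mirrors the parser's indent state on the failure path. Moving the two guard lines above the PUSH (`if (column > INT_MAX) return 0;` first, then the PUSH) rejects the input before any state is mutated; 3-of-3 keeps the same ordering and only adds the error code, so it would need the same move. A short comment on why INT_MAX is the bound would also help, presumably because `parser->indent` and `parser->flow_level` remain `int` fields while columns are now `ptrdiff_t` — worth confirming against yaml.h. The bodies of yaml_parser_roll_indent and the flow-level increment begin outside the hunks shown.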
diff --git a/libyaml-CVE-2013-6393-indent-and-flow-overflow-2-of-3.patch b/libyaml-CVE-2013-6393-indent-and-flow-overflow-2-of-3.patch
new file mode 100644
index 0000000..be6fc05
--- /dev/null
+++ b/libyaml-CVE-2013-6393-indent-and-flow-overflow-2-of-3.patch
@@ -0,0 +1,33 @@
+# HG changeset patch
+# User Kirill Simonov <xi at resolvent.net>
+# Date 1391408806 21600
+# Mon Feb 03 00:26:46 2014 -0600
+# Node ID 0df2fb962294f3a6df1450a3e08c6a0f74f9078c
+# Parent f859ed1eb757a3562b98a28a8ce69274bfd4b3f2
+Limit input size to SIZE_MAX/2.
+
+diff -r f859ed1eb757 -r 0df2fb962294 src/reader.c
+--- a/src/reader.c Sun Feb 02 23:41:44 2014 -0600
++++ b/src/reader.c Mon Feb 03 00:26:46 2014 -0600
+@@ -460,6 +460,10 @@
+
+ }
+
++ if (parser->offset >= PTRDIFF_MAX)
++ return yaml_parser_set_reader_error(parser, "input is too long",
++ PTRDIFF_MAX, -1);
++
+ return 1;
+ }
+
+diff -r f859ed1eb757 -r 0df2fb962294 src/yaml_private.h
+--- a/src/yaml_private.h Sun Feb 02 23:41:44 2014 -0600
++++ b/src/yaml_private.h Mon Feb 03 00:26:46 2014 -0600
+@@ -8,6 +8,7 @@
+ #include <assert.h>
+ #include <limits.h>
+ #include <stddef.h>
++#include <stdint.h>
+
+ /*
+ * Memory management.
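Review bot: The changeset header says "Limit input size to SIZE_MAX/2" but the guard in src/reader.c compares `parser->offset` against PTRDIFF_MAX; the two usually coincide, but the real reason is the `ptrdiff_t` conversions introduced in 1-of-3, and a one-line comment above the check would make that dependency explicit, e.g. `/* columns are converted to ptrdiff_t in the scanner; refuse input past PTRDIFF_MAX */`. The check is reached only at the end of this buffer-refill routine; if `parser->offset` is advanced elsewhere between refills (the page does not show where it is incremented), a bounded overshoot past PTRDIFF_MAX is possible before the error fires, so it is worth confirming the scanner's casts tolerate that or leaving headroom of one buffer's worth. The enclosing function starts outside the hunk.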
diff --git a/libyaml-CVE-2013-6393-indent-and-flow-overflow-3-of-3.patch b/libyaml-CVE-2013-6393-indent-and-flow-overflow-3-of-3.patch
new file mode 100644
index 0000000..1d686f4
--- /dev/null
+++ b/libyaml-CVE-2013-6393-indent-and-flow-overflow-3-of-3.patch
@@ -0,0 +1,35 @@
+# HG changeset patch
+# User Kirill Simonov <xi at resolvent.net>
+# Date 1391409843 21600
+# Mon Feb 03 00:44:03 2014 -0600
+# Node ID af3599437a87162554787c52d8b16eab553f537b
+# Parent 0df2fb962294f3a6df1450a3e08c6a0f74f9078c
+Forgot to set the error state.
+
+diff -r 0df2fb962294 -r af3599437a87 src/scanner.c
+--- a/src/scanner.c Mon Feb 03 00:26:46 2014 -0600
++++ b/src/scanner.c Mon Feb 03 00:44:03 2014 -0600
+@@ -1176,8 +1176,10 @@
+
+ /* Increase the flow level. */
+
+- if (parser->flow_level == INT_MAX)
++ if (parser->flow_level == INT_MAX) {
++ parser->error = YAML_MEMORY_ERROR;
+ return 0;
++ }
+
+ parser->flow_level++;
+
+@@ -1229,8 +1231,10 @@
+ if (!PUSH(parser, parser->indents, parser->indent))
+ return 0;
+
+- if (column > INT_MAX)
++ if (column > INT_MAX) {
++ parser->error = YAML_MEMORY_ERROR;
+ return 0;
++ }
+
+ parser->indent = column;
+
diff --git a/libyaml.spec b/libyaml.spec
index dc83e05..e02a897 100644
--- a/libyaml.spec
+++ b/libyaml.spec
@@ -4,7 +4,7 @@
Name: libyaml
Version: 0.1.2
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: YAML 1.1 parser and emitter written in C
Group: System Environment/Libraries
@@ -17,7 +17,9 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
# https://bugzilla.redhat.com/show_bug.cgi?id=1033990
Patch0: libyaml-CVE-2013-6393-string-overflow.patch
Patch1: libyaml-CVE-2013-6393-node-id-hardening.patch
-Patch2: libyaml-CVE-2013-6393-indent-column-overflow-v2.patch
+Patch2: libyaml-CVE-2013-6393-indent-and-flow-overflow-1-of-3.patch
+Patch3: libyaml-CVE-2013-6393-indent-and-flow-overflow-2-of-3.patch
+Patch4: libyaml-CVE-2013-6393-indent-and-flow-overflow-3-of-3.patch
%description
YAML is a data serialization format designed for human readability and
@@ -41,6 +43,8 @@ developing applications that use LibYAML.
%patch0 -p1
%patch1 -p1
%patch2 -p1
+%patch3 -p1
+%patch4 -p1
%build
%configure
@@ -81,6 +85,9 @@ rm -rf %{buildroot}
%changelog
+* Tue Feb 11 2014 John Eckersberg <jeckersb at redhat.com> - 0.1.2-6
+- Add updated indent/flow patches for CVE-2013-6393 (bz1063867)
+
* Wed Jan 29 2014 John Eckersberg <jeckersb at redhat.com> - 0.1.2-5
- Add patches for CVE-2013-6393 (bz1033990)
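Review bot: The comment above the Patch list (`# https://bugzilla.redhat.com/show_bug.cgi?id=1033990`) still points only at the original bug, while the replacement Patch2–Patch4 are tracked under bz1063867 according to the changelog entry. Adding `# https://bugzilla.redhat.com/show_bug.cgi?id=1063867` directly above Patch2 keeps the provenance of the three upstream changesets discoverable from the spec itself rather than only from the changelog.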