[libyaml] Add patch for CVE-2014-9130 (RHBZ#1169371)
John Eckersberg
jeckersb at fedoraproject.org
Mon Dec 1 15:54:45 UTC 2014
commit e83b799e1f739e557c621c9aabee663b477ad7fc
Author: John Eckersberg <jeckersb at redhat.com>
Date: Mon Dec 1 10:50:02 2014 -0500
Add patch for CVE-2014-9130 (RHBZ#1169371)
libyaml-CVE-2014-9130.patch | 28 ++++++++++++++++++++++++++++
libyaml.spec | 9 ++++++++-
2 files changed, 36 insertions(+), 1 deletions(-)
---
diff --git a/libyaml-CVE-2014-9130.patch b/libyaml-CVE-2014-9130.patch
new file mode 100644
index 0000000..00e15f3
--- /dev/null
+++ b/libyaml-CVE-2014-9130.patch
@@ -0,0 +1,28 @@
+From e6aa721cc0e5a48f408c52355559fd36780ba32a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ingy=20d=C3=B6t=20Net?= <ingy at ingy.net>
+Date: Fri, 28 Nov 2014 09:21:49 -0800
+Subject: [PATCH] Fix for https://bitbucket.org/xi/libyaml/issue/10/
+
+https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
+
+Commenting out the assert makes the scanner do the right thing and
+results in just a simple parse failure.
+---
+ src/scanner.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/scanner.c b/src/scanner.c
+index 88d4fa5..c5f3d2f 100644
+--- a/src/scanner.c
++++ b/src/scanner.c
+@@ -1110,7 +1110,9 @@ yaml_parser_save_simple_key(yaml_parser_t *parser)
+ * line. Therefore it is always allowed. But we add a check anyway.
+ */
+
+- assert(parser->simple_key_allowed || !required); /* Impossible. */
++ /* XXX This caused:
++ * https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
++ assert(parser->simple_key_allowed || !required); */ /* Impossible. */
+
+ /*
+ * If the current position may start a simple key, save it.
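Review bot: In yaml_parser_save_simple_key, commenting out `assert(parser->simple_key_allowed || !required);` leaves the case `required && !parser->simple_key_allowed` with no handling at this point, and the retained comment above it still reads "Therefore it is always allowed. But we add a check anyway.", which no longer matches the code. The patch description says the scanner then ends in a simple parse failure; consider making that explicit by returning a scanner error for this case where the assert used to be, or at least rewrite the comment to say which later check rejects the input. The trailing `/* Impossible. */` should be dropped as well, since the linked issue shows the state is reachable from input.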
diff --git a/libyaml.spec b/libyaml.spec
index 4c8b2cd..7b18506 100644
--- a/libyaml.spec
+++ b/libyaml.spec
@@ -4,7 +4,7 @@
Name: libyaml
Version: 0.1.6
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: YAML 1.1 parser and emitter written in C
Group: System Environment/Libraries
@@ -13,6 +13,8 @@ URL: http://pyyaml.org/
Source0: http://pyyaml.org/download/libyaml/%{tarballname}-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Patch0: libyaml-CVE-2014-9130.patch
+
%description
YAML is a data serialization format designed for human readability and
interaction with scripting languages. LibYAML is a YAML parser and
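Review bot: The new `Patch0:` line has no comment stating where the patch comes from. Add a line above it pointing at the upstream issue (https://bitbucket.org/xi/libyaml/issue/10/) or the upstream commit e6aa721cc0e5a48f408c52355559fd36780ba32a named in the patch header, so whoever rebases onto a later release can tell whether the patch is still needed.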
@@ -33,6 +35,8 @@ developing applications that use LibYAML.
%prep
%setup -q -n %{tarballname}-%{version}
+%patch0 -p1
+
%build
%configure
make %{?_smp_mflags}
@@ -79,6 +83,9 @@ rm -rf %{buildroot}
%changelog
+* Mon Dec 1 2014 John Eckersberg <eck at redhat.com> - 0.1.6-6
+- Add patch for CVE-2014-9130 (RHBZ#1169371)
+
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.1.6-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
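Review bot: The new %changelog entry is signed `eck at redhat.com`, while the commit author is `jeckersb at redhat.com`. If that is not intentional, use the same address in both so the entry can be matched to the committer.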