[PyYAML/f20] Add patch for CVE-2014-9130 (bug 1204829)
John Eckersberg
jeckersb at fedoraproject.org
Mon Mar 23 17:11:06 UTC 2015
commit d8812118044f42e3801e9477151ff6714a4a4f73
Author: John Eckersberg <jeckersb at redhat.com>
Date: Mon Mar 23 12:43:21 2015 -0400
Add patch for CVE-2014-9130 (bug 1204829)
PyYAML-CVE-2014-9130.patch | 35 +++++++++++++++++++++++++++++++++++
PyYAML.spec | 11 ++++++++++-
2 files changed, 45 insertions(+), 1 deletion(-)
---
diff --git a/PyYAML-CVE-2014-9130.patch b/PyYAML-CVE-2014-9130.patch
new file mode 100644
index 0000000..c47a9b5
--- /dev/null
+++ b/PyYAML-CVE-2014-9130.patch
@@ -0,0 +1,35 @@
+# HG changeset patch
+# User Kirill Simonov <xi at resolvent.net>
+# Date 1417197216 21600
+# Node ID ddf211a41bb231c365fece5599b7e484e6dc33fc
+# Parent 263dff6f9664ccdc532283ba5c7b282c0e436a7b
+Removed invalid simple key assertion.
+
+diff --git a/lib/yaml/scanner.py b/lib/yaml/scanner.py
+--- a/lib/yaml/scanner.py
++++ b/lib/yaml/scanner.py
+@@ -297,10 +297,6 @@
+ # Check if a simple key is required at the current position.
+ required = not self.flow_level and self.indent == self.column
+
+- # A simple key is required only if it is the first token in the current
+- # line. Therefore it is always allowed.
+- assert self.allow_simple_key or not required
+-
+ # The next token might be a simple key. Let's save it's number and
+ # position.
+ if self.allow_simple_key:
+diff --git a/lib3/yaml/scanner.py b/lib3/yaml/scanner.py
+--- a/lib3/yaml/scanner.py
++++ b/lib3/yaml/scanner.py
+@@ -297,10 +297,6 @@
+ # Check if a simple key is required at the current position.
+ required = not self.flow_level and self.indent == self.column
+
+- # A simple key is required only if it is the first token in the current
+- # line. Therefore it is always allowed.
+- assert self.allow_simple_key or not required
+-
+ # The next token might be a simple key. Let's save it's number and
+ # position.
+ if self.allow_simple_key:
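Review bot: the embedded upstream change removes the `assert self.allow_simple_key or not required` line outright instead of turning the condition into a scanner error, so `required`, still computed on the preceding line, is now only consulted further down in `save_possible_simple_key`-style logic rather than checked here; since the spec comment describes the bug as an assert failure on wrapped strings, this packaging change should be verified against a document of that shape to confirm the scanner now completes or raises its normal parse error rather than an AssertionError, and a regression input run under %check would keep the crash from coming back. The patch correctly carries the same hunk for both lib/yaml/scanner.py and lib3/yaml/scanner.py, which matters here because the package builds both python2 and python3 modules from one tree.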
diff --git a/PyYAML.spec b/PyYAML.spec
index 0d84d88..d21fa34 100644
--- a/PyYAML.spec
+++ b/PyYAML.spec
@@ -6,7 +6,7 @@
Name: PyYAML
Version: 3.10
-Release: 10%{?dist}
+Release: 11%{?dist}
Summary: YAML parser and emitter for Python
Group: Development/Libraries
@@ -27,6 +27,10 @@ BuildRequires: python3-Cython
# https://bitbucket.org/xi/pyyaml/issue/35/test-fails-on-be-s390-x-ppc64
Patch0: debian-big-endian-fix.patch
+# CVE-2014-9130 assert failure when processing wrapped strings
+# https://bugzilla.redhat.com/show_bug.cgi?id=1204829
+Patch1: PyYAML-CVE-2014-9130.patch
+
%description
YAML is a data serialization format designed for human readability and
interaction with scripting languages. PyYAML is a YAML parser and
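Review bot: the Patch1 comment cites only the bugzilla entry; the patch file itself is the upstream Mercurial changeset ddf211a41bb231c365fece5599b7e484e6dc33fc (per its header), so recording that changeset id beside the bugzilla URL, as Patch0 does with its upstream issue link, would make provenance checkable without opening the patch file.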
@@ -65,6 +69,8 @@ configuration files to object serialization and persistance.
%patch0 -p1 -b .be
chmod a-x examples/yaml-highlight/yaml_hl.py
+%patch1 -p1
+
# remove pre-generated file
rm -rf ext/_yaml.c
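Review bot: `%patch1 -p1` is applied without a backup suffix while `%patch0 -p1 -b .be` keeps one; for consistency and easier diffing of the prepped tree use something like `%patch1 -p1 -b .cve-2014-9130`. The `-p1` level is right for the `a/lib/yaml/...` paths in the patch, and the following `rm -rf ext/_yaml.c` is unaffected since the patch does not touch the C extension.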
@@ -117,6 +123,9 @@ popd
%changelog
+* Mon Mar 23 2015 John Eckersberg <eck at redhat.com> - 3.10-11
+- Add patch for CVE-2014-9130 (bug 1204829)
+
* Mon Sep 15 2014 Jakub Čajka <jcajka at redhat.com> - 3.10-10
- fixed typecast issues using debian patch(int->size_t)(BZ#1140189)
- spec file cleanup
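Review bot: the new changelog entry is signed `eck at redhat.com` while the commit's Author line uses `jeckersb at redhat.com`; confirm the address is intended, since the changelog text is what ships in the built RPM. The entry's `3.10-11` matches the Release bump in the first hunk, and listing the bugzilla number alongside the CVE is consistent with the previous entry's `(BZ#1140189)` style.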
More information about the scm-commits
mailing list