[PyYAML/el5] Add patch for CVE-2014-9130 (bug 1204829)
John Eckersberg
jeckersb at fedoraproject.org
Mon Mar 23 18:25:27 UTC 2015
commit 4ef1fd5366a96ddb1d21ccaa536a09317290b3c4
Author: John Eckersberg <jeckersb at redhat.com>
Date: Mon Mar 23 12:43:21 2015 -0400
Add patch for CVE-2014-9130 (bug 1204829)
PyYAML-CVE-2014-9130.patch | 35 +++++++++++++++++++++++++++++++++++
PyYAML.spec | 11 ++++++++++-
2 files changed, 45 insertions(+), 1 deletion(-)
---
diff --git a/PyYAML-CVE-2014-9130.patch b/PyYAML-CVE-2014-9130.patch
new file mode 100644
index 0000000..c47a9b5
--- /dev/null
+++ b/PyYAML-CVE-2014-9130.patch
@@ -0,0 +1,35 @@
+# HG changeset patch
+# User Kirill Simonov <xi at resolvent.net>
+# Date 1417197216 21600
+# Node ID ddf211a41bb231c365fece5599b7e484e6dc33fc
+# Parent 263dff6f9664ccdc532283ba5c7b282c0e436a7b
+Removed invalid simple key assertion.
+
+diff --git a/lib/yaml/scanner.py b/lib/yaml/scanner.py
+--- a/lib/yaml/scanner.py
++++ b/lib/yaml/scanner.py
+@@ -297,10 +297,6 @@
+ # Check if a simple key is required at the current position.
+ required = not self.flow_level and self.indent == self.column
+
+- # A simple key is required only if it is the first token in the current
+- # line. Therefore it is always allowed.
+- assert self.allow_simple_key or not required
+-
+ # The next token might be a simple key. Let's save it's number and
+ # position.
+ if self.allow_simple_key:
+diff --git a/lib3/yaml/scanner.py b/lib3/yaml/scanner.py
+--- a/lib3/yaml/scanner.py
++++ b/lib3/yaml/scanner.py
+@@ -297,10 +297,6 @@
+ # Check if a simple key is required at the current position.
+ required = not self.flow_level and self.indent == self.column
+
+- # A simple key is required only if it is the first token in the current
+- # line. Therefore it is always allowed.
+- assert self.allow_simple_key or not required
+-
+ # The next token might be a simple key. Let's save it's number and
+ # position.
+ if self.allow_simple_key:
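Review bot: Dropping the assertion leaves the state it guarded — `required` true while `allow_simple_key` is false — silently unhandled at this point, and nothing in the hunk shows whether the later scanner code turns that crafted input into a clean `ScannerError` or into a different failure further down; that should be confirmed before shipping, since the CVE is an attacker-triggerable `AssertionError` on untrusted YAML and the goal is a proper parse error, not just a quieter crash. The patch carries no regression case for the reproducer the spec describes ("wrapped strings"); I would add the triggering document to `%check` or the test suite so the fix is verifiable on rebuild. I would also leave a why-comment in place of the removed lines, e.g. `# Do not assert here: a required-but-disallowed simple key is reachable from crafted input (CVE-2014-9130); an assert would abort on untrusted YAML.` The enclosing method starts and ends outside the hunk.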
diff --git a/PyYAML.spec b/PyYAML.spec
index 57ab575..1fa8a4d 100644
--- a/PyYAML.spec
+++ b/PyYAML.spec
@@ -6,7 +6,7 @@
Name: PyYAML
Version: 3.09
-Release: 10%{?dist}
+Release: 11%{?dist}
Summary: YAML parser and emitter for Python
Group: Development/Libraries
@@ -22,6 +22,10 @@ BuildRequires: python3-devel
BuildRequires: python3-setuptools
%endif
+# CVE-2014-9130 assert failure when processing wrapped strings
+# https://bugzilla.redhat.com/show_bug.cgi?id=1204829
+Patch1: PyYAML-CVE-2014-9130.patch
+
%description
YAML is a data serialization format designed for human readability and
interaction with scripting languages. PyYAML is a YAML parser and
@@ -64,6 +68,8 @@ rm -rf %{py3dir}
cp -a . %{py3dir}
%endif
+%patch1 -p1
+
%build
CFLAGS="${RPM_OPT_FLAGS}" %{__python} setup.py --with-libyaml build
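Review bot: `%patch1 -p1` is applied after `cp -a . %{py3dir}`, so when the python3 build is enabled the tree in `%{py3dir}` is copied from the unpatched source and the `lib3/yaml/scanner.py` hunk never reaches the python3 build — the CVE fix would be silently missing from that package. Move the `%patch1 -p1` line above the `rm -rf %{py3dir}` / `cp -a . %{py3dir}` block (directly after `%setup`) so both trees are patched. Whether python3 is actually enabled on this el5 branch is not visible here, but the ordering is wrong regardless and becomes a real gap the moment it is. The `%prep` section begins outside the hunk.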
@@ -114,6 +120,9 @@ rm -rf %{buildroot}
%changelog
+* Mon Mar 23 2015 John Eckersberg <eck at redhat.com> - 3.09-11
+- Add patch for CVE-2014-9130 (bug 1204829)
+
* Mon Feb 3 2014 John Eckersberg <jeckersb at redhat.com> - 3.09-10
- Add Provides for python-yaml (BZ#740390)