libyaml: CVE-2014-2525: input sanitization errors

Related Vulnerabilities: CVE-2014-2525  

Debian Bug report logs - #742732


Package: libyaml; Maintainer for libyaml is Anders Kaseorg <andersk@mit.edu>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 26 Mar 2014 19:03:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version 0.1.3-1

Fixed in versions 0.1.4-2+deb7u4, 0.1.3-1+deb6u4, libyaml/0.1.4-3.2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Anders Kaseorg <andersk@mit.edu>:
Bug#742732; Package libyaml. (Wed, 26 Mar 2014 19:03:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Anders Kaseorg <andersk@mit.edu>. (Wed, 26 Mar 2014 19:03:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libyaml: CVE-2014-2525: input sanitization errors
Date: Wed, 26 Mar 2014 20:00:58 +0100
Package: libyaml
Version: 0.1.3-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for libyaml.

CVE-2014-2525[0]:
LibYAML input sanitization errors

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-2525
[1] http://www.ocert.org/advisories/ocert-2014-003.html

Regards,
Salvatore



Marked as fixed in versions 0.1.3-1+deb6u4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 26 Mar 2014 19:57:07 GMT)


Marked as fixed in versions 0.1.4-2+deb7u4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 26 Mar 2014 19:57:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Anders Kaseorg <andersk@mit.edu>:
Bug#742732; Package libyaml. (Thu, 27 Mar 2014 05:33:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Anders Kaseorg <andersk@mit.edu>. (Thu, 27 Mar 2014 05:33:05 GMT)


Message #14 received at 742732@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 742732@bugs.debian.org
Subject: libyaml: diff for NMU version 0.1.4-3.2
Date: Thu, 27 Mar 2014 06:28:37 +0100
[Message part 1 (text/plain, inline)]
tags 742732 + patch
tags 742732 + pending
thanks

Hi Anders!

I've prepared an NMU for libyaml (versioned as 0.1.4-3.2) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer. Note that upstream has released 0.1.6
including the fix and the previous one.

Regards,
Salvatore
[libyaml-0.1.4-3.2-nmu.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Mar 2014 05:33:08 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Mar 2014 05:33:09 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 29 Mar 2014 05:51:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 29 Mar 2014 05:51:10 GMT)


Message #23 received at 742732-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 742732-close@bugs.debian.org
Subject: Bug#742732: fixed in libyaml 0.1.4-3.2
Date: Sat, 29 Mar 2014 05:48:29 +0000
Source: libyaml
Source-Version: 0.1.4-3.2

We believe that the bug you reported is fixed in the latest version of
libyaml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742732@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libyaml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 27 Mar 2014 06:22:25 +0100
Source: libyaml
Binary: libyaml-0-2 libyaml-0-2-dbg libyaml-dev
Architecture: source amd64
Version: 0.1.4-3.2
Distribution: unstable
Urgency: high
Maintainer: Anders Kaseorg <andersk@mit.edu>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libyaml-0-2 - Fast YAML 1.1 parser and emitter library
 libyaml-0-2-dbg - Fast YAML 1.1 parser and emitter library (debugging symbols)
 libyaml-dev - Fast YAML 1.1 parser and emitter library (development)
Closes: 742732
Changes: 
 libyaml (0.1.4-3.2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add CVE-2014-2525.patch patch.
     CVE-2014-2525: Fixes heap overflow in yaml_parser_scan_uri_escapes.
     The heap overflow is caused by not properly expanding a string before
     writing to it in function yaml_parser_scan_uri_escapes in scanner.c.
     (Closes: #742732)
Checksums-Sha1: 
 e064c577e3943e1a8df91506b1c2bc62b763a82a 1924 libyaml_0.1.4-3.2.dsc
 20b1bcdfdce31d6db935f09a61f84880cfc0c39a 6248 libyaml_0.1.4-3.2.debian.tar.xz
 959bde12204fa821f07063cba5fc822c41c7e14d 47994 libyaml-0-2_0.1.4-3.2_amd64.deb
 a53a3713a32f0bb0fe6f03a0749971255b816645 97164 libyaml-0-2-dbg_0.1.4-3.2_amd64.deb
 34df10937ef765b5dbbc63e76b24239bbba42fab 57532 libyaml-dev_0.1.4-3.2_amd64.deb
Checksums-Sha256: 
 5746fa3ac13a5d89cdab0990863de4a1bfb3e57dfce8b05379974934db11fe9f 1924 libyaml_0.1.4-3.2.dsc
 1e190a62bfb19e491d05f3ee17c7ca8461d0f78ad9e8b0ee22f70f4542e85210 6248 libyaml_0.1.4-3.2.debian.tar.xz
 85b8684be5371474b6b462babf07303edcb4736ee16ceb9b20f44817c598f210 47994 libyaml-0-2_0.1.4-3.2_amd64.deb
 ee931974b278172f6391516582d3a5da9a824157dfbab4fc8c3a6b7cf6ac5dc5 97164 libyaml-0-2-dbg_0.1.4-3.2_amd64.deb
 6643beb1f83b59c0392f5558bac873740479257c1727c0fd8d4c7a06f105b5cc 57532 libyaml-dev_0.1.4-3.2_amd64.deb
Files: 
 e9584481a784401d40408ff422fe61ef 1924 libs optional libyaml_0.1.4-3.2.dsc
 c59c3b86d32bb0ac1f1bf7f6f5c55330 6248 libs optional libyaml_0.1.4-3.2.debian.tar.xz
 58640c378473c9d61890154f017b6623 47994 libs optional libyaml-0-2_0.1.4-3.2_amd64.deb
 bb16e4505ae8215842ff5d870b762f0d 97164 debug extra libyaml-0-2-dbg_0.1.4-3.2_amd64.deb
 ecd9522bd9759d70257b0bd30d0e8667 57532 libdevel optional libyaml-dev_0.1.4-3.2_amd64.deb

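The changelog above attributes the heap overflow to writing into a string without first expanding it. The following is an added example, not libyaml's code and not the patch shipped in this upload: it isolates the safe pattern the changelog describes, a small growable string whose extend routine is called before every byte written while decoding %XX URI escapes, so a long run of escapes grows the buffer instead of overrunning it. The names ystr, ystr_extend, decode_uri_escapes and decode_to_buffer are hypothetical, and the 5-byte headroom rule is this example's own choice.

```c
/* Added example (hypothetical names, not libyaml's code): grow a heap string
 * before every write while decoding %XX URI escapes. */
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

typedef struct {
    unsigned char *start;   /* heap buffer */
    unsigned char *end;     /* one past the last usable byte */
    unsigned char *pointer; /* next write position */
} ystr;

#define YSTR_INITIAL 16

static int ystr_init(ystr *s) {
    s->start = malloc(YSTR_INITIAL);
    if (!s->start) return 0;
    memset(s->start, 0, YSTR_INITIAL);
    s->pointer = s->start;
    s->end = s->start + YSTR_INITIAL;
    return 1;
}

/* Guarantee at least 5 bytes of headroom (room for a 4-byte UTF-8 sequence
 * plus a terminating NUL), doubling the allocation when needed.
 * Returns 0 on allocation failure. */
static int ystr_extend(ystr *s) {
    if (s->pointer + 5 < s->end) return 1;
    size_t len = (size_t)(s->pointer - s->start);
    size_t cap = (size_t)(s->end - s->start) * 2;
    unsigned char *n = realloc(s->start, cap);
    if (!n) return 0;
    memset(n + len, 0, cap - len);
    s->start = n;
    s->pointer = n + len;
    s->end = n + cap;
    return 1;
}

/* Value of one hex digit, or -1 for anything else (including NUL). */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode every %XX escape in `in` into `out`. Each write is preceded by
 * ystr_extend, so the output buffer cannot be overrun whatever the input
 * length. Returns 1 on success, 0 on a malformed escape or allocation failure. */
int decode_uri_escapes(const char *in, ystr *out) {
    while (*in) {
        int octet;
        if (*in == '%') {
            int hi = hexval((unsigned char)in[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[2]);
            if (lo < 0) return 0;          /* truncated or non-hex escape */
            octet = (hi << 4) | lo;
            in += 3;
        } else {
            octet = (unsigned char)*in++;
        }
        /* the step the changelog says was missing: expand before writing */
        if (!ystr_extend(out)) return 0;
        *(out->pointer++) = (unsigned char)octet;
    }
    if (!ystr_extend(out)) return 0;
    *out->pointer = '\0';                  /* headroom guaranteed above */
    return 1;
}

/* Convenience wrapper: decode into a fresh buffer owned by the caller.
 * Returns the decoded length, or -1 on error. */
long decode_to_buffer(const char *in, unsigned char **result) {
    ystr s;
    if (!ystr_init(&s)) return -1;
    if (!decode_uri_escapes(in, &s)) { free(s.start); return -1; }
    *result = s.start;
    return (long)(s.pointer - s.start);
}
```

The point of the shape is that the capacity check sits next to the write rather than once at the top of the loop: the number of bytes produced depends on the input, so any path that appends a byte must first prove there is room for it. A malformed escape (`%4`, `%zz`) is rejected rather than partially decoded, so the caller never receives a buffer whose contents it cannot trust.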




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 28 Apr 2014 07:28:13 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:53:07 2019; Machine Name: buxtehude
