libyaml-libyaml-perl: CVE-2014-9130: Wrapped strings cause assert failure

Related Vulnerabilities: CVE-2014-9130  

Debian Bug report logs - #771365


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 28 Nov 2014 20:21:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions libyaml-libyaml-perl/0.33-1, libyaml-libyaml-perl/0.38-3

Fixed in versions libyaml-libyaml-perl/0.33-1+squeeze4, libyaml-libyaml-perl/0.41-6, libyaml-libyaml-perl/0.38-3+deb7u3

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.
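As an added example for this page (not code from the Debian BTS, the package or libyaml), the following Python script checks an installed libyaml-libyaml-perl version against the "Fixed in versions" line above. It reimplements dpkg's version ordering (epoch, upstream version, Debian revision, with "~" sorting before the end of a string) so the check also runs over version strings collected from hosts that have no dpkg. The rule that an installed version is compared against the fixed upload sharing its upstream version (0.33, 0.38 or 0.41) is this example's own assumption, and versions outside those three branches are reported as not covered by this report; the names FIXED, version_compare and is_fixed are the example's own.

```python
"""Check an installed libyaml-libyaml-perl version against the versions that
Debian bug #771365 lists as fixed for CVE-2014-9130.

This is an added example for this page, not code from the Debian BTS, the
package or libyaml. dpkg's version ordering (epoch, upstream version, Debian
revision; '~' sorts before the end of a string) is reimplemented here so the
check also runs on hosts without dpkg. Matching a version against the fixed
upload that shares its upstream version is this example's own assumption.
"""
import sys

# 'Fixed in versions' from the bug header, keyed by the suite of each upload.
FIXED = {
    "squeeze-lts": "0.33-1+squeeze4",
    "wheezy-security": "0.38-3+deb7u3",
    "unstable": "0.41-6",
}


def _order(ch: str) -> int:
    """dpkg's character weight: '~' < end of string < letters < other symbols."""
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    return ord(ch) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Order two version fragments as dpkg's verrevcmp() does: alternate runs
    of non-digits (compared by _order) and digits (compared numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with dpkg's weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run (or the first
        # differing digit) decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version: str):
    """Split 'epoch:upstream-revision': epoch before the first ':' (default 0),
    Debian revision after the last '-' (default empty)."""
    epoch, rest = 0, version
    if ":" in rest:
        e, rest = rest.split(":", 1)
        epoch = int(e)
    upstream, revision = rest, ""
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)
    return epoch, upstream, revision


def version_compare(a: str, b: str) -> int:
    """Negative, zero or positive as dpkg --compare-versions orders a against b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_fixed(installed: str):
    """True or False against the fixed upload that shares the installed upstream
    version; None when this bug's version list does not cover that upstream
    version (consult the Debian security tracker instead)."""
    _, upstream, _ = split_version(installed)
    for fixed in FIXED.values():
        if _verrevcmp(upstream, split_version(fixed)[1]) == 0:
            return version_compare(installed, fixed) >= 0
    return None


if __name__ == "__main__":
    # Pass the output of: dpkg-query -W -f='${Version}' libyaml-libyaml-perl
    # With no argument, constructed sample versions are checked instead.
    samples = sys.argv[1:] or ["0.33-1", "0.33-1+squeeze4", "0.38-3+deb7u2",
                               "0.38-3+deb7u3", "0.41-5", "0.41-6", "0.59-1"]
    for v in samples:
        print(f"{v:20s} fixed={is_fixed(v)}")
```

On a Debian host run it as `python3 check_771365.py "$(dpkg-query -W -f='${Version}' libyaml-libyaml-perl)"`. Note that the Perl binding carries its own copy of the libyaml sources, which is why this bug was fixed with a patch to libyaml-libyaml-perl itself: the version of the separate libyaml system package says nothing about whether CVE-2014-9130 is fixed for YAML::XS users.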



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#771365; Package src:libyaml-libyaml-perl. (Fri, 28 Nov 2014 20:21:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 28 Nov 2014 20:21:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libyaml-libyaml-perl: CVE-2014-9130: Wrapped strings cause assert failure
Date: Fri, 28 Nov 2014 21:17:43 +0100
Source: libyaml-libyaml-perl
Version: 0.38-3
Severity: important
Tags: security upstream fixed-upstream

Hi

An assert is triggered by wrapped strings, see [1,2]. The patch
applied to the new upstream version was to comment out the assertion
and let the parser fail.

 [1] https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
 [2] http://www.openwall.com/lists/oss-security/2014/11/28/1
 [3] https://github.com/yaml/libyaml/commit/e6aa721cc0e5a48f408c52355559fd36780ba32a

Regards,
Salvatore



Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 28 Nov 2014 20:27:13 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Nov 2014 07:42:23 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 29 Nov 2014 07:51:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 29 Nov 2014 07:51:14 GMT)


Message #14 received at 771365-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 771365-close@bugs.debian.org
Subject: Bug#771365: fixed in libyaml-libyaml-perl 0.41-6
Date: Sat, 29 Nov 2014 07:48:48 +0000
Source: libyaml-libyaml-perl
Source-Version: 0.41-6

We believe that the bug you reported is fixed in the latest version of
libyaml-libyaml-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 771365@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libyaml-libyaml-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 29 Nov 2014 08:23:09 +0100
Source: libyaml-libyaml-perl
Binary: libyaml-libyaml-perl
Architecture: source amd64
Version: 0.41-6
Distribution: unstable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 libyaml-libyaml-perl - Perl interface to libyaml, a YAML implementation
Closes: 771365
Changes:
 libyaml-libyaml-perl (0.41-6) unstable; urgency=high
 .
   * Team upload.
   * Add CVE-2014-9130.patch patch.
     Fix CVE-2014-9130: assertion failure caused by wrapped strings.
     (Closes: 771365)
Checksums-Sha1:
 93f646e1ec8ba121e0922a8b2665b58ba9a4f121 2172 libyaml-libyaml-perl_0.41-6.dsc
 bb25fe229a24975c1830e23d289d911ceb5ac3ad 6624 libyaml-libyaml-perl_0.41-6.debian.tar.xz
Checksums-Sha256:
 19e515e5f15e7480aa14461129117ba059a6e6a249a28c530086f8bf43e18e57 2172 libyaml-libyaml-perl_0.41-6.dsc
 75bb9f7ec0fb9c4c761cb8df3eaf21a6a06697ee3f8a3ed5251a6a81cb3f3634 6624 libyaml-libyaml-perl_0.41-6.debian.tar.xz
Files:
 fa656d63cea5f8790cc2e2ce9a06557f 2172 perl optional libyaml-libyaml-perl_0.41-6.dsc
 b275bee8588eba57849da535fbc5a50d 6624 perl optional libyaml-libyaml-perl_0.41-6.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJUeXjUAAoJEAVMuPMTQ89EKCgP/jQ9i6zVODQcUh5nMa7xtn1I
3YhefJAjTzuQfbvc2SH/YUO6FW8axzYdlUDdEpWmeCNCx5ZYcoqU4Z9lHnCwmbU1
K8td3A3qr3hOA7wJgbV+VFo+fFGUPO9cddilUyc/7lsEWPhX0SC5gRk8H1/Lx2ZJ
NtJJU/cSDTr1aTTsfDN/+wZEt0mx2sOHT49MaTneduPEHvat1UkgHJwxG9bA2/WR
KazLtDgdqh+XWynsZ606NiD0s7V+iKsCllew3Y9OWg3lrulYfFhmF8hL5AeJl7lc
TPd1SjRV2RhXve7/fHRa44LRIS90AU9dAUx685Wp5SNJllqBlYNoUCHmXIAazOki
cwX99PlLQKr2tJF8kZODgBbp8WahmU2BDi+Pdy+GetvWpqHyxGQ5EiO0Y8DBcirn
/wlkUgF1ursshJQ20P1A+CAi9LViPyrrxmGd02WmkAxNiR7ju75uXNsgOJ+Upe6+
l769l+0lM/MK69RanrbJugGa9SOdumiCg7/Phtd7KbPg0L26Pxnqdr7DTqrHhP2f
Dk4C5ZT3nDhWc8c9wfGe94bforu2QIIOGKOE7xSCjr/kDLUHENIaoXGBjLtMMNek
bmbAcQbynwR52/G5nfgal3e6BjH6Lh6Y6aq6ruPK3NZWvmHlAa1CXq8iIbNdhksP
Voteqsm0beRjE41UKUC4
=VKqh
-----END PGP SIGNATURE-----




Reply sent to Thorsten Alteholz <debian@alteholz.de>:
You have taken responsibility. (Sun, 14 Dec 2014 13:36:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 14 Dec 2014 13:36:14 GMT)


Message #19 received at 771365-close@bugs.debian.org:

From: Thorsten Alteholz <debian@alteholz.de>
To: 771365-close@bugs.debian.org
Subject: Bug#771365: fixed in libyaml-libyaml-perl 0.33-1+squeeze4
Date: Sun, 14 Dec 2014 13:34:15 +0000
Source: libyaml-libyaml-perl
Source-Version: 0.33-1+squeeze4

We believe that the bug you reported is fixed in the latest version of
libyaml-libyaml-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 771365@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated libyaml-libyaml-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 14 Dec 2014 14:05:24 +0100
Source: libyaml-libyaml-perl
Binary: libyaml-libyaml-perl
Architecture: source i386
Version: 0.33-1+squeeze4
Distribution: squeeze-lts
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description: 
 libyaml-libyaml-perl - Perl interface to libyaml, a YAML implementation
Closes: 771365
Changes: 
 libyaml-libyaml-perl (0.33-1+squeeze4) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Add CVE-2014-9130.patch patch.
     Fix CVE-2014-9130: assertion failure caused by wrapped strings.
     (Closes: #771365)
Checksums-Sha1: 
 0da297f1fee07fed53833be1744d2ed43c2df9a1 2175 libyaml-libyaml-perl_0.33-1+squeeze4.dsc
 1c058fc54ffdedd39d8a93926ac3bedda94fdb71 146030 libyaml-libyaml-perl_0.33.orig.tar.gz
 059a820eafba84bc48d6fa0b06166fb9283fa596 5463 libyaml-libyaml-perl_0.33-1+squeeze4.debian.tar.gz
 0b488cfde5095ab2f4811d75b01dff9113e2ab46 74514 libyaml-libyaml-perl_0.33-1+squeeze4_i386.deb
Checksums-Sha256: 
 97b3094dc00648cb263e57fd437b354ce352062db89238f9aa54def5ca9d5c46 2175 libyaml-libyaml-perl_0.33-1+squeeze4.dsc
 70c4f7604aeedfc374b64c94745963391eea192d285ffbf4234c4463d78363bc 146030 libyaml-libyaml-perl_0.33.orig.tar.gz
 50387c2d31a7c934a088b75201e58ddf06f80050adc622ddd69e06494fbfde9e 5463 libyaml-libyaml-perl_0.33-1+squeeze4.debian.tar.gz
 be55339c91239cec348856e54d8477581e2b0c85e499779edd31d2c713af814c 74514 libyaml-libyaml-perl_0.33-1+squeeze4_i386.deb
Files: 
 30513df83754e9a8660c15d68026e5ac 2175 perl optional libyaml-libyaml-perl_0.33-1+squeeze4.dsc
 001a21618af05ee3a12dbb8cd6bd9b13 146030 perl optional libyaml-libyaml-perl_0.33.orig.tar.gz
 0626daf905d91afc4de6286ca8d825ff 5463 perl optional libyaml-libyaml-perl_0.33-1+squeeze4.debian.tar.gz
 b553e70c4bf8d4982c15813f9d6a1ef5 74514 perl optional libyaml-libyaml-perl_0.33-1+squeeze4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQJ8BAEBCgBmBQJUjY9DXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHybIP/0BzjJz+nUUeVnZMWT15OpSf
oSsn21p2fJiwTaGNSEAnHJqkl/7G/fJ11UBqanaZnTpYglojnaz9TWasFTuvLrav
ge6MmJ23+qwHFwjYsDSHhciDvuwkZSg294LCS7p3x+lj7C/EOBMXWCV9VK/oNb5v
bKSCwKeFAARd2/jgTc25y1VoP/mfmhbOpNqrW62+reMRJMooddopkSkPx6HgfXDj
9wfkQBg3t390UPokzDWql6HOPeu8PQfKV/swUWyDOMn6LDo4kgaTW6H4UGLrUvI1
gMpkLGTu+l6sQLIrH43FpMxb1mfUAgc1JAyH/apQDTin0yUlMtQRSCSKZ65bB6eE
emX3pxU92FUf+YFKAEoOSKPzHztt4SqOkPdfKYsmzv8nT5KlHrk4ZQVpHi4wv3oH
+Eo4vLFZaUxs4RgkE/jDRWMHdbeGeMlu8c1lFhIntYRCOU/GThzR1VR49Ao4/Zg3
Vd47pLnH1mhGDTxz3n0PvZdIJDo2JzyEvsh0DEfMkz4oYOgxwp9QrSxvMeJKy2Gt
E7ry8ZeyE7jiAB9cyIqKoSi4Q8US44FqWCaJK1CN8N/UHYB614JltLuynQKMjxTT
BbDUHqALo+QSQr3QTsbZI/1EwF66+cmwKJ1W+3eMf4JEZgn0DnfVMO77fw06z/XC
M2yPW5osUVOOLr172Ebn
=fXEl
-----END PGP SIGNATURE-----




Marked as found in versions libyaml-libyaml-perl/0.33-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 14 Dec 2014 15:12:08 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 14 Dec 2014 21:21:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 14 Dec 2014 21:21:12 GMT)


Message #26 received at 771365-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 771365-close@bugs.debian.org
Subject: Bug#771365: fixed in libyaml-libyaml-perl 0.38-3+deb7u3
Date: Sun, 14 Dec 2014 21:17:21 +0000
Source: libyaml-libyaml-perl
Source-Version: 0.38-3+deb7u3

We believe that the bug you reported is fixed in the latest version of
libyaml-libyaml-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 771365@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libyaml-libyaml-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 13 Dec 2014 15:13:24 +0100
Source: libyaml-libyaml-perl
Binary: libyaml-libyaml-perl
Architecture: source amd64
Version: 0.38-3+deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libyaml-libyaml-perl - Perl interface to libyaml, a YAML implementation
Closes: 771365
Changes: 
 libyaml-libyaml-perl (0.38-3+deb7u3) wheezy-security; urgency=high
 .
   * Team upload.
   * Add CVE-2014-9130.patch patch.
     Fix CVE-2014-9130: assertion failure caused by wrapped strings.
     (Closes: #771365)
Checksums-Sha1: 
 6c0c007f1de7803626754dda8118ca81c15858b7 2204 libyaml-libyaml-perl_0.38-3+deb7u3.dsc
 ddf5fcc51d700bdfc95aeff50eb3d29fba795eb0 6630 libyaml-libyaml-perl_0.38-3+deb7u3.debian.tar.gz
 9ad9b6f80a519796341ca677fb5bb838bb91b1e7 78568 libyaml-libyaml-perl_0.38-3+deb7u3_amd64.deb
Checksums-Sha256: 
 cca2a45e9516d623252adda68cc1dfba96a874b695040a26d37682f8be6f716d 2204 libyaml-libyaml-perl_0.38-3+deb7u3.dsc
 bcc4a63430ccb021b417891a9420fd93bab12391f1044806abd5a5f22bbbf7b0 6630 libyaml-libyaml-perl_0.38-3+deb7u3.debian.tar.gz
 a22928dac42664f94bce255334acc24b77ddd399879316c3388e2123963fcd52 78568 libyaml-libyaml-perl_0.38-3+deb7u3_amd64.deb
Files: 
 7d5b12aacab91afefcf6f98a39aed6f6 2204 perl optional libyaml-libyaml-perl_0.38-3+deb7u3.dsc
 02853005aeabf36c013c03a6fd1cf2c0 6630 perl optional libyaml-libyaml-perl_0.38-3+deb7u3.debian.tar.gz
 6ad6b64f9d4b635251fefa4736fbe9ef 78568 perl optional libyaml-libyaml-perl_0.38-3+deb7u3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 12 Jan 2015 07:29:15 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:23:35 2019; Machine Name: beach
