Hello community, here is the log from the commit of package perl-YAML-LibYAML for openSUSE:Factory checked in at 2012-05-03 10:59:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/perl-YAML-LibYAML (Old) and /work/SRC/openSUSE:Factory/.perl-YAML-LibYAML.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-YAML-LibYAML", Maintainer is "" Changes: -------- --- /work/SRC/openSUSE:Factory/perl-YAML-LibYAML/perl-YAML-LibYAML.changes 2011-10-03 09:24:47.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.perl-YAML-LibYAML.new/perl-YAML-LibYAML.changes 2012-05-03 10:59:40.000000000 +0200 @@ -1,0 +2,8 @@ +Wed Apr 25 23:01:47 UTC 2012 - pascal.ble...@opensuse.org + +- CVE-2012-1152: added patch to fix multiple format string flaws: + A remote attacker could provide a specially-crafted YAML document, which once + processed by the perl-YAML-LibYAML interface would lead to perl-YAML-LibYAML + based process crash. bnc#751503 + +------------------------------------------------------------------- New: ---- CVE-2012-1152-YAML-LibYAML-0.35-format-error.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ perl-YAML-LibYAML.spec ++++++ --- /var/tmp/diff_new_pack.EBGayg/_old 2012-05-03 10:59:41.000000000 +0200 +++ /var/tmp/diff_new_pack.EBGayg/_new 2012-05-03 10:59:41.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package perl-YAML-LibYAML # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,17 +16,17 @@ # - Name: perl-YAML-LibYAML Version: 0.37 -Release: 1 -License: GPL-1.0+ or Artistic-1.0 +Release: 0 %define cpan_name YAML-LibYAML Summary: YAML::LibYAML Perl module -Url: http://search.cpan.org/dist/YAML-LibYAML/ +License: GPL-1.0+ or Artistic-1.0 Group: Development/Libraries/Perl +Url: http://search.cpan.org/dist/YAML-LibYAML/ #Source: http://www.cpan.org/authors/id/I/IN/INGY/YAML-LibYAML-%{version}.tar.gz Source: %{cpan_name}-%{version}.tar.gz +Patch1: CVE-2012-1152-YAML-LibYAML-0.35-format-error.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: perl BuildRequires: perl-macros @@ -45,6 +45,7 @@ %prep %setup -q -n %{cpan_name}-%{version} +%patch1 -p1 %build %{__perl} Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}" ++++++ CVE-2012-1152-YAML-LibYAML-0.35-format-error.patch ++++++ diff -urbaN YAML-LibYAML-0.35-orig//LibYAML/perl_libyaml.c YAML-LibYAML-0.35/LibYAML/perl_libyaml.c --- YAML-LibYAML-0.35-orig//LibYAML/perl_libyaml.c 2011-04-03 18:28:08.000000000 +0200 +++ YAML-LibYAML-0.35/LibYAML/perl_libyaml.c 2011-04-08 09:25:49.633009787 +0200 @@ -188,7 +188,7 @@ return; load_error: - croak(loader_error_msg(&loader, NULL)); + croak("%s", loader_error_msg(&loader, NULL)); } /* @@ -271,7 +271,7 @@ return return_sv; load_error: - croak(loader_error_msg(loader, NULL)); + croak("%s", loader_error_msg(loader, NULL)); } /* @@ -314,7 +314,7 @@ else if (strlen(tag) <= strlen(prefix) || ! strnEQ(tag, prefix, strlen(prefix)) ) croak( - loader_error_msg(loader, form("bad tag found for hash: '%s'", tag)) + "%s", loader_error_msg(loader, form("bad tag found for hash: '%s'", tag)) ); class = tag + strlen(prefix); sv_bless(hash_ref, gv_stashpv(class, TRUE)); 
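Review bot: The patch applied by `%patch1 -p1` was generated against 0.35 (its name and its `YAML-LibYAML-0.35` paths say so), while this spec builds 0.37, and nothing in the build would flag a non-literal format that the patch does not cover. It rewrites four `croak` calls in `perl_libyaml.c`, so the 0.37 tree should be checked for any other `croak`/`warn` call whose first argument is not a literal. Assuming perl's headers declare these functions with the printf format attribute, the compiler can enforce this from the `%build` line visible in this hunk: `%{__perl} Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags} -Wformat -Werror=format-security"`. A regression or a missed call site would then fail the build.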
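Review bot: The `load_error:` path in the hunk at 188 goes straight into `croak`, which does not return to this frame, and nothing visible between the label and the call releases the state held in the local `loader`. If the normal path before `return;` tears down the libyaml parser (for example with `yaml_parser_delete`), the error path should do the same before croaking. Otherwise every malformed document leaks parser memory, which matters for a long-running process fed remote input. Only the tail of the function is in the hunk, so this needs checking against the full body. The string returned by `loader_error_msg` deserves the same look if it is heap-allocated.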
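Review bot: Nothing at the `load_error:` label in the hunk at 271 records why the literal `"%s"` is there, so a later tidy-up could fold it away again. A one-line comment such as `/* message carries document-derived text: pass it as an argument, never as the format */` would pin the intent, here and at the `croak` calls in the hunks at 188, 314 and 347. The body of `loader_error_msg` is outside this patch, so it is worth confirming that it also inserts its second argument through a `%s` conversion rather than using it as a format. The enclosing function begins outside the hunk.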
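Review bot: The context lines after the fixed `croak` in the hunk at 314 still bless the new reference into whatever package the document's tag names (`class = tag + strlen(prefix); sv_bless(hash_ref, gv_stashpv(class, TRUE));`). The same untrusted document this CVE concerns therefore also decides which class's methods, destructors included, later run on the loaded data. The patch does not touch that, and the array hunk at 347 has the same pattern with `array_ref`. A real fix belongs in a separate change (an opt-in switch or an allow-list checked before `sv_bless`); until then I would at least add `/* class name comes straight from the document tag: unsafe for untrusted input */` above both calls. The enclosing functions start and end outside the hunks.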
@@ -347,7 +347,7 @@ else if (strlen(tag) <= strlen(prefix) || ! strnEQ(tag, prefix, strlen(prefix)) ) croak( - loader_error_msg(loader, form("bad tag found for array: '%s'", tag)) + "%s", loader_error_msg(loader, form("bad tag found for array: '%s'", tag)) ); class = tag + strlen(prefix); sv_bless(array_ref, gv_stashpv(class, TRUE)); -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org