commit da43da31bb1dba3e2801e062aa179ac8d50aa538
Author: Paul Howarth <p...@city-fan.org>
Date: Thu Mar 27 13:52:30 2014 +0000
Add fixes for CVE-2013-6393 and CVE-2014-2525
- Fix LibYAML input sanitization errors (CVE-2014-2525)
- Fix heap-based buffer overflow when parsing YAML tags (CVE-2013-6393)
YAML-LibYAML-0.41-CVE-2013-6393.patch | 177 +++++++++++++++++++++++++++++++++
YAML-LibYAML-0.41-CVE-2014-2525.patch | 38 +++++++
perl-YAML-LibYAML.spec | 14 +++-
3 files changed, 228 insertions(+), 1 deletions(-)
---
diff --git a/YAML-LibYAML-0.41-CVE-2013-6393.patch
b/YAML-LibYAML-0.41-CVE-2013-6393.patch
new file mode 100644
index 0000000..e914e71
--- /dev/null
+++ b/YAML-LibYAML-0.41-CVE-2013-6393.patch
@@ -0,0 +1,177 @@
+# HG changeset patch
+# User Kirill Simonov <x...@resolvent.net>
+# Date 1391406104 21600
+# Node ID f859ed1eb757a3562b98a28a8ce69274bfd4b3f2
+# Parent da9bc6f12781a583076c7b60d057df5d7b50f96f
+Guard against overflows in indent and flow_level.
+
+--- LibYAML/scanner.c
++++ LibYAML/scanner.c
+@@ -615,11 +615,11 @@
+ */
+
+ static int
+-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
+- int number, yaml_token_type_t type, yaml_mark_t mark);
++yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
++ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark);
+
+ static int
+-yaml_parser_unroll_indent(yaml_parser_t *parser, int column);
++yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column);
+
+ /*
+ * Token fetchers.
+@@ -1103,7 +1103,7 @@
+ */
+
+ int required = (!parser->flow_level
+- && parser->indent == (int)parser->mark.column);
++ && parser->indent == (ptrdiff_t)parser->mark.column);
+
+ /*
+ * A simple key is required only when it is the first token in the current
+@@ -1176,6 +1176,9 @@
+
+ /* Increase the flow level. */
+
++ if (parser->flow_level == INT_MAX)
++ return 0;
++
+ parser->flow_level++;
+
+ return 1;
+@@ -1206,8 +1209,8 @@
+ */
+
+ static int
+-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
+- int number, yaml_token_type_t type, yaml_mark_t mark)
++yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
++ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark)
+ {
+ yaml_token_t token;
+
+@@ -1226,6 +1229,9 @@
+ if (!PUSH(parser, parser->indents, parser->indent))
+ return 0;
+
++ if (column > INT_MAX)
++ return 0;
++
+ parser->indent = column;
+
+ /* Create a token and insert it into the queue. */
+@@ -1254,7 +1260,7 @@
+
+
+ static int
+-yaml_parser_unroll_indent(yaml_parser_t *parser, int column)
++yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column)
+ {
+ yaml_token_t token;
+
+--- LibYAML/yaml_private.h
++++ LibYAML/yaml_private.h
+@@ -7,6 +7,7 @@
+
+ #include <assert.h>
+ #include <limits.h>
++#include <stddef.h>
+
+ /*
+ * Memory management.
+# HG changeset patch
+# User Kirill Simonov <x...@resolvent.net>
+# Date 1391409843 21600
+# Node ID af3599437a87162554787c52d8b16eab553f537b
+# Parent 0df2fb962294f3a6df1450a3e08c6a0f74f9078c
+Forgot to set the error state.
+
+--- LibYAML/scanner.c
++++ LibYAML/scanner.c
+@@ -1176,8 +1176,10 @@
+
+ /* Increase the flow level. */
+
+- if (parser->flow_level == INT_MAX)
++ if (parser->flow_level == INT_MAX) {
++ parser->error = YAML_MEMORY_ERROR;
+ return 0;
++ }
+
+ parser->flow_level++;
+
+@@ -1229,8 +1231,10 @@
+ if (!PUSH(parser, parser->indents, parser->indent))
+ return 0;
+
+- if (column > INT_MAX)
++ if (column > INT_MAX) {
++ parser->error = YAML_MEMORY_ERROR;
+ return 0;
++ }
+
+ parser->indent = column;
+
+Description: CVE-2013-6393: yaml_stack_extend: guard against integer overflow
+ This is a hardening patch also from Florian Weimer
+ <fwei...@redhat.com>. It is not required to fix this CVE however it
+ improves the robustness of the code against future issues by avoiding
+ large node ID's in a central place.
+Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076
+Last-Update: 2014-01-29
+---
+# HG changeset patch
+# User Florian Weimer <fwei...@redhat.com>
+# Date 1389274355 -3600
+# Thu Jan 09 14:32:35 2014 +0100
+# Node ID 034d7a91581ac930e5958683f1a06f41e96d24a2
+# Parent a54d7af707f25dc298a7be60fd152001d2b3035b
+yaml_stack_extend: guard against integer overflow
+
+--- LibYAML/api.c
++++ LIBYAML/api.c
+@@ -117,7 +117,12 @@
+ YAML_DECLARE(int)
+ yaml_stack_extend(void **start, void **top, void **end)
+ {
+- void *new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
++ void *new_start;
++
++ if ((char *)*end - (char *)*start >= INT_MAX / 2)
++ return 0;
++
++ new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
+
+ if (!new_start) return 0;
+
+Description: CVE-2013-6393: yaml_parser_scan_tag_uri: fix int overflow leading
to buffer overflow
+ This is a proposed patch from Florian Weimer <fwei...@redhat.com> for
+ the string overflow issue. It has been ack'd by upstream.
+Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076
+Last-Update: 2014-01-29
+---
+# HG changeset patch
+# User Florian Weimer <fwei...@redhat.com>
+# Date 1389273500 -3600
+# Thu Jan 09 14:18:20 2014 +0100
+# Node ID a54d7af707f25dc298a7be60fd152001d2b3035b
+# Parent 3e6507fa0c26d20c09f8f468f2bd04aa2fd1b5b5
+yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow
+
+--- LibYAML/scanner.c
++++ LibYAML/scanner.c
+@@ -2621,7 +2621,7 @@
+
+ /* Resize the string to include the head. */
+
+- while (string.end - string.start <= (int)length) {
++ while ((size_t)(string.end - string.start) <= length) {
+ if (!yaml_string_extend(&string.start, &string.pointer, &string.end))
{
+ parser->error = YAML_MEMORY_ERROR;
+ goto error;
diff --git a/YAML-LibYAML-0.41-CVE-2014-2525.patch
b/YAML-LibYAML-0.41-CVE-2014-2525.patch
new file mode 100644
index 0000000..82b8b63
--- /dev/null
+++ b/YAML-LibYAML-0.41-CVE-2014-2525.patch
@@ -0,0 +1,38 @@
+Description: CVE-2014-2525: Fixes heap overflow in yaml_parser_scan_uri_escapes
+ The heap overflow is caused by not properly expanding a string before
+ writing to it in function yaml_parser_scan_uri_escapes in scanner.c.
+
+Origin: backport,
https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2014-03-20
+Applied-Upstream: 0.1.6
+
+--- LibYAML/scanner.c
++++ LibYAML/scanner.c
+@@ -2619,6 +2619,9 @@ yaml_parser_scan_tag_uri(yaml_parser_t *
+ /* Check if it is a URI-escape sequence. */
+
+ if (CHECK(parser->buffer, '%')) {
++ if (!STRING_EXTEND(parser, string))
++ goto error;
++
+ if (!yaml_parser_scan_uri_escapes(parser,
+ directive, start_mark, &string)) goto error;
+ }
+--- LibYAML/yaml_private.h
++++ LibYAML/yaml_private.h
+@@ -132,9 +132,12 @@ yaml_string_join(
+ (string).start = (string).pointer = (string).end = 0)
+
+ #define STRING_EXTEND(context,string)
\
+- (((string).pointer+5 < (string).end)
\
++ ((((string).pointer+5 < (string).end)
\
+ || yaml_string_extend(&(string).start,
\
+- &(string).pointer, &(string).end))
++ &(string).pointer, &(string).end)) ?
\
++ 1 :
\
++ ((context)->error = YAML_MEMORY_ERROR,
\
++ 0))
+
+ #define CLEAR(context,string)
\
+ ((string).pointer = (string).start,
\
diff --git a/perl-YAML-LibYAML.spec b/perl-YAML-LibYAML.spec
index 86c8b70..0d09fee 100644
--- a/perl-YAML-LibYAML.spec
+++ b/perl-YAML-LibYAML.spec
@@ -1,12 +1,14 @@
Name: perl-YAML-LibYAML
Version: 0.41
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: Perl YAML Serialization using XS and libyaml
License: GPL+ or Artistic
Group: Development/Libraries
URL: http://search.cpan.org/dist/YAML-LibYAML/
Source0:
http://search.cpan.org/CPAN/authors/id/I/IN/INGY/YAML-LibYAML-%{version}.tar.gz
Patch0: YAML-LibYAML-0.35-format-error.patch
+Patch1: YAML-LibYAML-0.41-CVE-2014-2525.patch
+Patch2: YAML-LibYAML-0.41-CVE-2013-6393.patch
# Install
BuildRequires: perl(Cwd)
@@ -50,6 +52,12 @@ bound to Python and was later bound to Ruby.
# Fix format string vulnerabilities (CVE-2012-1152, CPAN RT#46507)
%patch0 -p1
+# Fix LibYAML input sanitization errors (CVE-2014-2525)
+%patch1
+
+# Fix heap-based buffer overflow when parsing YAML tags (CVE-2013-6393)
+%patch2
+
%build
perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}"
make %{?_smp_mflags}
@@ -71,6 +79,10 @@ make test
%{_mandir}/man3/YAML::XS::LibYAML.3pm*
%changelog
+* Thu Mar 27 2014 Paul Howarth <p...@city-fan.org> - 0.41-4
+- Fix LibYAML input sanitization errors (CVE-2014-2525)
+- Fix heap-based buffer overflow when parsing YAML tags (CVE-2013-6393)
+
* Sun Aug 04 2013 Fedora Release Engineering <rel-...@lists.fedoraproject.org>
- 0.41-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/perl-devel
