diff --git a/yaml-cpp-CVE-2017-5950.patch b/yaml-cpp-CVE-2017-5950.patch
new file mode 100644
index 0000000..4f6ead8
--- /dev/null
+++ b/yaml-cpp-CVE-2017-5950.patch
@@ -0,0 +1,82 @@
+Index: yaml-cpp-yaml-cpp-0.6.1/src/singledocparser.cpp
+===================================================================
+--- yaml-cpp-yaml-cpp-0.6.1.orig/src/singledocparser.cpp
++++ yaml-cpp-yaml-cpp-0.6.1/src/singledocparser.cpp
+@@ -46,6 +46,9 @@ void SingleDocParser::HandleDocument(Eve
+ }
+
+ void SingleDocParser::HandleNode(EventHandler& eventHandler) {
++ if (depth > depth_limit) {
++ throw ParserException(m_scanner.mark(), ErrorMsg::BAD_FILE);
++ }
+ // an empty node *is* a possibility
+ if (m_scanner.empty()) {
+ eventHandler.OnNull(m_scanner.mark(), NullAnchor);
+@@ -57,9 +60,11 @@ void SingleDocParser::HandleNode(EventHa
+
+ // special case: a value node by itself must be a map, with no header
+ if (m_scanner.peek().type == Token::VALUE) {
++ depth++;
+ eventHandler.OnMapStart(mark, "?", NullAnchor, EmitterStyle::Default);
+ HandleMap(eventHandler);
+ eventHandler.OnMapEnd();
++ depth--;
+ return;
+ }
+
+@@ -94,32 +99,42 @@ void SingleDocParser::HandleNode(EventHa
+ m_scanner.pop();
+ return;
+ case Token::FLOW_SEQ_START:
++ depth++;
+ eventHandler.OnSequenceStart(mark, tag, anchor, EmitterStyle::Flow);
+ HandleSequence(eventHandler);
+ eventHandler.OnSequenceEnd();
++ depth--;
+ return;
+ case Token::BLOCK_SEQ_START:
++ depth++;
+ eventHandler.OnSequenceStart(mark, tag, anchor, EmitterStyle::Block);
+ HandleSequence(eventHandler);
+ eventHandler.OnSequenceEnd();
++ depth--;
+ return;
+ case Token::FLOW_MAP_START:
++ depth++;
+ eventHandler.OnMapStart(mark, tag, anchor, EmitterStyle::Flow);
+ HandleMap(eventHandler);
+ eventHandler.OnMapEnd();
++ depth--;
+ return;
+ case Token::BLOCK_MAP_START:
++ depth++;
+ eventHandler.OnMapStart(mark, tag, anchor, EmitterStyle::Block);
+ HandleMap(eventHandler);
+ eventHandler.OnMapEnd();
++ depth--;
+ return;
+ case Token::KEY:
+ // compact maps can only go in a flow sequence
+ if (m_pCollectionStack->GetCurCollectionType() ==
+ CollectionType::FlowSeq) {
++ depth++;
+ eventHandler.OnMapStart(mark, tag, anchor, EmitterStyle::Flow);
+ HandleMap(eventHandler);
+ eventHandler.OnMapEnd();
++ depth--;
+ return;
+ }
+ break;
+Index: yaml-cpp-yaml-cpp-0.6.1/src/singledocparser.h
+===================================================================
+--- yaml-cpp-yaml-cpp-0.6.1.orig/src/singledocparser.h
++++ yaml-cpp-yaml-cpp-0.6.1/src/singledocparser.h
+@@ -51,6 +51,8 @@ class SingleDocParser : private noncopya
+ anchor_t LookupAnchor(const Mark& mark, const std::string& name) const;
+
+ private:
++ int depth = 0;
++ int depth_limit = 2048;
+ Scanner& m_scanner;
+ const Directives& m_directives;
+ std::unique_ptr m_pCollectionStack;
diff --git a/yaml-cpp.changes b/yaml-cpp.changes
index d29200d..c52dc60 100644
--- a/yaml-cpp.changes
+++ b/yaml-cpp.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Feb 14 16:01:53 UTC 2018 - pmonrealgonzalez@suse.com
+
+- Security fix: [bsc#1032144, CVE-2017-5950]
+ * Stack overflow in SingleDocParser::HandleNode() function
+ * Added patch yaml-cpp-CVE-2017-5950.patch
+
 -------------------------------------------------------------------
 Fri Feb 2 16:56:09 UTC 2018 - tchvatal@suse.com
diff --git a/yaml-cpp.spec b/yaml-cpp.spec
index 3fb54e3..8fc31b3 100644
--- a/yaml-cpp.spec
+++ b/yaml-cpp.spec
@@ -28,6 +28,8 @@ Source: https://github.com/jbeder/yaml-cpp/archive/%{name}-%{version}.ta
 # PATCH-FIX-UPSTREAM: do not override opts for linker as distro provides
 # correct ones
 Patch0: yaml-cpp-fix-pie.patch
+# PATCH-FIX-UPSTREAM bsc#1032144 CVE-2017-5950 Stack overflow in SingleDocParser::HandleNode()
+Patch1: yaml-cpp-CVE-2017-5950.patch
 BuildRequires: cmake
 BuildRequires: pkgconfig
 BuildRequires: sed
@@ -60,6 +62,7 @@ Development files for %{name} library.
 %prep
 %setup -q -n %{name}-%{name}-%{version}
 %patch0 -p1
+%patch1 -p1
 %build
 export CC=gcc
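Review bot: The six hand-written `depth++` / `depth--` pairs wrapped around HandleMap/HandleSequence in the singledocparser.cpp hunk are not exception-safe: when the nested call throws — and the new `depth > depth_limit` check at the top of HandleNode is itself a throw that unwinds back through every level — the `depth--` lines are skipped and the counter stays elevated, which only matters if a SingleDocParser instance can be reused after a ParserException, something this hunk does not show and worth confirming against Parser. An RAII scope guard that increments in its constructor and decrements in its destructor removes that hazard and collapses the six repeated pairs into one line each; a sketch follows, meant for an anonymous namespace in singledocparser.cpp. Separately, `int depth_limit = 2048;` in the singledocparser.h hunk is a mutable per-instance member that nothing in this patch assigns, so `static constexpr int depth_limit = 2048;` plus a comment such as `// Max collection nesting before BAD_FILE; each level adds recursive HandleNode/HandleMap/HandleSequence frames, so keep this well below what the smallest thread stack the library runs on can hold` would record the assumption the fix rests on. Reusing `ErrorMsg::BAD_FILE` also gives callers no hint that the nesting limit was hit; a dedicated message would be more diagnosable if ErrorMsg can be extended. HandleNode's body starts and ends outside the hunks shown.
```cpp
namespace {
// Keeps `depth` incremented for the lifetime of one nested collection; the
// destructor runs on the normal return and on the ParserException path alike.
class DepthGuard {
 public:
  explicit DepthGuard(int& depth) : m_depth(depth) { ++m_depth; }
  ~DepthGuard() { --m_depth; }
  DepthGuard(const DepthGuard&) = delete;
  DepthGuard& operator=(const DepthGuard&) = delete;

 private:
  int& m_depth;
};
}  // namespace

// … unchanged: HandleNode up to the switch on the token type …
    case Token::FLOW_SEQ_START: {
      DepthGuard guard(depth);
      eventHandler.OnSequenceStart(mark, tag, anchor, EmitterStyle::Flow);
      HandleSequence(eventHandler);
      eventHandler.OnSequenceEnd();
      return;
    }
    // … unchanged apart from the same DepthGuard replacing depth++/depth-- in the
    // BLOCK_SEQ_START, FLOW_MAP_START, BLOCK_MAP_START, KEY and VALUE cases …
```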