From d61772d0007f10aed4322a86b2f299eb0cf26a77d777eec830af1aa9c0417dfd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Wed, 14 Feb 2018 17:48:05 +0000
Subject: [PATCH] Accepting request 576810 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - Security fix: [bsc#1032144, CVE-2017-5950] * Stack overflow in SingleDocParser::HandleNode() function * Added patch yaml-cpp-CVE-2017-5950.patch OBS-URL: https://build.opensuse.org/request/show/576810 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/yaml-cpp?expand=0&rev=22
---
 yaml-cpp-CVE-2017-5950.patch | 82 ++++++++++++++++++++++++++++++++++++
 yaml-cpp.changes | 7 +++
 yaml-cpp.spec | 3 ++
 3 files changed, 92 insertions(+)
 create mode 100644 yaml-cpp-CVE-2017-5950.patch
diff --git a/yaml-cpp-CVE-2017-5950.patch b/yaml-cpp-CVE-2017-5950.patch
new file mode 100644
index 0000000..4f6ead8
--- /dev/null
+++ b/yaml-cpp-CVE-2017-5950.patch
@@ -0,0 +1,82 @@
+Index: yaml-cpp-yaml-cpp-0.6.1/src/singledocparser.cpp
+===================================================================
+--- yaml-cpp-yaml-cpp-0.6.1.orig/src/singledocparser.cpp
++++ yaml-cpp-yaml-cpp-0.6.1/src/singledocparser.cpp
+@@ -46,6 +46,9 @@ void SingleDocParser::HandleDocument(Eve
+ }
+
+ void SingleDocParser::HandleNode(EventHandler& eventHandler) {
++ if (depth > depth_limit) {
++ throw ParserException(m_scanner.mark(), ErrorMsg::BAD_FILE);
++ }
+ // an empty node *is* a possibility
+ if (m_scanner.empty()) {
+ eventHandler.OnNull(m_scanner.mark(), NullAnchor);
+@@ -57,9 +60,11 @@ void SingleDocParser::HandleNode(EventHa
+
+ // special case: a value node by itself must be a map, with no header
+ if (m_scanner.peek().type == Token::VALUE) {
++ depth++;
+ eventHandler.OnMapStart(mark, "?", NullAnchor, EmitterStyle::Default);
+ HandleMap(eventHandler);
+ eventHandler.OnMapEnd();
++ depth--;
+ return;
+ }
+
+@@ -94,32 +99,42 @@ void SingleDocParser::HandleNode(EventHa
+ m_scanner.pop();
+ return;
+ case Token::FLOW_SEQ_START:
++ depth++;
+ eventHandler.OnSequenceStart(mark, tag, anchor, EmitterStyle::Flow);
+ HandleSequence(eventHandler);
+ eventHandler.OnSequenceEnd();
++ depth--;
+ return;
+ case Token::BLOCK_SEQ_START:
++ depth++;
+ eventHandler.OnSequenceStart(mark, tag, anchor, EmitterStyle::Block);
+ HandleSequence(eventHandler);
+ eventHandler.OnSequenceEnd();
++ depth--;
+ return;
+ case Token::FLOW_MAP_START:
++ depth++;
+ eventHandler.OnMapStart(mark, tag, anchor, EmitterStyle::Flow);
+ HandleMap(eventHandler);
+ eventHandler.OnMapEnd();
++ depth--;
+ return;
+ case Token::BLOCK_MAP_START:
++ depth++;
+ eventHandler.OnMapStart(mark, tag, anchor, EmitterStyle::Block);
+ HandleMap(eventHandler);
+ eventHandler.OnMapEnd();
++ depth--;
+ return;
+ case Token::KEY:
+ // compact maps can only go in a flow sequence
+ if (m_pCollectionStack->GetCurCollectionType() ==
+ CollectionType::FlowSeq) {
++ depth++;
+ eventHandler.OnMapStart(mark, tag, anchor, EmitterStyle::Flow);
+ HandleMap(eventHandler);
+ eventHandler.OnMapEnd();
++ depth--;
+ return;
+ }
+ break;
+Index: yaml-cpp-yaml-cpp-0.6.1/src/singledocparser.h
+===================================================================
+--- yaml-cpp-yaml-cpp-0.6.1.orig/src/singledocparser.h
++++ yaml-cpp-yaml-cpp-0.6.1/src/singledocparser.h
+@@ -51,6 +51,8 @@ class SingleDocParser : private noncopya
+ anchor_t LookupAnchor(const Mark& mark, const std::string& name) const;
+
+ private:
++ int depth = 0;
++ int depth_limit = 2048;
+ Scanner& m_scanner;
+ const Directives& m_directives;
+ std::unique_ptr m_pCollectionStack;
diff --git a/yaml-cpp.changes b/yaml-cpp.changes
index d29200d..c52dc60 100644
--- a/yaml-cpp.changes
+++ b/yaml-cpp.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Feb 14 16:01:53 UTC 2018 - pmonrealgonzalez@suse.com
+
+- Security fix: [bsc#1032144, CVE-2017-5950]
+ * Stack overflow in SingleDocParser::HandleNode() function
+ * Added patch yaml-cpp-CVE-2017-5950.patch
+
 -------------------------------------------------------------------
 Fri Feb 2 16:56:09 UTC 2018 - tchvatal@suse.com
diff --git a/yaml-cpp.spec b/yaml-cpp.spec
index 3fb54e3..8fc31b3 100644
--- a/yaml-cpp.spec
+++ b/yaml-cpp.spec
@@ -28,6 +28,8 @@ Source: https://github.com/jbeder/yaml-cpp/archive/%{name}-%{version}.ta
 # PATCH-FIX-UPSTREAM: do not override opts for linker as distro provides
 # correct ones
 Patch0: yaml-cpp-fix-pie.patch
+# PATCH-FIX-UPSTREAM bsc#1032144 CVE-2017-5950 Stack overflow in SingleDocParser::HandleNode()
+Patch1: yaml-cpp-CVE-2017-5950.patch
 BuildRequires: cmake
 BuildRequires: pkgconfig
 BuildRequires: sed
@@ -60,6 +62,7 @@ Development files for %{name} library.
 %prep
 %setup -q -n %{name}-%{name}-%{version}
 %patch0 -p1
+%patch1 -p1
 %build
 export CC=gcc
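Review bot: The `depth++`/`depth--` pairs added around every HandleMap/HandleSequence call in singledocparser.cpp are balanced only on the normal return path, so a ParserException thrown from inside the nested call leaves `depth` permanently raised; that is harmless if a SingleDocParser is discarded after an exception, which this hunk does not show, but a small RAII guard keeps the counter correct on every exit path and removes the need to remember the decrement in each `case`. The new members in singledocparser.h carry no explanation: `int depth_limit = 2048;` is a mutable member with an unexplained value, and it should at least be `const` with a comment stating that it bounds the HandleNode recursion and must stay below what the smallest supported thread stack can hold for these frames, e.g. `// Max nesting of collections before HandleNode refuses to recurse (CVE-2017-5950).`. Because the check runs before the increment, the parser rejects input only one level past `depth_limit`, which is acceptable but worth stating next to the check so nobody later "fixes" the off-by-one. Separately, the context line `+ std::unique_ptr m_pCollectionStack;` as rendered here lacks its template argument; if the patch file really reads that way the header hunk will not apply, so confirm it against the file in the package. HandleNode starts before and continues after the hunks quoted in this patch.
```cpp
// Bumps the nesting counter for one collection and undoes it on every exit
// path, including exceptions, so `depth` can never drift upward.
struct DepthGuard {
  int& depth;
  explicit DepthGuard(int& d) : depth(d) { ++depth; }
  ~DepthGuard() { --depth; }
};

// … unchanged: HandleNode prologue and the depth_limit check …
    case Token::FLOW_SEQ_START: {
      DepthGuard guard(depth);
      eventHandler.OnSequenceStart(mark, tag, anchor, EmitterStyle::Flow);
      HandleSequence(eventHandler);
      eventHandler.OnSequenceEnd();
      return;
    }
// … unchanged: the other collection cases, rewritten the same way …
```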