From 83296f9f6f865f813e094172eefac63b42f018a20fdb3057a70d70e0bca17ed3 Mon Sep 17 00:00:00 2001
From: Jordi Massaguer
Date: Wed, 3 Dec 2014 13:00:09 +0000
Subject: [PATCH] - fix CVE-2014-9130: libyaml: assert failure when processing wrapped strings (bnc#907809)
CVE-2014-9130.patch contains the fix
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libyaml?expand=0&rev=15
---
 CVE-2014-9130.patch | 16 ++++++++++++++++
 libyaml.changes | 8 ++++++++
 libyaml.spec | 2 ++
 3 files changed, 26 insertions(+)
 create mode 100644 CVE-2014-9130.patch
diff --git a/CVE-2014-9130.patch b/CVE-2014-9130.patch
new file mode 100644
index 0000000..96e14d2
--- /dev/null
+++ b/CVE-2014-9130.patch
@@ -0,0 +1,16 @@
+diff --git a/src/scanner.c b/src/scanner.c
+index 88d4fa5..c5f3d2f 100644
+--- a/src/scanner.c
++++ b/src/scanner.c
+@@ -1110,7 +1110,9 @@ yaml_parser_save_simple_key(yaml_parser_t *parser)
+ * line. Therefore it is always allowed. But we add a check anyway.
+ */
+
+- assert(parser->simple_key_allowed || !required); /* Impossible. */
++ /* XXX This caused:
++ * https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
++ assert(parser->simple_key_allowed || !required); */ /* Impossible. */
+
+ /*
+ * If the current position may start a simple key, save it.
+
diff --git a/libyaml.changes b/libyaml.changes
index dc40716..d8ebd2f 100644
--- a/libyaml.changes
+++ b/libyaml.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Dec 3 12:49:34 UTC 2014 - jmassaguerpla@suse.com
+
+- fix CVE-2014-9130: libyaml: assert failure when processing
+ wrapped strings (bnc#907809)
+
+ CVE-2014-9130.patch contains the fix
+
 -------------------------------------------------------------------
 Fri Mar 28 16:10:41 UTC 2014 - jmassaguerpla@suse.com
diff --git a/libyaml.spec b/libyaml.spec
index 2745e3f..9f77f21 100644
--- a/libyaml.spec
+++ b/libyaml.spec
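Review bot: The assert in yaml_parser_save_simple_key is disabled by folding it into a comment, which leaves the text above it ("Therefore it is always allowed. But we add a check anyway.") and the trailing `/* Impossible. */` describing an invariant that the linked issue shows parser input can break. Deleting the line and rewording the comment would read better, for example `/* A required key can be seen while simple_key_allowed is 0 (libyaml issue 10); never assert on document content. */`. With the check gone, the `required && !simple_key_allowed` state now runs on into the code under "If the current position may start a simple key, save it.", which continues outside this hunk, so it should be confirmed that this path only skips saving the key. A regression test that feeds the wrapped-string document from the issue to the scanner would keep the abort from returning.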
@@ -22,6 +22,7 @@ Release: 0
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 Url: http://pyyaml.org/wiki/LibYAML
 Source: http://pyyaml.org/download/libyaml/yaml-%{version}.tar.gz
+Patch0: CVE-2014-9130.patch
 BuildRequires: pkg-config
 Summary: A YAML 1.1 parser and emitter written in C
 License: MIT
@@ -53,6 +54,7 @@ This package holds the development files for libyaml.
 %prep
 %setup -n yaml-%{version}
+%patch0 -p1
 %build
 %configure --with-pic --disable-static