Accepting request 264652 from devel:libraries:c_c++

Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/264652
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libyaml?expand=0&rev=13

CVE-2014-9130.patch

@@ -0,0 +1,16 @@
+diff --git a/src/scanner.c b/src/scanner.c
+index 88d4fa5..c5f3d2f 100644
+--- a/src/scanner.c
++++ b/src/scanner.c
+@@ -1110,7 +1110,9 @@ yaml_parser_save_simple_key(yaml_parser_t *parser)
+      * line.  Therefore it is always allowed.  But we add a check anyway.
+      */
+ 
+-    assert(parser->simple_key_allowed || !required);    /* Impossible. */
++    /* XXX This caused:
++     * https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
++    assert(parser->simple_key_allowed || !required); */    /* Impossible. */
+ 
+     /*
+      * If the current position may start a simple key, save it.
+

libyaml.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Dec  3 12:49:34 UTC 2014 - jmassaguerpla@suse.com
+
+- fix CVE-2014-9130: libyaml: assert failure when processing
+  wrapped strings (bnc#907809)
+
+  CVE-2014-9130.patch contains the fix
+
 -------------------------------------------------------------------
 Fri Mar 28 16:10:41 UTC 2014 - jmassaguerpla@suse.com
 

libyaml.spec

@@ -22,6 +22,7 @@ Release:        0
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Url:            http://pyyaml.org/wiki/LibYAML
 Source:         http://pyyaml.org/download/libyaml/yaml-%{version}.tar.gz
+Patch0:         CVE-2014-9130.patch 
 BuildRequires:  pkg-config
 Summary:        A YAML 1.1 parser and emitter written in C
 License:        MIT
@@ -53,6 +54,7 @@ This package holds the development files for libyaml.
 
 %prep
 %setup -n yaml-%{version}
+%patch0 -p1
 
 %build
 %configure --with-pic --disable-static