merge

OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/perl-YAML-LibYAML?expand=0&rev=6

CVE-2012-1152-YAML-LibYAML-0.35-format-error.patch

@@ -0,0 +1,39 @@
+diff -urbaN YAML-LibYAML-0.35-orig//LibYAML/perl_libyaml.c YAML-LibYAML-0.35/LibYAML/perl_libyaml.c
+--- YAML-LibYAML-0.35-orig//LibYAML/perl_libyaml.c	2011-04-03 18:28:08.000000000 +0200
++++ YAML-LibYAML-0.35/LibYAML/perl_libyaml.c	2011-04-08 09:25:49.633009787 +0200
+@@ -188,7 +188,7 @@
+     return;
+ 
+ load_error:
+-    croak(loader_error_msg(&loader, NULL));
++    croak("%s", loader_error_msg(&loader, NULL));
+ }
+ 
+ /*
+@@ -271,7 +271,7 @@
+     return return_sv;
+ 
+     load_error:
+-        croak(loader_error_msg(loader, NULL));
++        croak("%s", loader_error_msg(loader, NULL));
+ }
+ 
+ /*
+@@ -314,7 +314,7 @@
+         else if (strlen(tag) <= strlen(prefix) ||
+             ! strnEQ(tag, prefix, strlen(prefix))
+         ) croak(
+-            loader_error_msg(loader, form("bad tag found for hash: '%s'", tag))
++            "%s", loader_error_msg(loader, form("bad tag found for hash: '%s'", tag))
+         );
+         class = tag + strlen(prefix);
+         sv_bless(hash_ref, gv_stashpv(class, TRUE)); 
+@@ -347,7 +347,7 @@
+         else if (strlen(tag) <= strlen(prefix) ||
+             ! strnEQ(tag, prefix, strlen(prefix))
+         ) croak(
+-            loader_error_msg(loader, form("bad tag found for array: '%s'", tag))
++            "%s", loader_error_msg(loader, form("bad tag found for array: '%s'", tag))
+         );
+         class = tag + strlen(prefix);
+         sv_bless(array_ref, gv_stashpv(class, TRUE)); 

perl-YAML-LibYAML.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Apr 25 23:01:47 UTC 2012 - pascal.bleser@opensuse.org
+
+- CVE-2012-1152: added patch to fix multiple format string flaws:
+  A remote attacker could provide a specially-crafted YAML document, which once
+  processed by the perl-YAML-LibYAML interface would lead to perl-YAML-LibYAML
+  based process crash. bnc#751503
+
 -------------------------------------------------------------------
 Sun Oct 02 23:37:11 UTC 2011 - pascal.bleser@opensuse.org
 

perl-YAML-LibYAML.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package perl-YAML-LibYAML
 #
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,17 +16,17 @@
 #
 
 
-
 Name:           perl-YAML-LibYAML
 Version:        0.37
-Release:        1
+Release:        0
-License:        GPL-1.0+ or Artistic-1.0
 %define cpan_name YAML-LibYAML
 Summary:        YAML::LibYAML Perl module
-Url:            http://search.cpan.org/dist/YAML-LibYAML/
+License:        GPL-1.0+ or Artistic-1.0
 Group:          Development/Libraries/Perl
+Url:            http://search.cpan.org/dist/YAML-LibYAML/
 #Source:         http://www.cpan.org/authors/id/I/IN/INGY/YAML-LibYAML-%{version}.tar.gz
 Source:         %{cpan_name}-%{version}.tar.gz
+Patch1:         CVE-2012-1152-YAML-LibYAML-0.35-format-error.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  perl
 BuildRequires:  perl-macros
@@ -45,6 +45,7 @@ to work exactly like YAML.pm's corresponding functions.
 
 %prep
 %setup -q -n %{cpan_name}-%{version}
+%patch1 -p1
 
 %build
 %{__perl} Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}"