Add patch for CVE-2014-9130 (bug 1204829)

2015-03-23 12:43:21 -04:00 · 2015-03-23 12:43:21 -04:00 · c2497343a5
commit c2497343a5
parent 72978d4809
2 changed files with 45 additions and 1 deletions
--- a/PyYAML-CVE-2014-9130.patch
+++ b/PyYAML-CVE-2014-9130.patch
@ -0,0 +1,35 @@
+# HG changeset patch
+# User Kirill Simonov <xi@resolvent.net>
+# Date 1417197216 21600
+# Node ID ddf211a41bb231c365fece5599b7e484e6dc33fc
+# Parent  263dff6f9664ccdc532283ba5c7b282c0e436a7b
+Removed invalid simple key assertion.
+
+diff --git a/lib/yaml/scanner.py b/lib/yaml/scanner.py
+--- a/lib/yaml/scanner.py
+++ b/lib/yaml/scanner.py
+@@ -297,10 +297,6 @@
+         # Check if a simple key is required at the current position.
+         required = not self.flow_level and self.indent == self.column
+ 
+-        # A simple key is required only if it is the first token in the current
+-        # line. Therefore it is always allowed.
+-        assert self.allow_simple_key or not required
+-
+         # The next token might be a simple key. Let's save it's number and
+         # position.
+         if self.allow_simple_key:
+diff --git a/lib3/yaml/scanner.py b/lib3/yaml/scanner.py
+--- a/lib3/yaml/scanner.py
+++ b/lib3/yaml/scanner.py
+@@ -297,10 +297,6 @@
+         # Check if a simple key is required at the current position.
+         required = not self.flow_level and self.indent == self.column
+ 
+-        # A simple key is required only if it is the first token in the current
+-        # line. Therefore it is always allowed.
+-        assert self.allow_simple_key or not required
+-
+         # The next token might be a simple key. Let's save it's number and
+         # position.
+         if self.allow_simple_key:
--- a/PyYAML.spec
+++ b/PyYAML.spec
@ -6,7 +6,7 @@

 Name:           PyYAML
 Version:        3.11
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        YAML parser and emitter for Python

 Group:          Development/Libraries
@ -27,6 +27,10 @@ BuildRequires: python3-Cython
 # https://bitbucket.org/xi/pyyaml/issue/35/test-fails-on-be-s390-x-ppc64
 Patch0: debian-big-endian-fix.patch

+# CVE-2014-9130 assert failure when processing wrapped strings
+# https://bugzilla.redhat.com/show_bug.cgi?id=1204829
+Patch1: PyYAML-CVE-2014-9130.patch
+
 %description
 YAML is a data serialization format designed for human readability and
 interaction with scripting languages.  PyYAML is a YAML parser and
@ -65,6 +69,8 @@ configuration files to object serialization and persistance.
 %patch0 -p1 -b .be
 chmod a-x examples/yaml-highlight/yaml_hl.py

+%patch1 -p1
+
 # remove pre-generated file
 rm -rf ext/_yaml.c

@ -121,6 +127,9 @@ popd


 %changelog
+* Mon Mar 23 2015 John Eckersberg <eck@redhat.com> - 3.11-7
+- Add patch for CVE-2014-9130 (bug 1204829)
+
 * Mon Sep 15 2014 Jakub Čajka <jcajka@redhat.com> - 3.11-6
 - fixed typecast issues using debian patch(int->size_t)(BZ#1140189)
 - spec file cleanup