From 9f5106c6895fb62b6e4d754ec7c7aa4b34699a04 Mon Sep 17 00:00:00 2001
From: John Eckersberg <jeckersb@redhat.com>
Date: Wed, 29 Jan 2014 12:21:05 -0500
Subject: [PATCH] Add patches for CVE-2013-6393 (bz1033990)

---
 ...-2013-6393-indent-column-overflow-v2.patch | 140 ++++++++++++++++++
 libyaml-CVE-2013-6393-node-id-hardening.patch |  25 ++++
 libyaml-CVE-2013-6393-string-overflow.patch   |  20 +++
 libyaml.spec                                  |  14 +-
 4 files changed, 197 insertions(+), 2 deletions(-)
 create mode 100644 libyaml-CVE-2013-6393-indent-column-overflow-v2.patch
 create mode 100644 libyaml-CVE-2013-6393-node-id-hardening.patch
 create mode 100644 libyaml-CVE-2013-6393-string-overflow.patch

diff --git a/libyaml-CVE-2013-6393-indent-column-overflow-v2.patch b/libyaml-CVE-2013-6393-indent-column-overflow-v2.patch
new file mode 100644
index 0000000..a62c9d1
--- /dev/null
+++ b/libyaml-CVE-2013-6393-indent-column-overflow-v2.patch
@@ -0,0 +1,140 @@
+# HG changeset patch
+# User John Eckersberg <jeckersb@redhat.com>
+# Date 1390870108 18000
+#      Mon Jan 27 19:48:28 2014 -0500
+# Node ID 7179aa474f31e73834adda26b77bfc25bfe5143d
+# Parent  3e6507fa0c26d20c09f8f468f2bd04aa2fd1b5b5
+yaml_parser-{un,}roll-indent: fix int overflow in column argument
+
+diff -r 3e6507fa0c26 -r 7179aa474f31 src/scanner.c
+--- a/src/scanner.c	Mon Dec 24 03:51:32 2012 +0000
++++ b/src/scanner.c	Mon Jan 27 19:48:28 2014 -0500
+@@ -615,11 +615,14 @@
+  */
+ 
+ static int
+-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
++yaml_parser_roll_indent(yaml_parser_t *parser, size_t column,
+         int number, yaml_token_type_t type, yaml_mark_t mark);
+ 
+ static int
+-yaml_parser_unroll_indent(yaml_parser_t *parser, int column);
++yaml_parser_unroll_indent(yaml_parser_t *parser, size_t column);
++
++static int
++yaml_parser_reset_indent(yaml_parser_t *parser);
+ 
+ /*
+  * Token fetchers.
+@@ -1206,7 +1209,7 @@
+  */
+ 
+ static int
+-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
++yaml_parser_roll_indent(yaml_parser_t *parser, size_t column,
+         int number, yaml_token_type_t type, yaml_mark_t mark)
+ {
+     yaml_token_t token;
+@@ -1216,7 +1219,7 @@
+     if (parser->flow_level)
+         return 1;
+ 
+-    if (parser->indent < column)
++    if (parser->indent == -1 || parser->indent < column)
+     {
+         /*
+          * Push the current indentation level to the stack and set the new
+@@ -1254,7 +1257,7 @@
+ 
+ 
+ static int
+-yaml_parser_unroll_indent(yaml_parser_t *parser, int column)
++yaml_parser_unroll_indent(yaml_parser_t *parser, size_t column)
+ {
+     yaml_token_t token;
+ 
+@@ -1263,6 +1266,15 @@
+     if (parser->flow_level)
+         return 1;
+ 
++    /*
++     * column is unsigned and parser->indent is signed, so if
++     * parser->indent is less than zero the conditional in the while
++     * loop below is incorrect.  Guard against that.
++     */
++    
++    if (parser->indent < 0)
++        return 1;
++
+     /* Loop through the intendation levels in the stack. */
+ 
+     while (parser->indent > column)
+@@ -1283,6 +1295,41 @@
+ }
+ 
+ /*
++ * Pop indentation levels from the indents stack until the current
++ * level resets to -1.  For each intendation level, append the
++ * BLOCK-END token.
++ */
++
++static int
++yaml_parser_reset_indent(yaml_parser_t *parser)
++{
++    yaml_token_t token;
++
++    /* In the flow context, do nothing. */
++
++    if (parser->flow_level)
++        return 1;
++
++    /* Loop through the intendation levels in the stack. */
++
++    while (parser->indent > -1)
++    {
++        /* Create a token and append it to the queue. */
++
++        TOKEN_INIT(token, YAML_BLOCK_END_TOKEN, parser->mark, parser->mark);
++
++        if (!ENQUEUE(parser, parser->tokens, token))
++            return 0;
++
++        /* Pop the indentation level. */
++
++        parser->indent = POP(parser, parser->indents);
++    }
++
++    return 1;
++}
++
++/*
+  * Initialize the scanner and produce the STREAM-START token.
+  */
+ 
+@@ -1338,7 +1385,7 @@
+ 
+     /* Reset the indentation level. */
+ 
+-    if (!yaml_parser_unroll_indent(parser, -1))
++    if (!yaml_parser_reset_indent(parser))
+         return 0;
+ 
+     /* Reset simple keys. */
+@@ -1369,7 +1416,7 @@
+ 
+     /* Reset the indentation level. */
+ 
+-    if (!yaml_parser_unroll_indent(parser, -1))
++    if (!yaml_parser_reset_indent(parser))
+         return 0;
+ 
+     /* Reset simple keys. */
+@@ -1407,7 +1454,7 @@
+ 
+     /* Reset the indentation level. */
+ 
+-    if (!yaml_parser_unroll_indent(parser, -1))
++    if (!yaml_parser_reset_indent(parser))
+         return 0;
+ 
+     /* Reset simple keys. */
diff --git a/libyaml-CVE-2013-6393-node-id-hardening.patch b/libyaml-CVE-2013-6393-node-id-hardening.patch
new file mode 100644
index 0000000..364264b
--- /dev/null
+++ b/libyaml-CVE-2013-6393-node-id-hardening.patch
@@ -0,0 +1,25 @@
+# HG changeset patch
+# User Florian Weimer <fweimer@redhat.com>
+# Date 1389274355 -3600
+#      Thu Jan 09 14:32:35 2014 +0100
+# Node ID 034d7a91581ac930e5958683f1a06f41e96d24a2
+# Parent  a54d7af707f25dc298a7be60fd152001d2b3035b
+yaml_stack_extend: guard against integer overflow
+
+diff --git a/src/api.c b/src/api.c
+--- a/src/api.c
++++ b/src/api.c
+@@ -117,7 +117,12 @@
+ YAML_DECLARE(int)
+ yaml_stack_extend(void **start, void **top, void **end)
+ {
+-    void *new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
++    void *new_start;
++
++    if ((char *)*end - (char *)*start >= INT_MAX / 2)
++	return 0;
++
++    new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
+ 
+     if (!new_start) return 0;
+ 
diff --git a/libyaml-CVE-2013-6393-string-overflow.patch b/libyaml-CVE-2013-6393-string-overflow.patch
new file mode 100644
index 0000000..df63474
--- /dev/null
+++ b/libyaml-CVE-2013-6393-string-overflow.patch
@@ -0,0 +1,20 @@
+# HG changeset patch
+# User Florian Weimer <fweimer@redhat.com>
+# Date 1389273500 -3600
+#      Thu Jan 09 14:18:20 2014 +0100
+# Node ID a54d7af707f25dc298a7be60fd152001d2b3035b
+# Parent  3e6507fa0c26d20c09f8f468f2bd04aa2fd1b5b5
+yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow
+
+diff --git a/src/scanner.c b/src/scanner.c
+--- a/src/scanner.c
++++ b/src/scanner.c
+@@ -2574,7 +2574,7 @@
+ 
+     /* Resize the string to include the head. */
+ 
+-    while (string.end - string.start <= (int)length) {
++    while ((size_t)(string.end - string.start) <= length) {
+         if (!yaml_string_extend(&string.start, &string.pointer, &string.end)) {
+             parser->error = YAML_MEMORY_ERROR;
+             goto error;
diff --git a/libyaml.spec b/libyaml.spec
index c8b0495..e5db913 100644
--- a/libyaml.spec
+++ b/libyaml.spec
@@ -4,7 +4,7 @@
 
 Name:       libyaml
 Version:    0.1.4
-Release:    5%{?dist}
+Release:    6%{?dist}
 Summary:    YAML 1.1 parser and emitter written in C
 
 Group:      System Environment/Libraries
@@ -13,6 +13,11 @@ URL:        http://pyyaml.org/
 Source0:    http://pyyaml.org/download/libyaml/%{tarballname}-%{version}.tar.gz
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
+# CVE-2013-6393
+# https://bugzilla.redhat.com/show_bug.cgi?id=1033990
+Patch0:     libyaml-CVE-2013-6393-string-overflow.patch
+Patch1:     libyaml-CVE-2013-6393-node-id-hardening.patch
+Patch2:     libyaml-CVE-2013-6393-indent-column-overflow-v2.patch
 
 %description
 YAML is a data serialization format designed for human readability and
@@ -33,7 +38,9 @@ developing applications that use LibYAML.
 
 %prep
 %setup -q -n %{tarballname}-%{version}
-
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
 
 %build
 %configure
@@ -75,6 +82,9 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Wed Jan 29 2014 John Eckersberg <jeckersb@redhat.com> - 0.1.4-6
+- Add patches for CVE-2013-6393 (bz1033990)
+
 * Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.4-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild