Update to 0.54
- New upstream release 0.54
- Fix for an edge case in scanner that results in an assert() failing
(https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure)
- Drop upstreamed patches for CVE-2013-6393 and CVE-2014-2525
This commit is contained in:
Paul Howarth
parent
d1009bb022
commit
b6c7bcd356
@ -1,177 +0,0 @@
|
||||
# HG changeset patch
|
||||
# User Kirill Simonov <xi@resolvent.net>
|
||||
# Date 1391406104 21600
|
||||
# Node ID f859ed1eb757a3562b98a28a8ce69274bfd4b3f2
|
||||
# Parent da9bc6f12781a583076c7b60d057df5d7b50f96f
|
||||
Guard against overflows in indent and flow_level.
|
||||
|
||||
--- LibYAML/scanner.c
|
||||
+++ LibYAML/scanner.c
|
||||
@@ -615,11 +615,11 @@
|
||||
*/
|
||||
|
||||
static int
|
||||
-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
|
||||
- int number, yaml_token_type_t type, yaml_mark_t mark);
|
||||
+yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
|
||||
+ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark);
|
||||
|
||||
static int
|
||||
-yaml_parser_unroll_indent(yaml_parser_t *parser, int column);
|
||||
+yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column);
|
||||
|
||||
/*
|
||||
* Token fetchers.
|
||||
@@ -1103,7 +1103,7 @@
|
||||
*/
|
||||
|
||||
int required = (!parser->flow_level
|
||||
- && parser->indent == (int)parser->mark.column);
|
||||
+ && parser->indent == (ptrdiff_t)parser->mark.column);
|
||||
|
||||
/*
|
||||
* A simple key is required only when it is the first token in the current
|
||||
@@ -1176,6 +1176,9 @@
|
||||
|
||||
/* Increase the flow level. */
|
||||
|
||||
+ if (parser->flow_level == INT_MAX)
|
||||
+ return 0;
|
||||
+
|
||||
parser->flow_level++;
|
||||
|
||||
return 1;
|
||||
@@ -1206,8 +1209,8 @@
|
||||
*/
|
||||
|
||||
static int
|
||||
-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
|
||||
- int number, yaml_token_type_t type, yaml_mark_t mark)
|
||||
+yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
|
||||
+ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark)
|
||||
{
|
||||
yaml_token_t token;
|
||||
|
||||
@@ -1226,6 +1229,9 @@
|
||||
if (!PUSH(parser, parser->indents, parser->indent))
|
||||
return 0;
|
||||
|
||||
+ if (column > INT_MAX)
|
||||
+ return 0;
|
||||
+
|
||||
parser->indent = column;
|
||||
|
||||
/* Create a token and insert it into the queue. */
|
||||
@@ -1254,7 +1260,7 @@
|
||||
|
||||
|
||||
static int
|
||||
-yaml_parser_unroll_indent(yaml_parser_t *parser, int column)
|
||||
+yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column)
|
||||
{
|
||||
yaml_token_t token;
|
||||
|
||||
--- LibYAML/yaml_private.h
|
||||
+++ LibYAML/yaml_private.h
|
||||
@@ -7,6 +7,7 @@
|
||||
|
||||
#include <assert.h>
|
||||
#include <limits.h>
|
||||
+#include <stddef.h>
|
||||
|
||||
/*
|
||||
* Memory management.
|
||||
# HG changeset patch
|
||||
# User Kirill Simonov <xi@resolvent.net>
|
||||
# Date 1391409843 21600
|
||||
# Node ID af3599437a87162554787c52d8b16eab553f537b
|
||||
# Parent 0df2fb962294f3a6df1450a3e08c6a0f74f9078c
|
||||
Forgot to set the error state.
|
||||
|
||||
--- LibYAML/scanner.c
|
||||
+++ LibYAML/scanner.c
|
||||
@@ -1176,8 +1176,10 @@
|
||||
|
||||
/* Increase the flow level. */
|
||||
|
||||
- if (parser->flow_level == INT_MAX)
|
||||
+ if (parser->flow_level == INT_MAX) {
|
||||
+ parser->error = YAML_MEMORY_ERROR;
|
||||
return 0;
|
||||
+ }
|
||||
|
||||
parser->flow_level++;
|
||||
|
||||
@@ -1229,8 +1231,10 @@
|
||||
if (!PUSH(parser, parser->indents, parser->indent))
|
||||
return 0;
|
||||
|
||||
- if (column > INT_MAX)
|
||||
+ if (column > INT_MAX) {
|
||||
+ parser->error = YAML_MEMORY_ERROR;
|
||||
return 0;
|
||||
+ }
|
||||
|
||||
parser->indent = column;
|
||||
|
||||
Description: CVE-2013-6393: yaml_stack_extend: guard against integer overflow
|
||||
This is a hardening patch also from Florian Weimer
|
||||
<fweimer@redhat.com>. It is not required to fix this CVE however it
|
||||
improves the robustness of the code against future issues by avoiding
|
||||
large node ID's in a central place.
|
||||
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
|
||||
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
|
||||
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076
|
||||
Last-Update: 2014-01-29
|
||||
---
|
||||
# HG changeset patch
|
||||
# User Florian Weimer <fweimer@redhat.com>
|
||||
# Date 1389274355 -3600
|
||||
# Thu Jan 09 14:32:35 2014 +0100
|
||||
# Node ID 034d7a91581ac930e5958683f1a06f41e96d24a2
|
||||
# Parent a54d7af707f25dc298a7be60fd152001d2b3035b
|
||||
yaml_stack_extend: guard against integer overflow
|
||||
|
||||
--- LibYAML/api.c
|
||||
+++ LIBYAML/api.c
|
||||
@@ -117,7 +117,12 @@
|
||||
YAML_DECLARE(int)
|
||||
yaml_stack_extend(void **start, void **top, void **end)
|
||||
{
|
||||
- void *new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
|
||||
+ void *new_start;
|
||||
+
|
||||
+ if ((char *)*end - (char *)*start >= INT_MAX / 2)
|
||||
+ return 0;
|
||||
+
|
||||
+ new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
|
||||
|
||||
if (!new_start) return 0;
|
||||
|
||||
Description: CVE-2013-6393: yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow
|
||||
This is a proposed patch from Florian Weimer <fweimer@redhat.com> for
|
||||
the string overflow issue. It has been ack'd by upstream.
|
||||
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
|
||||
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
|
||||
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076
|
||||
Last-Update: 2014-01-29
|
||||
---
|
||||
# HG changeset patch
|
||||
# User Florian Weimer <fweimer@redhat.com>
|
||||
# Date 1389273500 -3600
|
||||
# Thu Jan 09 14:18:20 2014 +0100
|
||||
# Node ID a54d7af707f25dc298a7be60fd152001d2b3035b
|
||||
# Parent 3e6507fa0c26d20c09f8f468f2bd04aa2fd1b5b5
|
||||
yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow
|
||||
|
||||
--- LibYAML/scanner.c
|
||||
+++ LibYAML/scanner.c
|
||||
@@ -2621,7 +2621,7 @@
|
||||
|
||||
/* Resize the string to include the head. */
|
||||
|
||||
- while (string.end - string.start <= (int)length) {
|
||||
+ while ((size_t)(string.end - string.start) <= length) {
|
||||
if (!yaml_string_extend(&string.start, &string.pointer, &string.end)) {
|
||||
parser->error = YAML_MEMORY_ERROR;
|
||||
goto error;
|
||||
@ -1,38 +0,0 @@
|
||||
Description: CVE-2014-2525: Fixes heap overflow in yaml_parser_scan_uri_escapes
|
||||
The heap overflow is caused by not properly expanding a string before
|
||||
writing to it in function yaml_parser_scan_uri_escapes in scanner.c.
|
||||
|
||||
Origin: backport, https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048
|
||||
Author: Salvatore Bonaccorso <carnil@debian.org>
|
||||
Last-Update: 2014-03-20
|
||||
Applied-Upstream: 0.1.6
|
||||
|
||||
--- LibYAML/scanner.c
|
||||
+++ LibYAML/scanner.c
|
||||
@@ -2619,6 +2619,9 @@ yaml_parser_scan_tag_uri(yaml_parser_t *
|
||||
/* Check if it is a URI-escape sequence. */
|
||||
|
||||
if (CHECK(parser->buffer, '%')) {
|
||||
+ if (!STRING_EXTEND(parser, string))
|
||||
+ goto error;
|
||||
+
|
||||
if (!yaml_parser_scan_uri_escapes(parser,
|
||||
directive, start_mark, &string)) goto error;
|
||||
}
|
||||
--- LibYAML/yaml_private.h
|
||||
+++ LibYAML/yaml_private.h
|
||||
@@ -132,9 +132,12 @@ yaml_string_join(
|
||||
(string).start = (string).pointer = (string).end = 0)
|
||||
|
||||
#define STRING_EXTEND(context,string) \
|
||||
- (((string).pointer+5 < (string).end) \
|
||||
+ ((((string).pointer+5 < (string).end) \
|
||||
|| yaml_string_extend(&(string).start, \
|
||||
- &(string).pointer, &(string).end))
|
||||
+ &(string).pointer, &(string).end)) ? \
|
||||
+ 1 : \
|
||||
+ ((context)->error = YAML_MEMORY_ERROR, \
|
||||
+ 0))
|
||||
|
||||
#define CLEAR(context,string) \
|
||||
((string).pointer = (string).start, \
|
||||
@ -1,14 +1,12 @@
|
||||
Name: perl-YAML-LibYAML
|
||||
Version: 0.52
|
||||
Release: 3%{?dist}
|
||||
Version: 0.54
|
||||
Release: 1%{?dist}
|
||||
Summary: Perl YAML Serialization using XS and libyaml
|
||||
License: GPL+ or Artistic
|
||||
Group: Development/Libraries
|
||||
URL: http://search.cpan.org/dist/YAML-LibYAML/
|
||||
Source0: http://search.cpan.org/CPAN/authors/id/I/IN/INGY/YAML-LibYAML-%{version}.tar.gz
|
||||
Patch0: YAML-LibYAML-0.51-format-error.patch
|
||||
Patch1: YAML-LibYAML-0.41-CVE-2014-2525.patch
|
||||
Patch2: YAML-LibYAML-0.41-CVE-2013-6393.patch
|
||||
|
||||
# Install
|
||||
BuildRequires: perl
|
||||
@ -57,12 +55,6 @@ bound to Python and was later bound to Ruby.
|
||||
# Fix format string vulnerabilities (CVE-2012-1152, CPAN RT#46507)
|
||||
%patch0
|
||||
|
||||
# Fix LibYAML input sanitization errors (CVE-2014-2525)
|
||||
%patch1
|
||||
|
||||
# Fix heap-based buffer overflow when parsing YAML tags (CVE-2013-6393)
|
||||
%patch2
|
||||
|
||||
%build
|
||||
perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}"
|
||||
make %{?_smp_mflags}
|
||||
@ -81,11 +73,17 @@ make test
|
||||
%doc Changes CONTRIBUTING README
|
||||
%{perl_vendorarch}/auto/YAML/
|
||||
%{perl_vendorarch}/YAML/
|
||||
%{_mandir}/man3/YAML::LibYAML.3pm*
|
||||
%{_mandir}/man3/YAML::XS.3pm*
|
||||
%{_mandir}/man3/YAML::XS::LibYAML.3pm*
|
||||
%{_mandir}/man3/YAML::LibYAML.3*
|
||||
%{_mandir}/man3/YAML::XS.3*
|
||||
%{_mandir}/man3/YAML::XS::LibYAML.3*
|
||||
|
||||
%changelog
|
||||
* Sun Nov 30 2014 Paul Howarth <paul@city-fan.org> - 0.54-1
|
||||
- Update to 0.54
|
||||
- Fix for an edge case in scanner that results in an assert() failing
|
||||
(https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure)
|
||||
- Drop upstreamed patches for CVE-2013-6393 and CVE-2014-2525
|
||||
|
||||
* Tue Nov 18 2014 Jitka Plesnikova <jplesnik@redhat.com> - 0.52-3
|
||||
- Update BRs (bz#1165198)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user