commit 2e17fd3f16300ddd36d5bf1664bd6eee50a8494e
Author: Paul Howarth <paul@xxxxxxxxxxxx>
Date: Thu Mar 27 13:52:30 2014 +0000
Add fixes for CVE-2013-6393 and CVE-2014-2525
- Fix LibYAML input sanitization errors (CVE-2014-2525)
- Fix heap-based buffer overflow when parsing YAML tags (CVE-2013-6393)
YAML-LibYAML-0.38-CVE-2013-6393.patch | 105 +++++++++++++++++++++++++++++++++
YAML-LibYAML-0.38-CVE-2014-2525.patch | 38 ++++++++++++
perl-YAML-LibYAML.spec | 16 +++++-
3 files changed, 157 insertions(+), 2 deletions(-)
---
diff --git a/YAML-LibYAML-0.38-CVE-2013-6393.patch b/YAML-LibYAML-0.38-CVE-2013-6393.patch
new file mode 100644
index 0000000..61186cb
--- /dev/null
+++ b/YAML-LibYAML-0.38-CVE-2013-6393.patch
@@ -0,0 +1,105 @@
+--- LibYAML/api.c
++++ LibYAML/api.c
+@@ -117,7 +117,12 @@ yaml_string_join(
+ YAML_DECLARE(int)
+ yaml_stack_extend(void **start, void **top, void **end)
+ {
+- void *new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
++ void *new_start;
++
++ if ((char *)*end - (char *)*start >= INT_MAX / 2)
++ return 0;
++
++ new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
+
+ if (!new_start) return 0;
+
+--- LibYAML/scanner.c
++++ LibYAML/scanner.c
+@@ -615,11 +615,11 @@ yaml_parser_decrease_flow_level(yaml_par
+ */
+
+ static int
+-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
+- int number, yaml_token_type_t type, yaml_mark_t mark);
++yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
++ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark);
+
+ static int
+-yaml_parser_unroll_indent(yaml_parser_t *parser, int column);
++yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column);
+
+ /*
+ * Token fetchers.
+@@ -1103,7 +1103,7 @@ yaml_parser_save_simple_key(yaml_parser_
+ */
+
+ int required = (!parser->flow_level
+- && parser->indent == (int)parser->mark.column);
++ && parser->indent == (ptrdiff_t)parser->mark.column);
+
+ /*
+ * A simple key is required only when it is the first token in the current
+@@ -1174,6 +1174,11 @@ yaml_parser_increase_flow_level(yaml_par
+
+ /* Increase the flow level. */
+
++ if (parser->flow_level == INT_MAX) {
++ parser->error = YAML_MEMORY_ERROR;
++ return 0;
++ }
++
+ parser->flow_level++;
+
+ return 1;
+@@ -1204,8 +1209,8 @@ yaml_parser_decrease_flow_level(yaml_par
+ */
+
+ static int
+-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
+- int number, yaml_token_type_t type, yaml_mark_t mark)
++yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
++ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark)
+ {
+ yaml_token_t token;
+
+@@ -1224,6 +1229,11 @@ yaml_parser_roll_indent(yaml_parser_t *p
+ if (!PUSH(parser, parser->indents, parser->indent))
+ return 0;
+
++ if (column > INT_MAX) {
++ parser->error = YAML_MEMORY_ERROR;
++ return 0;
++ }
++
+ parser->indent = column;
+
+ /* Create a token and insert it into the queue. */
+@@ -1252,7 +1262,7 @@ yaml_parser_roll_indent(yaml_parser_t *p
+
+
+ static int
+-yaml_parser_unroll_indent(yaml_parser_t *parser, int column)
++yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column)
+ {
+ yaml_token_t token;
+
+@@ -2572,7 +2582,7 @@ yaml_parser_scan_tag_uri(yaml_parser_t *
+
+ /* Resize the string to include the head. */
+
+- while (string.end - string.start <= (int)length) {
++ while ((size_t)(string.end - string.start) <= length) {
+ if (!yaml_string_extend(&string.start, &string.pointer, &string.end)) {
+ parser->error = YAML_MEMORY_ERROR;
+ goto error;
+--- LibYAML/yaml_private.h
++++ LibYAML/yaml_private.h
+@@ -7,6 +7,7 @@
+
+ #include <assert.h>
+ #include <limits.h>
++#include <stddef.h>
+
+ /*
+ * Memory management.
diff --git a/YAML-LibYAML-0.38-CVE-2014-2525.patch b/YAML-LibYAML-0.38-CVE-2014-2525.patch
new file mode 100644
index 0000000..8dfa5b0
--- /dev/null
+++ b/YAML-LibYAML-0.38-CVE-2014-2525.patch
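Review bot: This patch file carries no provenance header, unlike YAML-LibYAML-0.38-CVE-2014-2525.patch in the same commit, which records Description, Origin, Author and Applied-Upstream; a backported security fix should say which upstream change it was taken from so a later rebase can verify it against the original rather than re-audit it. Prepend a header along the lines of `Description: CVE-2013-6393: overflow guards for the LibYAML stack growth, flow level and indent column` followed by `Origin: backport, <UPSTREAM-COMMIT-URL>` and `Applied-Upstream: <UPSTREAM-RELEASE>` (placeholders to be filled in from the upstream history). Separately, the new guards in yaml_parser_increase_flow_level and yaml_parser_roll_indent report input-driven limits as YAML_MEMORY_ERROR, which callers will read as an allocation failure; since no more specific error code is visible here, a comment such as `/* Not an allocation failure: the nesting limit was hit; YAML_MEMORY_ERROR is reused for lack of a dedicated code. */` would stop the next reader from "correcting" it. All of the guarded functions begin and end outside the hunks shown.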
@@ -0,0 +1,38 @@
+Description: CVE-2014-2525: Fixes heap overflow in yaml_parser_scan_uri_escapes
+ The heap overflow is caused by not properly expanding a string before
+ writing to it in function yaml_parser_scan_uri_escapes in scanner.c.
+
+Origin: backport, https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048
+Author: Salvatore Bonaccorso <carnil@xxxxxxxxxx>
+Last-Update: 2014-03-20
+Applied-Upstream: 0.1.6
+
+--- LibYAML/scanner.c
++++ LibYAML/scanner.c
+@@ -2617,6 +2617,9 @@ yaml_parser_scan_tag_uri(yaml_parser_t *
+ /* Check if it is a URI-escape sequence. */
+
+ if (CHECK(parser->buffer, '%')) {
++ if (!STRING_EXTEND(parser, string))
++ goto error;
++
+ if (!yaml_parser_scan_uri_escapes(parser,
+ directive, start_mark, &string)) goto error;
+ }
+--- LibYAML/yaml_private.h
++++ LibYAML/yaml_private.h
+@@ -127,9 +127,12 @@ yaml_string_join(
+ (string).start = (string).pointer = (string).end = 0)
+
+ #define STRING_EXTEND(context,string) \
+- (((string).pointer+5 < (string).end) \
++ ((((string).pointer+5 < (string).end) \
+ || yaml_string_extend(&(string).start, \
+- &(string).pointer, &(string).end))
++ &(string).pointer, &(string).end)) ? \
++ 1 : \
++ ((context)->error = YAML_MEMORY_ERROR, \
++ 0))
+
+ #define CLEAR(context,string) \
+ ((string).pointer = (string).start, \
diff --git a/perl-YAML-LibYAML.spec b/perl-YAML-LibYAML.spec
index 28a77e1..f069d96 100644
--- a/perl-YAML-LibYAML.spec
+++ b/perl-YAML-LibYAML.spec
@@ -1,12 +1,14 @@
 Name: perl-YAML-LibYAML
 Version: 0.38
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Perl YAML Serialization using XS and libyaml
 License: GPL+ or Artistic
 Group: Development/Libraries
 URL: http://search.cpan.org/dist/YAML-LibYAML/
 Source0: http://search.cpan.org/CPAN/authors/id/I/IN/INGY/YAML-LibYAML-%{version}.tar.gz
 Patch0: YAML-LibYAML-0.35-format-error.patch
+Patch1: YAML-LibYAML-0.38-CVE-2014-2525.patch
+Patch2: YAML-LibYAML-0.38-CVE-2013-6393.patch
 
 # Install
 BuildRequires: perl(Cwd)
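Review bot: The STRING_EXTEND call added before yaml_parser_scan_uri_escapes guarantees only the headroom the macro tests for (`(string).pointer+5 < (string).end`), so the fix holds only if that helper writes no more than that into string per call; the helper is outside this patch, so the coupling is invisible at the call site. Add a comment on the new line, e.g. `/* scan_uri_escapes writes into string without growing it; make sure the headroom STRING_EXTEND guarantees is there first (CVE-2014-2525). */`, and re-check the bound against the helper's write loop whenever the patch is rebased. The macro rewrite in yaml_private.h is correctly parenthesised and now sets (context)->error to YAML_MEMORY_ERROR on failure, which matches how the yaml_string_extend failure in the scanner.c hunk of the sibling patch is reported. yaml_parser_scan_tag_uri begins and ends outside the hunk.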
@@ -50,6 +52,12 @@ bound to Python and was later bound to Ruby.
 
 # Fix format string vulnerabilities (CVE-2012-1152, CPAN RT#46507)
 %patch0 -p1
+# Fix LibYAML input sanitization errors (CVE-2014-2525)
+%patch1
+
+# Fix heap-based buffer overflow when parsing YAML tags (CVE-2013-6393)
+%patch2
+
 %build
 perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}"
 make %{?_smp_mflags}
@@ -71,6 +79,10 @@ make test
 %{_mandir}/man3/YAML::XS::LibYAML.3pm*
 
 %changelog
+* Thu Mar 27 2014 Paul Howarth <paul@xxxxxxxxxxxx> - 0.38-4
+- Fix LibYAML input sanitization errors (CVE-2014-2525)
+- Fix heap-based buffer overflow when parsing YAML tags (CVE-2013-6393)
+
 * Mon Jun 11 2012 Petr Pisar <ppisar@xxxxxxxxxx> - 0.38-3
 - Perl 5.16 rebuild
 - Build-require Data::Dumper
@@ -109,7 +121,7 @@ make test
 * Wed Sep 29 2010 jkeating - 0.34-2
 - Rebuilt for gcc bug 634757
 
-* Fri Sep 23 2010 Marcela Mašláňová <mmaslano@xxxxxxxxxx> - 0.34-1
+* Fri Sep 24 2010 Marcela Mašláňová <mmaslano@xxxxxxxxxx> - 0.34-1
 - update
 
 * Thu Jun 3 2010 Marcela Maslanova <mmaslano@xxxxxxxxxx> - 0.33-1
-- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/perl-devel
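Review bot: `%patch1` and `%patch2` rely on rpm's default strip level while the existing `%patch0 -p1` spells it out, so the prep section now mixes implicit and explicit conventions; the two new patch files use bare `LibYAML/scanner.c` paths, so the default (-p0 in the rpm versions I am aware of) is presumably what is intended, but that is not visible to a reader of the spec. Write `%patch1 -p0` and `%patch2 -p0` so the strip level sits next to each CVE comment. The patches are applied as 2014-2525 then 2013-6393, and both touch LibYAML/yaml_private.h at different hunks; if that order was chosen so the hunks apply cleanly, a one-line comment saying so would save the next packager from reordering them.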