Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 531340 (CVE-2014-9130) - <dev-libs/libyaml-0.1.7: assert failure when processing wrapped strings (CVE-2014-9130)
Summary: <dev-libs/libyaml-0.1.7: assert failure when processing wrapped strings (CVE-...
Status: RESOLVED FIXED
Alias: CVE-2014-9130
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-01 13:41 UTC by Agostino Sarubbo
Modified: 2017-01-24 07:53 UTC (History)
1 user (show)

See Also:
Package list:
=dev-libs/libyaml-0.1.7
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-12-01 13:41:25 UTC
From ${URL} :

An assertion failure was found in the way the libyaml library parsed wrapped strings. An attacker 
able to load specially crafted YAML input into an application using libyaml could cause the 
application to crash.

This issue was reported upstream at [1]; a patch that fixes this issue is available at [2].

[1] https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
[2] https://github.com/yaml/libyaml/commit/e6aa721cc0e5a48f408c52355559fd36780ba32a


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-01 21:07:54 UTC
CVE-2014-9130 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9130):
  scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka
  YAML-XS) module for Perl, allows context-dependent attackers to cause a
  denial of service (assertion failure and crash) via vectors involving
  line-wrapping.
Comment 2 Thomas Deutschmann gentoo-dev Security 2016-11-23 00:43:30 UTC
This was fixed via https://github.com/yaml/libyaml/commit/946596172d140497b560e016e581accb0a92cca4 which was first released with v0.1.7.


@ Arches,

please test and mark stable: =dev-libs/libyaml-0.1.7
Comment 3 Tobias Klausmann gentoo-dev 2016-11-23 18:01:47 UTC
Stable on alpha.
Comment 4 Agostino Sarubbo gentoo-dev 2016-11-25 18:28:37 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-11-25 18:55:26 UTC
x86 stable
Comment 6 Markus Meier gentoo-dev 2016-11-29 17:31:46 UTC
arm stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-07 09:44:30 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2017-01-11 10:37:25 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-15 15:51:08 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-01-17 14:25:37 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-18 10:03:37 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-24 07:53:43 UTC
tree is clean

GLSA Vote: No