libyaml: fix cve-2014-1930
Vinay Kulkarni authored and Sharath George committed Aug 15, 2015
1 parent 1b77dd1 commit 7940b25
Showing 2 changed files with 33 additions and 1 deletion.
28 changes: 28 additions & 0 deletions SPECS/libyaml/cve-2014-9130.patch
@@ -0,0 +1,28 @@
From e6aa721cc0e5a48f408c52355559fd36780ba32a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ingy=20d=C3=B6t=20Net?= <ingy@ingy.net>
Date: Fri, 28 Nov 2014 09:21:49 -0800
Subject: [PATCH] Fix for https://bitbucket.org/xi/libyaml/issue/10/

https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure

Commenting out the assert makes the scanner do the right thing and
results in just a simple parse failure.
---
src/scanner.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/scanner.c b/src/scanner.c
index 88d4fa5..c5f3d2f 100644
--- a/src/scanner.c
+++ b/src/scanner.c
@@ -1110,7 +1110,9 @@ yaml_parser_save_simple_key(yaml_parser_t *parser)
* line. Therefore it is always allowed. But we add a check anyway.
*/

- assert(parser->simple_key_allowed || !required); /* Impossible. */
+ /* XXX This caused:
+ * https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
+ assert(parser->simple_key_allowed || !required); */ /* Impossible. */

/*
* If the current position may start a simple key, save it.
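Review bot: In yaml_parser_save_simple_key the assert is commented out rather than removed or replaced by an explicit check, so the case where a simple key is required but not allowed is now left to whatever the later scanner code does with it, which the commit message describes as a simple parse failure. Since the linked issue shows the condition is reachable from input, consider rejecting it here with an explicit scanner error so that the failure is deliberate and survives refactoring. The leftover trailing comment "/* Impossible. */" and the context line "Therefore it is always allowed. But we add a check anyway." now contradict the change and should be reworded or dropped. An assert is also compiled out when NDEBUG is defined, so builds already differed on this input before the patch; a regression test using a wrapped-string input from the issue would pin the intended behaviour.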
6 changes: 5 additions & 1 deletion SPECS/libyaml/libyaml.spec
@@ -1,13 +1,14 @@
Summary: Implementation of a YAML 1.1 parser and emitter
Name: libyaml
Version: 0.1.6
Release: 1%{?dist}
Release: 2%{?dist}
License: MIT/X Consortium
Group: Development/Libraries
URL: http://pyyaml.org/wiki/LibYAML

Source0: http://pyyaml.org/download/libyaml/yaml-%{version}.tar.gz
%define sha1 yaml=f3d404e11bec3c4efcddfd14c42d46f1aabe0b5d
Patch0: cve-2014-9130.patch

%description
LibYAML is a C library implementation of a YAML 1.1 parser and emitter.
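Review bot: The Patch0 line has no comment saying where cve-2014-9130.patch comes from. Add one above it that points at the upstream commit (e6aa721cc0e5a48f408c52355559fd36780ba32a according to the patch header) or at the bitbucket issue, so that a later version bump can tell whether the patch is still needed. The %define sha1 line pins only the source tarball, so the integrity of the patch file rests on repository review alone.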
@@ -25,6 +26,7 @@ you will need to install %{name}-devel.

%prep
%setup -n yaml-%{version}
%patch0 -p1

%build
%configure --disable-static
@@ -53,5 +55,7 @@ you will need to install %{name}-devel.
%exclude %{_libdir}/*.la

%changelog
* Fri Aug 14 2015 Vinay Kulkarni <kulkarniv@vmware.com> 0.1.6-2
- Fix cve-2014-9130.
* Mon Apr 6 2015 Divya Thaluru <dthaluru@vmware.com> 0.1.6-1
- Initial package for Photon.
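Review bot: The changelog entry and the patch file name say cve-2014-9130, but the commit subject says cve-2014-1930. Correct the subject so that searching the history for the CVE id finds this commit. The entry could also name the patch file and the upstream issue it addresses, and the id is conventionally written in upper case as CVE-2014-9130.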
