| Summary: | perl-YAML-LibYAML new security issues CVE-2013-6393 and CVE-2014-2525 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, jquelin, mageia, shlomif, sysadmin-bugs, thomas |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/583997/ | ||
| Whiteboard: | MGA3TOO advisory has_procedure mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok has_procedure | ||
| Source RPM: | perl-YAML-LibYAML | CVE: | |
| Status comment: | |||
| Attachments: | The bash script with the test procedure. | ||
|
Description

David Walser
2014-03-10 16:37:48 CET

---

David Walser
2014-03-10 16:37:58 CET

CC: (none) => thomas

---

The embedded copy of libyaml is in perl-YAML-LibYAML, not perl-YAML (a pure-perl implementation). Package patched for cauldron, mga4 and mga3. Packages currently building; they should be available soon in core/updates_testing of the relevant Mageia version (except cauldron, of course).

CC: (none) => jquelin

---

Thanks Jerome! It's hard to tell with Debian's strange package names :o)

Advisory:

========================

Updated perl-YAML-LibYAML packages fix security vulnerabilities:

Florian Weimer of the Red Hat Product Security Team discovered a heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a YAML document with a specially-crafted tag that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application (CVE-2013-6393).

The perl-YAML-LibYAML package is being updated as it contains an embedded copy of LibYAML.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6393
http://www.debian.org/security/2014/dsa-2870

========================

Updated packages in core/updates_testing:

========================

perl-YAML-LibYAML-0.380.0-3.1.mga3
perl-YAML-LibYAML-0.410.0-2.1.mga4

from SRPMS:
perl-YAML-LibYAML-0.380.0-3.1.mga3.src.rpm
perl-YAML-LibYAML-0.410.0-2.1.mga4.src.rpm

Version: Cauldron => 4

---

For reference, it seems to me that Debian names its perl packages like this: lib<name>-<of>-<the>-<dist>-perl in lowercase (where Mageia uses perl-<name>-<of>-<the>-<dist>). So for upstream dist YAML-LibYAML, you get:

- mageia: perl-YAML-LibYAML
- debian: libyaml-libyaml-perl (yeah, that's ugly)

hth,
Jérôme

---

Dave Hodgins
2014-03-20 20:54:30 CET

CC: (none) => davidwhodgins

---

It may also be affected by CVE-2014-2525:
http://openwall.com/lists/oss-security/2014/03/26/12

Jerome, could you look into it? The libyaml commit to fix it is linked there.

Whiteboard: MGA3TOO advisory => MGA3TOO advisory feedback

---

It is indeed affected. Debian has issued an advisory for this on March 26:
http://www.debian.org/security/2014/dsa-2885
from http://lwn.net/Vulnerabilities/592273/

CC: (none) => qa-bugs

---

Package up to date in cauldron, and the following packages pushed to core/updates_testing:

- perl-YAML-LibYAML-0.380.0-3.2.mga3
- perl-YAML-LibYAML-0.410.0-2.2.mga4

Please validate & push.

Assignee: jquelin => qa-bugs

---

Thanks Jerome!

Advisory:

========================

Updated perl-YAML-LibYAML packages fix security vulnerabilities:

Florian Weimer of the Red Hat Product Security Team discovered a heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a YAML document with a specially-crafted tag that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application (CVE-2013-6393).

Ivan Fratric of the Google Security Team discovered a heap-based buffer overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application (CVE-2014-2525).

The perl-YAML-LibYAML package is being updated as it contains an embedded copy of LibYAML.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6393
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2525
http://www.debian.org/security/2014/dsa-2870
http://www.debian.org/security/2014/dsa-2885

========================

Updated packages in core/updates_testing:

========================

perl-YAML-LibYAML-0.380.0-3.2.mga3
perl-YAML-LibYAML-0.410.0-2.2.mga4

from SRPMS:
perl-YAML-LibYAML-0.380.0-3.2.mga3.src.rpm
perl-YAML-LibYAML-0.410.0-2.2.mga4.src.rpm

CC: qa-bugs => (none)

---

David Walser
2014-03-31 15:25:30 CEST

Summary: perl-YAML-LibYAML new security issue CVE-2013-6393 => perl-YAML-LibYAML new security issues CVE-2013-6393 and CVE-2014-2525

---

Advisory uploaded.

Whiteboard: MGA3TOO => MGA3TOO advisory

---

Created attachment 5090
The bash script with the test procedure.

This is the test procedure I created for the bug; it just downloads and runs the test suite from the YAML-LibYAML distribution. It is mostly automated. I tested it on Mageia 4 x86-64.

Regards,
-- Shlomi Fish

CC: (none) => shlomif

---

Add mga-4-ok and has_procedure.

Whiteboard: MGA3TOO advisory => MGA3TOO advisory mga4-64-ok has_procedure

---

Mga-4-32 is OK too.

Whiteboard: MGA3TOO advisory mga4-64-ok has_procedure => MGA3TOO advisory mga4-64-ok mga4-32-ok has_procedure

---

Testing complete mga3 32.

mga3 32 shows this, which looks to be due to the older version; it seems to be looking at a changelog and finding 0.41, but the system has version 0.38.

```text
t/changes.t .......... 1/5
#   Failed test 'There are 37 Changes entries'
#   at t/changes.t line 12.
#   Failed test 'Changes file is up to date with current YAML::XS::VERSION'
#   at t/changes.t line 14.
#          got: '0.41'
#     expected: '0.38'
# Looks like you failed 2 tests of 5.
t/changes.t .......... Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/5 subtests
```

All other tests pass OK.

Whiteboard: MGA3TOO advisory mga4-64-ok mga4-32-ok has_procedure => MGA3TOO advisory mga3-32-ok mga4-64-ok mga4-32-ok has_procedure

---

Testing complete mga3 64. Thanks for the procedure Shlomi! Validating.

Could sysadmin please push to 3 & 4 updates. Thanks.

Keywords: (none) => validated_update

---

http://advisories.mageia.org/MGASA-2014-0154.html

Status: NEW => RESOLVED
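As an added example (not Shlomi's attached script and not Mageia project code), here is a bash QA helper in the spirit of the procedure above: it classifies an installed perl-YAML-LibYAML package against the fixed releases named in the advisory, and it evaluates a prove run of the upstream YAML-LibYAML test suite while discounting the t/changes.t failure seen on mga3, which only compares the dist's Changes file with the installed YAML::XS::VERSION. The function names are mine; it assumes GNU `sort -V`, Test::Harness's `prove`, and a dist tarball fetched separately.

```shell
#!/bin/bash
# Added example (not the attached QA script): check the installed
# perl-YAML-LibYAML against the fixed releases from this bug and run the
# upstream test suite against the system-installed YAML::XS.
# Fixed version-release per Mageia release, as listed in the advisory.
fixed_vr_for_dist() {
    case "$1" in
        mga3) echo "0.380.0-3.2" ;;
        mga4) echo "0.410.0-2.2" ;;
        *)    return 1 ;;
    esac
}

# Input: an NVR as printed by `rpm -q perl-YAML-LibYAML`, for example
# perl-YAML-LibYAML-0.380.0-3.1.mga3. Prints "fixed" or "vulnerable";
# returns 2 for a dist tag this bug does not cover. Assumes GNU sort -V.
package_status() {
    local nvr=$1 vr dist fixed
    vr=${nvr#perl-YAML-LibYAML-}   # version-release.dist
    dist=${vr##*.}                  # mga3 / mga4
    vr=${vr%.*}                     # version-release
    fixed=$(fixed_vr_for_dist "$dist") || return 2
    # In version order the fixed release sorts first exactly when the
    # installed release is equal to or newer than it.
    if [ "$(printf '%s\n%s\n' "$fixed" "$vr" | sort -V | head -n1)" = "$fixed" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Read prove output on stdin; succeed when no test file failed apart from
# t/changes.t, which only compares the dist's Changes file with the
# installed YAML::XS::VERSION and fails when the downloaded dist is newer
# than the installed module (the mga3 result above), not because of the parser.
no_real_failures() {
    ! grep -E '^t/.*(Dubious|Failed)' | grep -v '^t/changes\.t' | grep -q .
}

# Unpack an upstream YAML-LibYAML tarball (fetched separately, ideally
# matching the installed YAML::XS version) and run its tests against the
# installed module: prove without -b/-l loads the system YAML::XS.
run_upstream_tests() {
    local tarball=$1 dir
    command -v prove >/dev/null || return 1
    dir=$(mktemp -d) || return 1
    tar -xzf "$tarball" -C "$dir" || return 1
    ( cd "$dir"/YAML-LibYAML-* && prove -r t 2>&1 ) | tee "$dir/prove.log" | no_real_failures
}
```

On the box under test, `package_status "$(rpm -q perl-YAML-LibYAML)"` gives the package verdict, and `run_upstream_tests YAML-LibYAML-<version>.tar.gz` leaves the full prove log in the temporary directory for inspection.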