Bug 12583 - libyaml new security issue CVE-2013-6393
Summary: libyaml new security issue CVE-2013-6393
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/583997/
Whiteboard: MGA3TOO advisory has_procedure MGA3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-02-04 22:21 CET by David Walser
Modified: 2014-02-08 20:34 CET
CC List: 5 users

See Also:
Source RPM: yaml-0.1.4-6.mga3.src.rpm
CVE:
Status comment:



Description David Walser 2014-02-04 22:21:53 CET
Debian has issued an advisory on January 31:
http://www.debian.org/security/2014/dsa-2850

They have patches, as does RedHat in their bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1033990

which also indicates that these issues are fixed upstream in 0.1.5.

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-02-04 22:22:00 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Thomas Spuhler 2014-02-05 17:52:14 CET

Status: NEW => ASSIGNED

Comment 1 Thomas Spuhler 2014-02-05 18:27:13 CET
I have uploaded an updated package for Mageia 3/ Mageia 4 and Cauldron.

Advisory:
========================

Updated yaml packages fix security vulnerabilities (CVE-2013-6393):
These are the affected packages:
yaml-0.1.5-1.mga(x).src.rpm
lib64yaml0_2-0.1.5-1.mga
lib64yaml-devel-0.1.5-1.mga
yaml-debuginfo-0.1.5-1.mga

Assignee: thomas => qa-bugs

Comment 2 David Walser 2014-02-05 18:41:39 CET
Thanks Thomas!

Here's the full advisory.

Advisory:
========================

Updated libyaml packages fix security vulnerabilities:

Florian Weimer of the Red Hat Product Security Team discovered a heap-based
buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library.
A remote attacker could provide a YAML document with a specially-crafted tag
that, when parsed by an application using libyaml, would cause the application
to crash or, potentially, execute arbitrary code with the privileges of the
user running the application (CVE-2013-6393).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6393
http://www.debian.org/security/2014/dsa-2850
========================

Updated packages in core/updates_testing:
========================
libyaml0_2-0.1.5-1.mga3
libyaml-devel-0.1.5-1.mga3
yaml-debuginfo-0.1.5-1.mga3
libyaml0_2-0.1.5-1.mga4
libyaml-devel-0.1.5-1.mga4
yaml-debuginfo-0.1.5-1.mga4

from SRPMS:
yaml-0.1.5-1.mga3.src.rpm
yaml-0.1.5-1.mga4.src.rpm

CC: (none) => thomas
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 3 Samuel Verschelde 2014-02-06 12:49:41 CET
libyaml0_2 is used in:

php-yaml
python-yaml
suricata

which in turn are required by:

openerp-server
python-nltk
unknown-horizons
w3af
w3af-gui
weboob

---

Testing mga3 32-bit with php-yaml and php-cli and the example from http://www.php.net/manual/en/yaml.examples.php (put it in a test.php file beginning with "<?php" and execute with "php test.php")

CC: (none) => stormi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 4 Samuel Verschelde 2014-02-06 13:00:55 CET
(In reply to Samuel VERSCHELDE from comment #3)
> libyaml0_2 is used in:
> 
> php-yaml
> python-yaml
> suricata
> 
> which in turn are required by:
> 
> openerp-server
> python-nltk
> unknown-horizons
> w3af
> w3af-gui
> weboob
> 

This list is wrong, I made it from mga2. The actual list is far bigger. Get it with: urpmq --whatrequires-recursive libyaml0_2.

Comment 5 Samuel Verschelde 2014-02-06 13:04:13 CET
Testing complete on mga3 32-bit and mga4 32-bit using the example from comment #3

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK

Comment 6 Paul Blackburn 2014-02-07 16:36:39 CET
starting test on mga3 64

CC: (none) => paul.blackburn

Comment 7 Paul Blackburn 2014-02-07 17:34:17 CET
On Mageia 3 x86_64:

Step-1:
Installed the updates_testing version of libyaml with:
urpmi rsync://distrib-coffee.ipsl.jussieu.fr::mageia/distrib/3/x86_64/media/core/updates_testing/lib64yaml0_2-0.1.5-1.mga3.x86_64.rpm

Step-2:
Installed php-yaml and php-cli:
urpmi php-yaml php-cli

Step-3:
Created "test.php" from the example at http://www.php.net/manual/en/yaml.examples.php

Step-4:
Ran the test: php test.php

Step-5:
Compared the output from step-4 (above) with the output shown at:
http://www.php.net/manual/en/yaml.examples.php

Step-6: confirmed the test output is the same as on the example page (step-5).
Samuel Verschelde 2014-02-07 17:35:50 CET

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA3-64-OK

Comment 8 Paul Blackburn 2014-02-07 17:57:00 CET
starting test on mga4 64

Comment 9 Paul Blackburn 2014-02-07 18:14:09 CET
On Mageia 4 x86_64:

Step-1:
Installed the updates_testing version of libyaml with:
urpmi rsync://distrib-coffee.ipsl.jussieu.fr::mageia/distrib/4/x86_64/media/core/updates_testing/lib64yaml0_2-0.1.5-1.mga4.x86_64.rpm

Steps 2, 3, 4 and 5 same as in comment 7 (above).

Step-6: confirmed the test output is the same as on the example page (step-5).
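The hand-run QA procedure above (check the installed libyaml version, list what depends on it, exercise the parser through php-yaml) can be scripted. The script below is an added example and is not part of the bug report or of Mageia's own tooling. It assumes an rpm-based host with the package names quoted in this bug (lib64yaml0_2 on x86_64, libyaml0_2 on i586), treats 0.1.5 as the first fixed upstream release per the RedHat bug cited in the description, and skips the urpmq and php-yaml steps when those tools are absent. The php-yaml smoke test is a constructed document with explicit YAML 1.1 tags (the code path the advisory names), checked against expected values instead of a web page; it is a sanity check of the updated library, not a reproducer for the overflow.

```shell
#!/bin/sh
# Added example, not from the bug report or from Mageia: automates the QA
# steps done by hand in this bug. Assumes an rpm-based host; urpmq and
# php-yaml are optional and skipped when not installed.

# First upstream release carrying the CVE-2013-6393 fix (see the description).
FIXED_VERSION="0.1.5"

# vercmp_ge A B: return 0 if A >= B. Versions are dot-separated numeric
# components; an rpm release suffix after '-' (e.g. "-6.mga3") is ignored.
# Assumption: components are plain integers (no "rc1"-style suffixes).
vercmp_ge() {
    a="${1%%-*}"; b="${2%%-*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$ah" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bh" = "$b" ]; then b=""; else b="${b#*.}"; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then return 0; fi
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then return 1; fi
    done
    return 0
}

# libyaml_fixed VERSION: return 0 if VERSION already carries the fix.
libyaml_fixed() {
    vercmp_ge "$1" "$FIXED_VERSION"
}

# libyaml_pkg: print the name of the installed runtime package, if any
# (lib64yaml0_2 on x86_64, libyaml0_2 on i586).
libyaml_pkg() {
    for pkg in lib64yaml0_2 libyaml0_2; do
        if rpm -q "$pkg" >/dev/null 2>&1; then
            printf '%s\n' "$pkg"
            return 0
        fi
    done
    return 1
}

# php_yaml_smoke: parse a constructed document with explicit YAML 1.1 tags
# through php-yaml (the consumer the testers used) and check the parsed
# values instead of eyeballing output. Returns php's exit status.
php_yaml_smoke() {
    php -r '
        $d = yaml_parse("count: !!int \"42\"\nname: !!str 42\n");
        exit(($d["count"] === 42 && $d["name"] === "42") ? 0 : 1);
    '
}

main() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; nothing to check on this host"
        return 0
    fi
    if ! pkg=$(libyaml_pkg); then
        echo "no libyaml runtime package installed"
        return 0
    fi
    ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$pkg")
    if libyaml_fixed "$ver"; then
        echo "$pkg $ver: carries the CVE-2013-6393 fix (>= $FIXED_VERSION)"
    else
        echo "$pkg $ver: predates $FIXED_VERSION, CVE-2013-6393 still open"
        return 1
    fi
    # The reverse-dependency list from comment 4: everything here loads the
    # shared library and needs a restart (or its own test) after the update.
    if command -v urpmq >/dev/null 2>&1; then
        echo "packages that pull in $pkg:"
        urpmq --whatrequires-recursive "$pkg"
    fi
    if command -v php >/dev/null 2>&1 && php -m 2>/dev/null | grep -qi '^yaml$'; then
        if php_yaml_smoke; then
            echo "php-yaml tag parsing: OK"
        else
            echo "php-yaml tag parsing: FAILED"
            return 1
        fi
    fi
}

main "$@"
```

Run it as root on each architecture after installing the candidate package; a non-zero exit means either the old version is still installed or the php-yaml check failed. The version comparison deliberately drops the rpm release so that 0.1.4-6.mga3 (the Source RPM listed at the top of this bug) is reported as vulnerable and 0.1.5-1.mga3/mga4 as fixed.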
Samuel Verschelde 2014-02-07 19:34:05 CET

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA3-64-OK MGA4-64-OK

Comment 10 claire robinson 2014-02-08 16:38:10 CET
Advisory uploaded. Validating.

Could sysadmin please push from 3&4 core/updates_testing to updates

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

claire robinson 2014-02-08 16:46:15 CET

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA3-64-OK MGA4-64-OK => MGA3TOO advisory has_procedure MGA3-32-OK MGA4-32-OK MGA3-64-OK MGA4-64-OK

Comment 11 Thomas Backlund 2014-02-08 20:34:37 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0040.html

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

