Bug 12583 - libyaml new security issue CVE-2013-6393
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 4
: i586 Linux
: Normal Severity: critical
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/583997/
: MGA3TOO advisory has_procedure MGA3-3...
: validated_update
Reported: 2014-02-04 22:21 CET by David Walser
Modified: 2014-02-08 20:34 CET (History)

See Also:
Source RPM: yaml-0.1.4-6.mga3.src.rpm
CVE:


Description David Walser 2014-02-04 22:21:53 CET
Debian has issued an advisory on January 31:
http://www.debian.org/security/2014/dsa-2850

They have patches, as does RedHat in their bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1033990

which also indicates that these issues are fixed upstream in 0.1.5.

Mageia 3 and Mageia 4 are also affected.

Comment 1 Thomas Spuhler 2014-02-05 18:27:13 CET
I have uploaded an updated package for Mageia 3/Mageia 4 and Cauldron.

Advisory:
========================

Updated yaml packages fix security vulnerabilities (CVE-2013-6393):
These are the affected packages:
yaml-0.1.5-1.mga(x).src.rpm
lib64yaml0_2-0.1.5-1.mga
lib64yaml-devel-0.1.5-1.mga
yaml-debuginfo-0.1.5-1.mga
Comment 2 David Walser 2014-02-05 18:41:39 CET
Thanks Thomas!

Here's the full advisory.

Advisory:
========================

Updated libyaml packages fix security vulnerabilities:

Florian Weimer of the Red Hat Product Security Team discovered a heap-based
buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library.
A remote attacker could provide a YAML document with a specially-crafted tag
that, when parsed by an application using libyaml, would cause the application
to crash or, potentially, execute arbitrary code with the privileges of the
user running the application (CVE-2013-6393).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6393
http://www.debian.org/security/2014/dsa-2850
========================

Updated packages in core/updates_testing:
========================
libyaml0_2-0.1.5-1.mga3
libyaml-devel-0.1.5-1.mga3
yaml-debuginfo-0.1.5-1.mga3
libyaml0_2-0.1.5-1.mga4
libyaml-devel-0.1.5-1.mga4
yaml-debuginfo-0.1.5-1.mga4

from SRPMS:
yaml-0.1.5-1.mga3.src.rpm
yaml-0.1.5-1.mga4.src.rpm
Comment 3 Samuel Verschelde 2014-02-06 12:49:41 CET
libyaml0_2 is used in:

php-yaml
python-yaml
suricata

which in turn are required by:

openerp-server
python-nltk
unknown-horizons
w3af
w3af-gui
weboob

---

Testing mga3 32 bits with php-yaml and php-cli and the example from http://www.php.net/manual/en/yaml.examples.php (put it in a test.php file beginning with "<?php" and execute with "php test.php")
Comment 4 Samuel Verschelde 2014-02-06 13:00:55 CET
(In reply to Samuel VERSCHELDE from comment #3)
> libyaml0_2 is used in:
> 
> php-yaml
> python-yaml
> suricata
> 
> which in turn are required by:
> 
> openerp-server
> python-nltk
> unknown-horizons
> w3af
> w3af-gui
> weboob
> 

This list is wrong, I made it from mga2. Actual list is far bigger. Get it with: urpmq --whatrequires-recursive libyaml0_2.
Comment 5 Samuel Verschelde 2014-02-06 13:04:13 CET
Testing complete mga3 32 and mga4 32 using example from comment #3
Comment 6 Paul Blackburn 2014-02-07 16:36:39 CET
starting test on mga3 64
Comment 7 Paul Blackburn 2014-02-07 17:34:17 CET
On Mageia 3 x86_64:

Step-1:
Installed updates_testing version of Libyaml with:
urpmi rsync://distrib-coffee.ipsl.jussieu.fr::mageia/distrib/3/x86_64/media/core/updates_testing/lib64yaml0_2-0.1.5-1.mga3.x86_64.rpm

Step-2:
Installed 
urpmi php-yaml php-cli

Step-3:
Created "test.php" from example at http://www.php.net/manual/en/yaml.examples.php

Step-4:
Ran test: php test.php

Step-5:
Compared output from step-4 (above) with output shown at:
http://www.php.net/manual/en/yaml.examples.php

Step-6: confirmed test output same as on example page (step-5).
Comment 8 Paul Blackburn 2014-02-07 17:57:00 CET
starting test on mga4 64
Comment 9 Paul Blackburn 2014-02-07 18:14:09 CET
On Mageia 4 x86_64:

Step-1:
Installed updates_testing version of Libyaml with:
urpmi rsync://distrib-coffee.ipsl.jussieu.fr::mageia/distrib/4/x86_64/media/core/updates_testing/lib64yaml0_2-0.1.5-1.mga4.x86_64.rpm

Steps 2,3,4,5 same as in comment 7 (above).

Step-6: confirmed test output same as on example page (step-5).
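The QA steps in comments 7 and 9 install the updates_testing build by hand and eyeball the result. As an added helper (not from the bug or from Mageia), the script below takes the version-release string that `rpm -q --qf '%{VERSION}-%{RELEASE}'` prints for `libyaml0_2`/`lib64yaml0_2` and reports whether the upstream part is at or past 0.1.5, the version the bug identifies as carrying the CVE-2013-6393 fix; the package names, query format and the constructed sample strings are assumptions.

```sh
#!/bin/sh
# Constructed QA helper, not part of the bug report or the Mageia packages.
# Decides whether an installed libyaml package already carries the
# CVE-2013-6393 fix, which per the bug arrived with upstream 0.1.5.
FIXED_VERSION="0.1.5"

# vercmp A B: compare two dotted numeric versions field by field,
# printing -1, 0 or 1. Numeric compare, so 0.1.10 > 0.1.5 (string
# compare would get that wrong). Assumes purely numeric fields.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        ai=${ai:-0}; bi=${bi:-0}          # missing field counts as 0
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
    done
    echo 0
}

# libyaml_fixed EVR: EVR is "version-release" as rpm prints it,
# e.g. "0.1.4-6.mga3" (vulnerable) or "0.1.5-1.mga4" (fixed).
# Only the upstream version matters here, so the release tag is dropped.
# Exit status 0 = fixed, 1 = still vulnerable.
libyaml_fixed() {
    upstream=${1%%-*}
    [ "$(vercmp "$upstream" "$FIXED_VERSION")" -ge 0 ]
}

# Stand-alone use on a Mageia box: query whichever libyaml package is
# installed (32-bit or 64-bit name) and print a verdict per package.
for pkg in libyaml0_2 lib64yaml0_2; do
    if command -v rpm >/dev/null 2>&1 &&
       evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null); then
        if libyaml_fixed "$evr"; then
            echo "$pkg $evr: fixed (>= $FIXED_VERSION)"
        else
            echo "$pkg $evr: VULNERABLE to CVE-2013-6393, update needed"
        fi
    fi
done
```

Run it after `urpmi` of the updates_testing package and before the php/python round-trip test, so a wrong or stale package gets caught before any parser output is compared.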
Comment 10 claire robinson 2014-02-08 16:38:10 CET
Advisory uploaded. Validating.

Could sysadmin please push from 3&4 core/updates_testing to updates

Thanks
Comment 11 Thomas Backlund 2014-02-08 20:34:37 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0040.html
