Debian has issued an advisory on March 8: http://www.debian.org/security/2014/dsa-2870

This is the same issue we (and others) fixed in libyaml in Bug 12583. Debian issued this advisory because they have an embedded copy of libyaml in their perl YAML package. If we do as well, we'll need to patch it for the security issue, or better yet, to use system libyaml if possible.
CC: (none) => thomas
The embedded copy of libyaml is in perl-YAML-LibYAML, not perl-YAML (a pure-perl implementation). Package patched for cauldron, mga4 and mga3. Packages currently building, should be available soon in core/updates_testing of the relevant mageia version (except cauldron of course).
CC: (none) => jquelin
Assignee: jquelin => qa-bugs
Source RPM: perl-YAML-0.900.0-1.mga5.src.rpm => perl-YAML-LibYAML
Thanks Jerome! It's hard to tell with Debian's strange package names :o)

Advisory:
========================

Updated perl-YAML-LibYAML packages fix security vulnerabilities:

Florian Weimer of the Red Hat Product Security Team discovered a heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a YAML document with a specially-crafted tag that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application (CVE-2013-6393).

The perl-YAML-LibYAML package is being updated as it contains an embedded copy of LibYAML.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6393
http://www.debian.org/security/2014/dsa-2870
========================

Updated packages in core/updates_testing:
========================
perl-YAML-LibYAML-0.380.0-3.1.mga3
perl-YAML-LibYAML-0.410.0-2.1.mga4

from SRPMS:
perl-YAML-LibYAML-0.380.0-3.1.mga3.src.rpm
perl-YAML-LibYAML-0.410.0-2.1.mga4.src.rpm
Version: Cauldron => 4
Summary: perl-YAML new security issue CVE-2013-6393 => perl-YAML-LibYAML new security issue CVE-2013-6393
Whiteboard: (none) => MGA3TOO
For the reference, it seems to me that debian names its perl package like that: lib<name>-<of>-<the>-<dist>-perl in lowercase (where mageia uses perl-<name>-<of>-<the>-<dist>)

So for upstream dist YAML-LibYAML, you get:
- mageia: perl-YAML-LibYAML
- debian: libyaml-libyaml-perl (yeah, that's ugly)

hth,
Jérôme
CC: (none) => davidwhodgins
Whiteboard: MGA3TOO => MGA3TOO advisory
It may also be affected by CVE-2014-2525: http://openwall.com/lists/oss-security/2014/03/26/12 Jerome, could you look into it? The libyaml commit to fix it is linked there.
Whiteboard: MGA3TOO advisory => MGA3TOO advisory feedback
It is indeed affected. Debian has issued an advisory for this on March 26: http://www.debian.org/security/2014/dsa-2885 from http://lwn.net/Vulnerabilities/592273/
CC: (none) => qa-bugs
Assignee: qa-bugs => jquelin
Whiteboard: MGA3TOO advisory feedback => MGA3TOO
Package up to date in cauldron, and following packages pushed to core/updates_testing:
- perl-YAML-LibYAML-0.380.0-3.2.mga3
- perl-YAML-LibYAML-0.410.0-2.2.mga4

Please validate & push.
Assignee: jquelin => qa-bugs
Thanks Jerome!

Advisory:
========================

Updated perl-YAML-LibYAML packages fix security vulnerabilities:

Florian Weimer of the Red Hat Product Security Team discovered a heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a YAML document with a specially-crafted tag that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application (CVE-2013-6393).

Ivan Fratric of the Google Security Team discovered a heap-based buffer overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application (CVE-2014-2525).

The perl-YAML-LibYAML package is being updated as it contains an embedded copy of LibYAML.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6393
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2525
http://www.debian.org/security/2014/dsa-2870
http://www.debian.org/security/2014/dsa-2885
========================

Updated packages in core/updates_testing:
========================
perl-YAML-LibYAML-0.380.0-3.2.mga3
perl-YAML-LibYAML-0.410.0-2.2.mga4

from SRPMS:
perl-YAML-LibYAML-0.380.0-3.2.mga3.src.rpm
perl-YAML-LibYAML-0.410.0-2.2.mga4.src.rpm
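An added example (not part of this bug report or of Mageia's own tooling) showing how an administrator can check whether the installed perl-YAML-LibYAML package is at or above the fixed version-release listed in the advisory above. It implements a simplified version of rpm's version comparison (no epoch, no '~' or '^' handling), keyed on the mga3/mga4 suffix of the release tag; the FIXED_VERSIONS table is taken from the advisory, and the `rpm -q` output it parses is a constructed sample, not output captured from a real host.

```python
import re

# Fixed version-release per Mageia release, as listed in the advisory above.
FIXED_VERSIONS = {
    "mga3": ("0.380.0", "3.2.mga3"),
    "mga4": ("0.410.0", "2.2.mga4"),
}

# rpm splits version strings into runs of digits and runs of letters.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two RPM version (or release) strings like rpm does,
    simplified: no epoch and no '~' / '^' handling. Returns -1, 0 or 1."""
    if a == b:
        return 0
    seg_a = _SEGMENT.findall(a)
    seg_b = _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            # rpm rule: a numeric segment sorts newer than an alphabetic one
            return 1 if x_num else -1
        if x_num:
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    # all shared segments equal: the string with more segments is newer
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def split_nvr(nvr):
    """Split 'name-version-release' on its last two hyphens."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_fixed(nvr, fixed=FIXED_VERSIONS):
    """True if the installed NVR is at or above the fixed version-release for
    its Mageia release, False if older, None if the name or distro suffix is
    not one this table knows about (e.g. pure-perl perl-YAML, or cauldron)."""
    name, version, release = split_nvr(nvr)
    if name != "perl-YAML-LibYAML":
        return None
    m = re.search(r"mga\d+$", release)
    if not m or m.group(0) not in fixed:
        return None
    fixed_version, fixed_release = fixed[m.group(0)]
    c = rpmvercmp(version, fixed_version)
    if c == 0:
        c = rpmvercmp(release, fixed_release)
    return c >= 0


if __name__ == "__main__":
    # Constructed sample of `rpm -q perl-YAML-LibYAML` output, one host per line.
    sample = """perl-YAML-LibYAML-0.380.0-3.1.mga3
perl-YAML-LibYAML-0.410.0-2.2.mga4"""
    for line in sample.splitlines():
        state = is_fixed(line)
        label = "unknown" if state is None else ("fixed" if state else "VULNERABLE")
        print(line, label)
```

On a real host the input would be the output of `rpm -q perl-YAML-LibYAML`; a result of None means the table has no entry to compare against rather than that the package is safe.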
CC: qa-bugs => (none)
Summary: perl-YAML-LibYAML new security issue CVE-2013-6393 => perl-YAML-LibYAML new security issues CVE-2013-6393 and CVE-2014-2525
Advisory uploaded.
Whiteboard: MGA3TOO => MGA3TOO advisory
Created attachment 5090
The bash script with the test procedure.

This is the test procedure I created for the bug that just downloads and runs the test suite from the YAML-LibYAML distribution. It is mostly automated. I tested it on Mageia 4 x86-64.

Regards,
-- Shlomi Fish
CC: (none) => shlomif
Add mga-4-ok and has_procedure.
Whiteboard: MGA3TOO advisory => MGA3TOO advisory mga4-64-ok has_procedure
Mga-4-32 is OK too.
Whiteboard: MGA3TOO advisory mga4-64-ok has_procedure => MGA3TOO advisory mga4-64-ok mga4-32-ok has_procedure
Testing complete mga3 32

mga3 32 shows this, which looks to be due to the older version; it seems to be looking at a changelog and finding 0.41 but the system has version 0.38.

t/changes.t .......... 1/5
#   Failed test 'There are 37 Changes entries'
#   at t/changes.t line 12.
#   Failed test 'Changes file is up to date with current YAML::XS::VERSION'
#   at t/changes.t line 14.
#          got: '0.41'
#     expected: '0.38'
# Looks like you failed 2 tests of 5.
t/changes.t .......... Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/5 subtests

All other tests pass OK.
Whiteboard: MGA3TOO advisory mga4-64-ok mga4-32-ok has_procedure => MGA3TOO advisory mga3-32-ok mga4-64-ok mga4-32-ok has_procedure
Testing complete mga3 64.

Thanks for the procedure Shlomi!

Validating. Could sysadmin please push to 3 & 4 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO advisory mga3-32-ok mga4-64-ok mga4-32-ok has_procedure => MGA3TOO advisory has_procedure mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok has_procedure
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0154.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED