Bug 12984 - perl-YAML-LibYAML new security issues CVE-2013-6393 and CVE-2014-2525
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal    Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/583997/
Whiteboard: MGA3TOO advisory has_procedure mga3-3...
Keywords: validated_update
Reported: 2014-03-10 16:37 CET by David Walser
Modified: 2014-04-03 03:02 CEST (History)

Source RPM: perl-YAML-LibYAML

Attachments
Attachment 5090: The bash script with the test procedure. (531 bytes, application/octet-stream), 2014-04-02 17:59 CEST, Shlomi Fish

Description David Walser 2014-03-10 16:37:48 CET
Debian has issued an advisory on March 8:
http://www.debian.org/security/2014/dsa-2870

This is the same issue we (and others) fixed in libyaml in Bug 12583.

Debian issued this advisory because they have an embedded copy of libyaml in their perl YAML package.  If we do as well, we'll need to patch it for the security issue, or better yet, to use system libyaml if possible.

Comment 1 Jerome Quelin 2014-03-11 09:03:55 CET
The embedded copy of libyaml is in perl-YAML-LibYAML, not perl-YAML (a pure-perl implementation).

Package patched for cauldron, mga4 and mga3.

Packages currently building, should be available soon in core/updates_testing of the relevant mageia version (except cauldron of course).
Comment 2 David Walser 2014-03-11 12:44:47 CET
Thanks Jerome!

It's hard to tell with Debian's strange package names :o)

Advisory:
========================

Updated perl-YAML-LibYAML packages fix security vulnerabilities:

Florian Weimer of the Red Hat Product Security Team discovered a heap-based
buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library.
A remote attacker could provide a YAML document with a specially-crafted tag
that, when parsed by an application using libyaml, would cause the application
to crash or, potentially, execute arbitrary code with the privileges of the
user running the application (CVE-2013-6393).

The perl-YAML-LibYAML package is being updated as it contains an embedded copy
of LibYAML.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6393
http://www.debian.org/security/2014/dsa-2870
========================

Updated packages in core/updates_testing:
========================
perl-YAML-LibYAML-0.380.0-3.1.mga3
perl-YAML-LibYAML-0.410.0-2.1.mga4

from SRPMS:
perl-YAML-LibYAML-0.380.0-3.1.mga3.src.rpm
perl-YAML-LibYAML-0.410.0-2.1.mga4.src.rpm
Comment 3 Jerome Quelin 2014-03-11 13:35:27 CET
For reference, it seems to me that Debian names its Perl packages like this:
lib<name>-<of>-<the>-<dist>-perl in lowercase (where Mageia uses perl-<name>-<of>-<the>-<dist>)

So for upstream dist YAML-LibYAML, you get:
- mageia: perl-YAML-LibYAML
- debian: libyaml-libyaml-perl (yeah, that's ugly)

hth, Jérôme
Comment 4 David Walser 2014-03-27 13:50:05 CET
It may also be affected by CVE-2014-2525:
http://openwall.com/lists/oss-security/2014/03/26/12

Jerome, could you look into it?  The libyaml commit to fix it is linked there.
Comment 5 David Walser 2014-03-27 18:21:11 CET
It is indeed affected.  Debian has issued an advisory for this on March 26:
http://www.debian.org/security/2014/dsa-2885

from http://lwn.net/Vulnerabilities/592273/
Comment 6 Jerome Quelin 2014-03-31 09:48:50 CEST
Package up to date in cauldron, and the following packages pushed to core/updates_testing:
- perl-YAML-LibYAML-0.380.0-3.2.mga3
- perl-YAML-LibYAML-0.410.0-2.2.mga4

please validate & push.
Comment 7 David Walser 2014-03-31 15:25:01 CEST
Thanks Jerome!

Advisory:
========================

Updated perl-YAML-LibYAML packages fix security vulnerabilities:

Florian Weimer of the Red Hat Product Security Team discovered a heap-based
buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library.
A remote attacker could provide a YAML document with a specially-crafted tag
that, when parsed by an application using libyaml, would cause the application
to crash or, potentially, execute arbitrary code with the privileges of the
user running the application (CVE-2013-6393).

Ivan Fratric of the Google Security Team discovered a heap-based buffer
overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter
library. A remote attacker could provide a specially-crafted YAML document
that, when parsed by an application using libyaml, would cause the application
to crash or, potentially, execute arbitrary code with the privileges of the
user running the application (CVE-2014-2525).

The perl-YAML-LibYAML package is being updated as it contains an embedded copy
of LibYAML.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6393
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2525
http://www.debian.org/security/2014/dsa-2870
http://www.debian.org/security/2014/dsa-2885
========================

Updated packages in core/updates_testing:
========================
perl-YAML-LibYAML-0.380.0-3.2.mga3
perl-YAML-LibYAML-0.410.0-2.2.mga4

from SRPMS:
perl-YAML-LibYAML-0.380.0-3.2.mga3.src.rpm
perl-YAML-LibYAML-0.410.0-2.2.mga4.src.rpm
Comment 8 claire robinson 2014-04-02 17:42:41 CEST
Advisory uploaded.
Comment 9 Shlomi Fish 2014-04-02 17:59:40 CEST
Created attachment 5090
The bash script with the test procedure.

This is the test procedure I created for the bug that just downloads and runs the test suite from the YAML-LibYAML distribution. It is mostly automated. I tested it on Mageia 4 x86-64. 

Regards,

-- Shlomi Fish
Comment 10 Shlomi Fish 2014-04-02 18:00:34 CEST
Add mga-4-ok and has_procedure.
Comment 11 Shlomi Fish 2014-04-02 18:06:17 CEST
Mga-4-32 is OK too.
Comment 12 claire robinson 2014-04-02 18:11:53 CEST
Testing complete mga3 32

mga3 32 shows this, which looks to be due to the older version; it seems to be looking at a changelog and finding 0.41, but the system has version 0.38.

t/changes.t .......... 1/5 
#   Failed test 'There are 37 Changes entries'
#   at t/changes.t line 12.

#   Failed test 'Changes file is up to date with current YAML::XS::VERSION'
#   at t/changes.t line 14.
#          got: '0.41'
#     expected: '0.38'
# Looks like you failed 2 tests of 5.
t/changes.t .......... Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/5 subtests 


All other tests pass OK.
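The procedure from comment 9 (fetch the YAML-LibYAML distribution and run its test suite against the packaged module) together with the caveat from comment 12 (t/changes.t fails when the suite comes from a different release than the one installed), written out as an added shell example. This is not attachment 5090 and not a Mageia QA script; it assumes perl, prove, curl and tar are present, that the caller passes the tarball URL of the release to test, and that unpacked dist directories are named YAML-LibYAML-<version>.

```shell
#!/bin/sh
# Added example, not the attachment from this bug: re-run the YAML-LibYAML
# test suite against the *installed* YAML::XS and decide whether the only
# failure is the version-skew t/changes.t case seen on mga3 in comment 12.
# Assumptions (not from the bug): perl, prove, curl and tar are available,
# and the caller supplies the tarball URL of the release under test.
set -eu

# Version string of the YAML::XS that perl actually loads (e.g. "0.38").
installed_yaml_xs_version() {
    perl -MYAML::XS -e 'print $YAML::XS::VERSION'
}

# Print the test files whose prove result line says "Dubious", one per
# line, e.g. "t/changes.t" for the output quoted in comment 12.
failed_test_files() {
    awk '/^t\/[^ ]*\.t \.+ Dubious/ { print $1 }'
}

# Exit 0 when the failures (prove output on stdin) are only t/changes.t and
# the suite came from a different release than the one installed: that test
# compares the Changes file with $YAML::XS::VERSION, so it cannot pass when
# the versions differ, and it says nothing about the libyaml fix.
# $1 = installed version, $2 = version of the dist whose t/ was run.
failures_are_benign() {
    failures=$(failed_test_files)
    [ "$failures" = "t/changes.t" ] && [ "$1" != "$2" ]
}

# Derive the release version from an unpacked dist directory name,
# e.g. /tmp/x/YAML-LibYAML-0.38 -> 0.38 (assumed naming convention).
dist_version_from_dir() {
    printf '%s\n' "${1##*YAML-LibYAML-}"
}

# Fetch and unpack the tarball at $1, run its t/ directory WITHOUT -l/-b so
# the tests load the packaged YAML::XS, then classify the result.
run_suite() {
    tmp=$(mktemp -d)
    curl -fsSL "$1" | tar -xz -C "$tmp"
    dist_dir=$(find "$tmp" -mindepth 1 -maxdepth 1 -type d -name 'YAML-LibYAML-*' | head -n 1)
    installed=$(installed_yaml_xs_version)
    shipped=$(dist_version_from_dir "$dist_dir")
    echo "installed YAML::XS $installed, test suite from release $shipped"
    (cd "$dist_dir" && prove t/) 2>&1 | tee "$tmp/prove.log" || true
    if ! grep -q ' Dubious' "$tmp/prove.log"; then
        echo "all tests passed against the installed module"
    elif failures_are_benign "$installed" "$shipped" < "$tmp/prove.log"; then
        echo "only the version-skew t/changes.t failure; treat as OK"
    else
        echo "unexpected failures:"
        failed_test_files < "$tmp/prove.log"
        exit 1
    fi
}

# Usage: sh yaml-libyaml-check.sh --run <URL of YAML-LibYAML-<ver>.tar.gz>
if [ "${1:-}" = "--run" ]; then
    run_suite "${2:?tarball URL required}"
fi
```

Fetching the tarball that matches the installed version avoids the t/changes.t noise altogether; when that is not possible (as with 0.41 tests on an mga3 0.38 package), the classification above keeps a mismatched Changes file from being mistaken for a regression while still failing loudly on any other test.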
Comment 13 claire robinson 2014-04-02 18:25:46 CEST
Testing complete mga3 64.

Thanks for the procedure Shlomi!

Validating.

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 14 Damien Lallement 2014-04-03 03:02:47 CEST
http://advisories.mageia.org/MGASA-2014-0154.html
