Mageia Bugzilla – Bug 13101
libyaml new security issue CVE-2014-2525
Last modified: 2014-04-03 02:33:55 CEST
Upstream has issued an advisory on March 26:
The issue is fixed upstream in 0.1.6 and the commit is also linked there.
Debian has issued an advisory for this on March 26:
fixed in cauldron, mga3 and mga4
uploaded into updates_testing, both mga3 and mga4, 32 and 64bit:
Updated libyaml packages fix security vulnerabilities:
Ivan Fratric of the Google Security Team discovered a heap-based buffer
overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter
library. A remote attacker could provide a specially-crafted YAML document
that, when parsed by an application using libyaml, would cause the
application to crash or, potentially, execute arbitrary code with the
privileges of the user running the application (CVE-2014-2525).
Updated packages in core/updates_testing:
You can find information on how to test this in Bug 12583.
Advisory 13101.adv committed to svn.
Procedure at the end of comment 3 here
Testing complete on Mageia 3 i586 and Mageia 4 i586 using Comment 6.
Testing complete mga3 64 and mga4 64
Output from the example is different in mga3 than it is in mga4.
In mga3 it is all on one line showing '\n' instead of creating newlines. There are spaces after the \n's which would create correct indentation if they were on new lines though. It is the same before and after the update so validating.
Advisory previously uploaded.
Could sysadmin please push to 3 & 4 updates?