Bug 13101 - libyaml new security issue CVE-2014-2525
Summary: libyaml new security issue CVE-2014-2525
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal; Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/592273/
Whiteboard: MGA3TOO advisory has_procedure MGA3-3...
Keywords: validated_update
Reported: 2014-03-27 13:52 CET by David Walser
Modified: 2014-04-03 02:33 CEST

Source RPM: yaml-0.1.5-1.mga5.src.rpm

Description David Walser 2014-03-27 13:52:03 CET
Upstream has issued an advisory on March 26:
http://openwall.com/lists/oss-security/2014/03/26/12

The issue is fixed upstream in 0.1.6 and the commit is also linked there.

David Walser 2014-03-27 13:52:09 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-03-27 18:21:34 CET
Debian has issued an advisory for this on March 26:
http://www.debian.org/security/2014/dsa-2884

URL: (none) => http://www.debian.org/security/2014/dsa-2884

David Walser 2014-03-27 18:22:13 CET

URL: http://www.debian.org/security/2014/dsa-2884 => http://lwn.net/Vulnerabilities/592273/

Thomas Spuhler 2014-03-27 19:00:41 CET

Status: NEW => ASSIGNED

Comment 2 Thomas Spuhler 2014-03-27 19:57:42 CET
fixed in cauldron, mga3 and mga4
uploaded into upgrades_testing, both mga3 and mga4, 32 and 64bit:
yaml-0.1.6-1.mga5.src.rpm
lib64yaml0_2-0.1.6-1.mgax.x86_64.rpm
lib64yaml-devel-0.1.6-1.mgax.x86_64.rpm
yaml-debuginfo-0.1.6-1.mgax.x86_64.rpm
Thomas Spuhler 2014-03-27 19:59:22 CET

CC: (none) => thomas
Assignee: thomas => qa-bugs

Comment 3 David Walser 2014-03-28 01:52:35 CET
Thanks Thomas!

Advisory:
========================

Updated libyaml packages fix security vulnerabilities:

Ivan Fratric of the Google Security Team discovered a heap-based buffer
overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter
library. A remote attacker could provide a specially-crafted YAML document
that, when parsed by an application using libyaml, would cause the
application to crash or, potentially, execute arbitrary code with the
privileges of the user running the application (CVE-2014-2525).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2525
http://www.debian.org/security/2014/dsa-2884
========================

Updated packages in core/updates_testing:
========================
libyaml0_2-0.1.6-1.mga3
libyaml-devel-0.1.6-1.mga3
yaml-debuginfo-0.1.6-1.mga3
libyaml0_2-0.1.6-1.mga4
libyaml-devel-0.1.6-1.mga4
yaml-debuginfo-0.1.6-1.mga4

from SRPMS:
yaml-0.1.6-1.mga3.src.rpm
yaml-0.1.6-1.mga4.src.rpm

Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 4 David Walser 2014-03-28 01:53:32 CET
You can find information on how to test this in Bug 12583.
David Walser 2014-03-31 22:30:01 CEST

Severity: normal => critical

Comment 5 Dave Hodgins 2014-03-31 22:37:52 CEST
Advisory 13101.adv committed to svn.

CC: (none) => davidwhodgins
Whiteboard: MGA3TOO => MGA3TOO advisory

Comment 6 claire robinson 2014-04-01 16:39:52 CEST
Procedure at the end of comment 3 here 
https://bugs.mageia.org/show_bug.cgi?id=12583#c3

Whiteboard: MGA3TOO advisory => MGA3TOO advisory has_procedure

Comment 7 David Walser 2014-04-01 19:34:46 CEST
Testing complete on Mageia 3 i586 and Mageia 4 i586 using Comment 6.

Whiteboard: MGA3TOO advisory has_procedure => MGA3TOO advisory has_procedure MGA3-32-OK MGA4-32-OK

Comment 8 claire robinson 2014-04-02 13:14:53 CEST
Testing complete mga3 64 and mga4 64

Output from the example is different in mga3 than it is in mga4.

In mga3 it is all on one line showing '\n' instead of creating newlines. There are spaces after the \n's which would create correct indentation if they were on new lines though. It is the same before and after the update so validating.

Advisory previously uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO advisory has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO advisory has_procedure MGA3-32-OK mga3-64-ok MGA4-32-OK mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 9 Damien Lallement 2014-04-03 02:33:55 CEST
http://advisories.mageia.org/MGASA-2014-0150.html

Status: ASSIGNED => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED

