Bug 13101 - libyaml new security issue CVE-2014-2525
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/592273/
Whiteboard: MGA3TOO advisory has_procedure MGA3-3...
Keywords: validated_update
Reported: 2014-03-27 13:52 CET by David Walser
Modified: 2014-04-03 02:33 CEST

See Also:
Source RPM: yaml-0.1.5-1.mga5.src.rpm

Description David Walser 2014-03-27 13:52:03 CET
Upstream has issued an advisory on March 26:
http://openwall.com/lists/oss-security/2014/03/26/12

The issue is fixed upstream in 0.1.6 and the commit is also linked there.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-03-27 18:21:34 CET
Debian has issued an advisory for this on March 26:
http://www.debian.org/security/2014/dsa-2884
Comment 2 Thomas Spuhler 2014-03-27 19:57:42 CET
fixed in cauldron, mga3 and mga4
uploaded into upgrades_testing, both mga3 and mga4, 32 and 64bit:
yaml-0.1.6-1.mga5.src.rpm
lib64yaml0_2-0.1.6-1.mgax.x86_64.rpm
lib64yaml-devel-0.1.6-1.mgax.x86_64.rpm
yaml-debuginfo-0.1.6-1.mgax.x86_64.rpm
Comment 3 David Walser 2014-03-28 01:52:35 CET
Thanks Thomas!

Advisory:
========================

Updated libyaml packages fix security vulnerabilities:

Ivan Fratric of the Google Security Team discovered a heap-based buffer
overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter
library. A remote attacker could provide a specially-crafted YAML document
that, when parsed by an application using libyaml, would cause the
application to crash or, potentially, execute arbitrary code with the
privileges of the user running the application (CVE-2014-2525).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2525
http://www.debian.org/security/2014/dsa-2884
========================

Updated packages in core/updates_testing:
========================
libyaml0_2-0.1.6-1.mga3
libyaml-devel-0.1.6-1.mga3
yaml-debuginfo-0.1.6-1.mga3
libyaml0_2-0.1.6-1.mga4
libyaml-devel-0.1.6-1.mga4
yaml-debuginfo-0.1.6-1.mga4

from SRPMS:
yaml-0.1.6-1.mga3.src.rpm
yaml-0.1.6-1.mga4.src.rpm
Comment 4 David Walser 2014-03-28 01:53:32 CET
You can find information on how to test this in Bug 12583.
Comment 5 Dave Hodgins 2014-03-31 22:37:52 CEST
Advisory 13101.adv committed to svn.
Comment 6 claire robinson 2014-04-01 16:39:52 CEST
Procedure at the end of comment 3 here 
https://bugs.mageia.org/show_bug.cgi?id=12583#c3
Comment 7 David Walser 2014-04-01 19:34:46 CEST
Testing complete on Mageia 3 i586 and Mageia 4 i586 using Comment 6.
Comment 8 claire robinson 2014-04-02 13:14:53 CEST
Testing complete mga3 64 and mga4 64

Output from the example is different in mga3 than it is in mga4.

In mga3 it is all on one line showing '\n' instead of creating newlines. There are spaces after the \n's which would create correct indentation if they were on new lines though. It is the same before and after the update so validating.

Advisory previously uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 9 Damien Lallement 2014-04-03 02:33:55 CEST
http://advisories.mageia.org/MGASA-2014-0150.html