On Fri, 28 Nov 2014, Salvatore Bonaccorso wrote:
> An assert is triggered by wrapped strings, see [1,2,3]. Proposed commit
> in [4] comments out the assertion and lets the parser fail. CVE-2014-9130
> was assigned for this reachable assertion in scanner.c.
>
> [1] https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
> [2] http://www.openwall.com/lists/oss-security/2014/11/28/1
> [3] https://security-tracker.debian.org/CVE-2014-9130
> [4] https://github.com/yaml/libyaml/commit/e6aa721cc0e5a48f408c52355559fd36780ba32a

Note that GitHub is not upstream for libyaml; this GitHub repo is just a
mirror[1] of the upstream Mercurial repo. The upstream fix simply deletes
the offending assert() rather than commenting it:

https://bitbucket.org/xi/libyaml/commits/2b9156756423e967cfd09a61d125d883fca6f4f2

I’ll upload this to unstable shortly.

Anders

[1] And a poorly-maintained one at that; the parent commit is just labelled
“Sync to head of https://bitbucket.org/xi/libyaml”, discarding all the
history between those points.