Hi Niko

On Fri, Mar 09, 2012 at 08:09:54AM +0200, Niko Tyni wrote:
> severity 661548 grave
> tag 661548 security
> found 661548 0.33-1
> thanks
>
> On Mon, Feb 27, 2012 at 09:44:42PM +0000, Dominic Hargreaves wrote:
> > Source: libyaml-libyaml-perl
> > Severity: normal
> > Version: 0.38-1
> > User: debian...@lists.debian.org
> > Usertags: hardening-format-security hardening
> >
> > With hardening flags enabled, this package FTBFS:
> >
> > perl_libyaml.c: In function 'Load':
> > perl_libyaml.c:191:5: error: format not a string literal and no format arguments [-Werror=format-security]
> > perl_libyaml.c: In function 'load_node':
> > perl_libyaml.c:274:9: error: format not a string literal and no format arguments [-Werror=format-security]
> > perl_libyaml.c: In function 'load_mapping':
> > perl_libyaml.c:318:9: error: format not a string literal and no format arguments [-Werror=format-security]
> > perl_libyaml.c: In function 'load_sequence':
> > perl_libyaml.c:351:9: error: format not a string literal and no format arguments [-Werror=format-security]
>
> These format strings can be injected from user input, so raising the severity. A DSA will be issued for squeeze.
>
> I've just notified upstream via the RT tickets below. Could somebody from the pkg-perl team please prepare updated packages (built with -sa for stable-security as this is new there)? Trivial patches can be found in
Are you going to prepare the upload for it? Otherwise, I have prepared the branch in our git repository with the fix taken from the upstream RT#46507 patch there. A review would anyway be welcome.

Regards
Salvatore
diff -Nru libyaml-libyaml-perl-0.33/debian/changelog libyaml-libyaml-perl-0.33/debian/changelog --- libyaml-libyaml-perl-0.33/debian/changelog 2010-05-02 16:46:50.000000000 +0200 +++ libyaml-libyaml-perl-0.33/debian/changelog 2012-03-10 08:45:38.000000000 +0100 @@ -1,3 +1,15 @@ +libyaml-libyaml-perl (0.33-2) stable-security; urgency=high + + * Team upload. + * Add fix-CVE-2012-1152.patch patch. + Security fix for CVE-2012-1152. A remote attacker could provide a + specially-crafted YAML document, which once processed by the + YAML-LibYAML interface would lead to libyaml-libyaml-perl based process + crash. + Thanks to Niko Tyni <nt...@debian.org> (Closes: #661548) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 10 Mar 2012 08:41:38 +0100 + libyaml-libyaml-perl (0.33-1) unstable; urgency=low [ Jonathan Yu ] diff -Nru libyaml-libyaml-perl-0.33/debian/gbp.conf libyaml-libyaml-perl-0.33/debian/gbp.conf --- libyaml-libyaml-perl-0.33/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100 +++ libyaml-libyaml-perl-0.33/debian/gbp.conf 2012-03-10 08:45:38.000000000 +0100 @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = squeeze diff -Nru libyaml-libyaml-perl-0.33/debian/patches/fix-CVE-2012-1152.patch libyaml-libyaml-perl-0.33/debian/patches/fix-CVE-2012-1152.patch --- libyaml-libyaml-perl-0.33/debian/patches/fix-CVE-2012-1152.patch 1970-01-01 01:00:00.000000000 +0100 +++ libyaml-libyaml-perl-0.33/debian/patches/fix-CVE-2012-1152.patch 2012-03-10 08:45:38.000000000 +0100 
@@ -0,0 +1,56 @@ +Description: A remote attacker could provide a specially-crafted YAML + document, which once processed by the perl-YAML-LibYAML interface would + lead to perl-YAML-LibYAML based process crash. + . + Fix for CVE-2012-1152. +Origin: http://rt.cpan.org/Ticket/Attachment/920541/477607/YAML-LibYAML-0.35-format-error.patch +Bug: https://rt.cpan.org/Public/Bug/Display.html?id=46507 +Bug-Debian: http://bugs.debian.org/661548 +Forwarded: not-needed +Author: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2012-03-10 + +--- a/LibYAML/perl_libyaml.c ++++ b/LibYAML/perl_libyaml.c +@@ -181,7 +181,7 @@ + return; + + load_error: +- croak(loader_error_msg(&loader, NULL)); ++ croak("%s", loader_error_msg(&loader, NULL)); + } + + /* +@@ -230,12 +230,12 @@ + + /* Some kind of error occurred */ + if (loader->event.type == YAML_NO_EVENT) +- croak(loader_error_msg(loader, NULL)); ++ croak("%s", loader_error_msg(loader, NULL)); + + croak(ERRMSG "Invalid event '%d' at top level", (int) loader->event.type); + + load_error: +- croak(loader_error_msg(loader, NULL)); ++ croak("%s", loader_error_msg(loader, NULL)); + } + + /* +@@ -278,7 +278,7 @@ + else if (strlen(tag) <= strlen(prefix) || + ! strnEQ(tag, prefix, strlen(prefix)) + ) croak( +- loader_error_msg(loader, form("bad tag found for hash: '%s'", tag)) ++ "%s", loader_error_msg(loader, form("bad tag found for hash: '%s'", tag)) + ); + class = tag + strlen(prefix); + sv_bless(hash_ref, gv_stashpv(class, TRUE)); +@@ -311,7 +311,7 @@ + else if (strlen(tag) <= strlen(prefix) || + ! 
strnEQ(tag, prefix, strlen(prefix)) + ) croak( +- loader_error_msg(loader, form("bad tag found for array: '%s'", tag)) ++ "%s", loader_error_msg(loader, form("bad tag found for array: '%s'", tag)) + ); + class = tag + strlen(prefix); + sv_bless(array_ref, gv_stashpv(class, TRUE)); diff -Nru libyaml-libyaml-perl-0.33/debian/patches/series libyaml-libyaml-perl-0.33/debian/patches/series --- libyaml-libyaml-perl-0.33/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libyaml-libyaml-perl-0.33/debian/patches/series 2012-03-10 08:45:38.000000000 +0100 @@ -0,0 +1 @@ +fix-CVE-2012-1152.patch
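Review bot: the changelog hunk has a duplicated word in "Add fix-CVE-2012-1152.patch patch." and the sentence "would lead to libyaml-libyaml-perl based process crash" reads as a transcription of the CVE text rather than a description of what the Debian package does; suggest "* Add fix-CVE-2012-1152.patch: pass loader error messages to croak() as arguments of a literal "%s" format instead of as the format string (CVE-2012-1152)." so the reader sees what changed without opening the patch. The distribution (stable-security), urgency=high, version 0.33-2 and the Closes: #661548 reference are all consistent with the squeeze DSA Niko announced.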
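Review bot: the debian/gbp.conf hunk (debian-branch = squeeze) is a packaging-workflow addition with no connection to the security fix and it is not mentioned in the changelog. A stable-security upload is usually kept to the minimal change; either drop this file from the 0.33-2 upload or add a changelog line for it so the diff the security team reviews is fully described.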
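Review bot: in the fix-CVE-2012-1152.patch hunk the code change itself looks complete: every croak() whose format was the runtime-built loader_error_msg() result now passes it behind a literal "%s" (Load at -181, both sites in load_node at -230, load_mapping at -278, load_sequence at -311), which covers the four functions in Dominic's -Werror=format-security output, and the remaining croak(ERRMSG "Invalid event '%d' at top level", ...) already has a literal format so needs no change. Two header points: the DEP-3 Description uses the name "perl-YAML-LibYAML" (not this package, libyaml-libyaml-perl), and "Forwarded: not-needed" is right only because Origin points at the upstream RT attachment; consider saying so in a one-line comment, e.g. "Forwarded: not-needed (taken from upstream RT#46507)", so the next maintainer does not re-forward it.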
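The fix above is a one-token change per call site, and the reason it matters is easy to lose in the diff. The following added example (written for this review, not code from the Debian package or from YAML::LibYAML) models the pattern in plain C: an error message that embeds tag text taken from the YAML document is built first, the way perl_libyaml.c does with form() and loader_error_msg(), and is then handed to a printf-style reporter. Passing that message as the format string lets '%' sequences in the tag drive the formatter; passing it as an argument of a literal "%s" format does not. The function names, the ERRMSG text and the sample tag are all constructed for this example; the format attribute on the wrapper shows the mechanism by which gcc's -Werror=format-security turned the unsafe call into the FTBFS in the bug report.

```c
/* Added example, not code from libyaml-libyaml-perl or YAML::LibYAML.
 * Function names and the sample inputs below are constructed. */
#include <stdio.h>
#include <string.h>
#include <stdarg.h>

/* The real module prefixes its messages with an ERRMSG macro (seen in the
 * patch); its exact text is not on the page, so this value is invented. */
#define ERRMSG "YAML::XS::Load Error: "

/* Mirrors form("bad tag found for hash: '%s'", tag): the tag is a value
 * consumed by a literal format, so building the message is safe. The
 * problem starts only when the *result* is later used as a format. */
static int build_tag_error(char *out, size_t n, const char *tag)
{
    return snprintf(out, n, ERRMSG "bad tag found for hash: '%s'", tag);
}

/* The hardened reporter: the message is always an argument of a literal
 * "%s" format, exactly as the patch rewrites croak(msg) to croak("%s", msg). */
static int report_error_safe(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

/* A printf-like wrapper carrying the format attribute. With it, gcc's
 * -Wformat-security (and -Werror=format-security in Debian's hardening
 * flags) rejects report_error_fmt(out, n, msg) where msg is not a literal
 * and no further arguments are given, which is the diagnostic in the bug. */
__attribute__((format(printf, 3, 4)))
static int report_error_fmt(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    int len;
    va_start(ap, fmt);
    len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Defensive check: how many conversions an untrusted string would trigger
 * if it were ever misused as a format ("%%" is just a literal percent).
 * A non-zero count on a message built from document content is the
 * condition the patch removes the exposure to. */
static int count_conversions(const char *s)
{
    int count = 0;
    while ((s = strchr(s, '%')) != NULL) {
        if (s[1] == '%') {      /* escaped percent, not a conversion */
            s += 2;
            continue;
        }
        count++;
        s++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: a YAML tag whose text contains format directives. */
    const char *tag = "!!perl/hash:Foo%x%x%n";
    char msg[256], out[256];

    build_tag_error(msg, sizeof msg, tag);
    printf("conversions hidden in the message: %d\n", count_conversions(msg));

    /* Safe: the directives survive only as literal text. */
    report_error_safe(out, sizeof out, msg);
    printf("%s\n", out);

    /* Also safe, because the format handed to the wrapper is a literal. */
    report_error_fmt(out, sizeof out, "%s", msg);
    printf("%s\n", out);
    return 0;
}
```

The same reasoning applies to any printf-family sink (croak, warn, syslog, sprintf): a string that was built from input is data, and the one literal "%s" is what keeps it that way.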