[oe-commits] Kang Kai : libyaml: add fix for CVE-2014-2525 Security Advisory
git at git.openembedded.org
git at git.openembedded.org
Wed Dec 3 14:15:42 UTC 2014
Module: meta-openembedded.git
Branch: dizzy
Commit: f58ee5acdd436f822c42bed063a319f926854f7d
URL: http://git.openembedded.org/?p=meta-openembedded.git&a=commit;h=f58ee5acdd436f822c42bed063a319f926854f7d
Author: Kang Kai <kai.kang at windriver.com>
Date: Wed Oct 29 08:30:59 2014 +0800
libyaml: add fix for CVE-2014-2525 Security Advisory
Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function
in LibYAML before 0.1.6 allows context-dependent attackers to execute
arbitrary code via a long sequence of percent-encoded characters in a
URI in a YAML file.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2525
Signed-off-by: Yue Tao <Yue.Tao at windriver.com>
Signed-off-by: Kai Kang <kai.kang at windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa at gmail.com>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
.../libyaml/files/libyaml-CVE-2014-2525.patch | 42 ++++++++++++++++++++++
meta-oe/recipes-support/libyaml/libyaml_0.1.5.bb | 4 ++-
2 files changed, 45 insertions(+), 1 deletion(-)
diff --git a/meta-oe/recipes-support/libyaml/files/libyaml-CVE-2014-2525.patch b/meta-oe/recipes-support/libyaml/files/libyaml-CVE-2014-2525.patch
new file mode 100644
index 0000000..2fdcba3
--- /dev/null
+++ b/meta-oe/recipes-support/libyaml/files/libyaml-CVE-2014-2525.patch
@@ -0,0 +1,42 @@
+Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function
+in LibYAML before 0.1.6 allows context-dependent attackers to execute
+arbitrary code via a long sequence of percent-encoded characters in a
+URI in a YAML file.
+
+Upstream-Status: Backport
+
+Signed-off-by: Kai Kang <kai.kang at windriver.com>
+---
+diff --git a/src/scanner.c.old b/src/scanner.c
+index a2e8619..c6cde3b 100644
+--- a/src/scanner.c.old
++++ b/src/scanner.c
+@@ -2619,6 +2619,9 @@ yaml_parser_scan_tag_uri(yaml_parser_t *parser, int directive,
+ /* Check if it is a URI-escape sequence. */
+
+ if (CHECK(parser->buffer, '%')) {
++ if (!STRING_EXTEND(parser, string))
++ goto error;
++
+ if (!yaml_parser_scan_uri_escapes(parser,
+ directive, start_mark, &string)) goto error;
+ }
+diff --git a/src/yaml_private.h.old b/src/yaml_private.h
+index ed5ea66..d72acb4 100644
+--- a/src/yaml_private.h.old
++++ b/src/yaml_private.h
+@@ -132,9 +132,12 @@ yaml_string_join(
+ (string).start = (string).pointer = (string).end = 0)
+
+ #define STRING_EXTEND(context,string) \
+- (((string).pointer+5 < (string).end) \
++ ((((string).pointer+5 < (string).end) \
+ || yaml_string_extend(&(string).start, \
+- &(string).pointer, &(string).end))
++ &(string).pointer, &(string).end)) ? \
++ 1 : \
++ ((context)->error = YAML_MEMORY_ERROR, \
++ 0))
+
+ #define CLEAR(context,string) \
+ ((string).pointer = (string).start, \
diff --git a/meta-oe/recipes-support/libyaml/libyaml_0.1.5.bb b/meta-oe/recipes-support/libyaml/libyaml_0.1.5.bb
index c44eda4..1279541 100644
--- a/meta-oe/recipes-support/libyaml/libyaml_0.1.5.bb
+++ b/meta-oe/recipes-support/libyaml/libyaml_0.1.5.bb
@@ -7,7 +7,9 @@ SECTION = "libs/devel"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=6015f088759b10e0bc2bf64898d4ae17"
-SRC_URI = "http://pyyaml.org/download/libyaml/yaml-${PV}.tar.gz"
+SRC_URI = "http://pyyaml.org/download/libyaml/yaml-${PV}.tar.gz \
+ file://libyaml-CVE-2014-2525.patch \
+ "
SRC_URI[md5sum] = "24f6093c1e840ca5df2eb09291a1dbf1"
SRC_URI[sha256sum] = "fa87ee8fb7b936ec04457bc044cd561155e1000a4d25029867752e543c2d3bef"
More information about the Openembedded-commits
mailing list