+libyaml (0.1.4-3.2) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Add CVE-2014-2525.patch patch.
+ CVE-2014-2525: Fixes heap overflow in yaml_parser_scan_uri_escapes.
+ The heap overflow is caused by not properly expanding a string before
+ writing to it in function yaml_parser_scan_uri_escapes in scanner.c.
+ (Closes: #742732)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Thu, 27 Mar 2014 06:22:25 +0100
+
libyaml (0.1.4-3.1) unstable; urgency=medium
* Non-maintainer upload.
--- /dev/null
+Description: CVE-2014-2525: Fixes heap overflow in yaml_parser_scan_uri_escapes
+ The heap overflow is caused by not properly expanding a string before
+ writing to it in function yaml_parser_scan_uri_escapes in scanner.c.
+Origin: backport, https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2014-03-20
+Applied-Upstream: 0.1.6
+
+--- a/src/scanner.c
++++ b/src/scanner.c
+@@ -2629,6 +2629,9 @@
+ /* Check if it is a URI-escape sequence. */
+
+ if (CHECK(parser->buffer, '%')) {
++ if (!STRING_EXTEND(parser, string))
++ goto error;
++
+ if (!yaml_parser_scan_uri_escapes(parser,
+ directive, start_mark, &string)) goto error;
+ }
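Review bot: The `STRING_EXTEND` guard added in the `%` branch is sufficient only if a single call to `yaml_parser_scan_uri_escapes` never writes more bytes than the reserve the macro guarantees (the `+5` in yaml_private.h), and nothing here records that dependency. I would add a comment above the new check, for example `/* Reserve room for one decoded escape sequence; the callee writes to string without extending it. */`. It is also worth confirming against the callee that its maximum output per call fits in that reserve. The callee's body and the enclosing function lie outside the hunk, so this bound is inferred from the patch description rather than visible in these lines.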
+--- a/src/yaml_private.h
++++ b/src/yaml_private.h
+@@ -133,9 +133,12 @@
+ (string).start = (string).pointer = (string).end = 0)
+
+ #define STRING_EXTEND(context,string) \
+- (((string).pointer+5 < (string).end) \
++ ((((string).pointer+5 < (string).end) \
+ || yaml_string_extend(&(string).start, \
+- &(string).pointer, &(string).end))
++ &(string).pointer, &(string).end)) ? \
++ 1 : \
++ ((context)->error = YAML_MEMORY_ERROR, \
++ 0))
+
+ #define CLEAR(context,string) \
+ ((string).pointer = (string).start, \
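Review bot: The rewritten condition `(string).pointer+5 < (string).end` still computes a pointer up to five bytes past the buffer end when fewer than five bytes remain, which is the very case the check is meant to detect. That is undefined behaviour in C and could in principle wrap near the top of the address space. Comparing the remaining length avoids it: `((string).end - (string).pointer > 5)`. The literal 5 is also the reserve that callers such as the new guard in scanner.c rely on, so a comment like `/* reserve: must cover the largest write made between STRING_EXTEND calls */` would make that contract explicit. The macro expands `string` several times, so its argument has to stay free of side effects.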