--- /dev/null
+libyaml (0.1.4-3.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Drop libyaml-indent-column-overflow-v2.patch patch.
+ This patch causes additional regressions on simple YAML files.
+ * Add libyaml-guard-against-overflows-in-indent-and-flow_level.patch patch.
+ Add upstream's patch to guard against overflows in indent and
+ flow_level. (Closes: #738587)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Thu, 13 Feb 2014 07:51:58 +0100
+
+libyaml (0.1.4-3) unstable; urgency=high
+
+ * Fix CVE-2013-6393: heap-based buffer overflow when parsing YAML tags.
+ (Closes: #737076)
+
+ -- Anders Kaseorg <andersk@mit.edu> Wed, 29 Jan 2014 20:11:48 -0500
+
+libyaml (0.1.4-2) unstable; urgency=low
+
+ * Remove extra libyaml-0.so symlink from libyaml-dev.
+ * Bump Debhelper compat level to 9.
+ * Support multiarch. (Closes: #653748) (LP: #905630)
+ * Use 3.0 (quilt) source format.
+
+ -- Anders Kaseorg <andersk@mit.edu> Fri, 30 Dec 2011 17:14:52 -0500
+
+libyaml (0.1.4-1) unstable; urgency=low
+
+ * New upstream version 0.1.4.
+ + Fixed a bug that prevented an empty mapping being used as a simple
+ key.
+ + Fixed pointer overflow when calculating the position of a potential
+ simple key.
+ + Added pkg-config support. (Closes: #537834)
+ * Remove unneded libyaml.la file. (Closes: #622452)
+ * Add libyaml-0-2-dbg package with debugging symbols.
+ (Closes: #592747)
+ * Bumped standards version to 3.9.2 without further change
+
+ -- Anders Kaseorg <andersk@mit.edu> Mon, 30 May 2011 22:27:27 -0400
+
+libyaml (0.1.3-1) unstable; urgency=low
+
+ * New upstream version 0.1.3.
+ + This release fixes non-standard structure initialization and a
+ streaming-related issue.
+ * Bump priority from extra to optional.
+
+ -- Anders Kaseorg <andersk@mit.edu> Sun, 04 Oct 2009 14:07:18 -0400
+
+libyaml (0.1.2-1) unstable; urgency=low
+
+ * New upstream version 0.1.2.
+ + Fixed grammar in error messages (from YAML::XS::LibYAML).
+ + Rewritten whitespace detection in the scalar analyzer and block
+ scalar writers (ported from PyYAML).
+ + Fixed emitting folded scalars with trailing breaks; Forced emitting
+ of a document end indicator when there is a possibility of ambiguous
+ parsing.
+
+ -- Anders Kaseorg <andersk@mit.edu> Mon, 29 Dec 2008 21:10:48 -0500
+
+libyaml (0.1.1-1) unstable; urgency=low
+
+ * Initial release (Closes: #484381).
+
+ -- Anders Kaseorg <andersk@mit.edu> Tue, 10 Jun 2008 02:37:34 -0400
--- /dev/null
+Source: libyaml
+Section: libs
+Priority: optional
+Maintainer: Anders Kaseorg <andersk@mit.edu>
+Build-Depends: autotools-dev,
+ debhelper (>= 8.1.3~),
+ cdbs (>= 0.4.93~)
+Standards-Version: 3.9.2
+Homepage: http://pyyaml.org/wiki/LibYAML
+Vcs-Git: git://andersk.mit.edu/libyaml.git
+Vcs-Browser: http://andersk.mit.edu/gitweb/libyaml.git
+
+Package: libyaml-0-2
+Architecture: any
+Multi-Arch: same
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Pre-Depends: ${misc:Pre-Depends}
+Description: Fast YAML 1.1 parser and emitter library
+ LibYAML is a C library for parsing and emitting data in YAML 1.1, a
+ human-readable data serialization format.
+
+Package: libyaml-0-2-dbg
+Section: debug
+Priority: extra
+Architecture: any
+Multi-Arch: same
+Depends: ${misc:Depends}, libyaml-0-2 (= ${binary:Version})
+Description: Fast YAML 1.1 parser and emitter library (debugging symbols)
+ LibYAML is a C library for parsing and emitting data in YAML 1.1, a
+ human-readable data serialization format.
+ .
+ This package contains detached debuging symbols for the library found
+ in libyaml-0-2.
+
+Package: libyaml-dev
+Section: libdevel
+Architecture: any
+Multi-Arch: same
+Depends: ${misc:Depends}, libyaml-0-2 (= ${binary:Version})
+Description: Fast YAML 1.1 parser and emitter library (development)
+ LibYAML is a C library for parsing and emitting data in YAML 1.1, a
+ human-readable data serialization format.
+ .
+ This package contains development headers and static libraries.
--- /dev/null
+Source: libyaml
+Section: libs
+Priority: optional
+Maintainer: Anders Kaseorg <andersk@mit.edu>
+Build-Depends: @cdbs@
+Standards-Version: 3.9.2
+Homepage: http://pyyaml.org/wiki/LibYAML
+Vcs-Git: git://andersk.mit.edu/libyaml.git
+Vcs-Browser: http://andersk.mit.edu/gitweb/libyaml.git
+
+Package: libyaml-0-2
+Architecture: any
+Multi-Arch: same
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Pre-Depends: ${misc:Pre-Depends}
+Description: Fast YAML 1.1 parser and emitter library
+ LibYAML is a C library for parsing and emitting data in YAML 1.1, a
+ human-readable data serialization format.
+
+Package: libyaml-0-2-dbg
+Section: debug
+Priority: extra
+Architecture: any
+Multi-Arch: same
+Depends: ${misc:Depends}, libyaml-0-2 (= ${binary:Version})
+Description: Fast YAML 1.1 parser and emitter library (debugging symbols)
+ LibYAML is a C library for parsing and emitting data in YAML 1.1, a
+ human-readable data serialization format.
+ .
+ This package contains detached debuging symbols for the library found
+ in libyaml-0-2.
+
+Package: libyaml-dev
+Section: libdevel
+Architecture: any
+Multi-Arch: same
+Depends: ${misc:Depends}, libyaml-0-2 (= ${binary:Version})
+Description: Fast YAML 1.1 parser and emitter library (development)
+ LibYAML is a C library for parsing and emitting data in YAML 1.1, a
+ human-readable data serialization format.
+ .
+ This package contains development headers and static libraries.
--- /dev/null
+This package was debianized by Anders Kaseorg <andersk@mit.edu> on
+Mon, 02 Jun 2008 05:16:28 -0400.
+
+It was downloaded from <http://pyyaml.org/wiki/LibYAML>
+
+Upstream Author:
+
+ Kirill Simonov <xi@resolvent.net>
+
+Copyright:
+
+ Copyright (c) 2006 Kirill Simonov
+
+License:
+
+ Permission is hereby granted, free of charge, to any person
+ obtaining a copy of this software and associated documentation
+ files (the "Software"), to deal in the Software without
+ restriction, including without limitation the rights to use, copy,
+ modify, merge, publish, distribute, sublicense, and/or sell copies
+ of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+
+ The above copyright notice and this permission notice shall be
+ included in all copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ DEALINGS IN THE SOFTWARE.
+
+The Debian packaging is released to the public domain.
--- /dev/null
+usr/lib/*/*.so.*
--- /dev/null
+usr/include/*
+usr/lib/*/*.a
+usr/lib/*/*.so
+usr/lib/*/pkgconfig/*
--- /dev/null
+Description: Guard against overflows in indent and flow_level
+Origin: upstream, https://bitbucket.org/xi/libyaml/commits/f859ed1eb757a3562b98a28a8ce69274bfd4b3f2,
+ https://bitbucket.org/xi/libyaml/commits/af3599437a87162554787c52d8b16eab553f537b
+Last-Update: 2014-02-10
+Applied-Upstream: 0.1.5
+
+--- a/src/scanner.c
++++ b/src/scanner.c
+@@ -615,11 +615,11 @@
+ */
+
+ static int
+-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
+- int number, yaml_token_type_t type, yaml_mark_t mark);
++yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
++ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark);
+
+ static int
+-yaml_parser_unroll_indent(yaml_parser_t *parser, int column);
++yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column);
+
+ /*
+ * Token fetchers.
+@@ -1103,7 +1103,7 @@
+ */
+
+ int required = (!parser->flow_level
+- && parser->indent == (int)parser->mark.column);
++ && parser->indent == (ptrdiff_t)parser->mark.column);
+
+ /*
+ * A simple key is required only when it is the first token in the current
+@@ -1176,6 +1176,11 @@
+
+ /* Increase the flow level. */
+
++ if (parser->flow_level == INT_MAX) {
++ parser->error = YAML_MEMORY_ERROR;
++ return 0;
++ }
++
+ parser->flow_level++;
+
+ return 1;
+@@ -1206,8 +1211,8 @@
+ */
+
+ static int
+-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
+- int number, yaml_token_type_t type, yaml_mark_t mark)
++yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
++ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark)
+ {
+ yaml_token_t token;
+
+@@ -1226,6 +1231,11 @@
+ if (!PUSH(parser, parser->indents, parser->indent))
+ return 0;
+
++ if (column > INT_MAX) {
++ parser->error = YAML_MEMORY_ERROR;
++ return 0;
++ }
++
+ parser->indent = column;
+
+ /* Create a token and insert it into the queue. */
+@@ -1254,7 +1264,7 @@
+
+
+ static int
+-yaml_parser_unroll_indent(yaml_parser_t *parser, int column)
++yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column)
+ {
+ yaml_token_t token;
+
+--- a/src/yaml_private.h
++++ b/src/yaml_private.h
+@@ -7,6 +7,7 @@
+
+ #include <assert.h>
+ #include <limits.h>
++#include <stddef.h>
+
+ /*
+ * Memory management.
--- /dev/null
+Description: CVE-2013-6393: yaml_parser-{un,}roll-indent: fix int overflow in column argument
+ This expands upon the original indent column overflow patch from
+ comment #12.
+ .
+ The default parser indention is represented as an indention of -1.
+ The original patch only modified the type of the column parameter to
+ the roll/unroll functions, changing it from int to size_t to guard
+ against integer overflow. However, there are code paths that call
+ yaml_parser_unroll_indent with a column of -1 in order to reset the
+ parser back to the initial indention. Since the column is now of
+ type size_t and thus unsigned, passing a column value of -1 caused
+ the column to underflow in this case.
+ .
+ This new patch modifies the roll/unroll functions to handle the -1
+ indent as a special case. In addition, it adds a new function,
+ yaml_parser_reset_indent. It is nearly an exact copy of
+ yaml_parser_unroll_indent, except it does not take a column
+ parameter. Instead it unrolls to a literal -1 indention, which does
+ not suffer from the underflow.
+ .
+ Code paths that previously called yaml_parser_unroll_indent with a
+ column of -1 are updated to call the new yaml_parser_reset_indent
+ function instead.
+ .
+ With this patch instead of the original:
+ .
+ - `make check` still passes
+ .
+ - The reproducer script completes successfully with exit code 0
+ .
+ - The issue raised by John Haxby has been corrected and exits with SUCCESS
+Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076
+Last-Update: 2014-01-29
+---
+# HG changeset patch
+# User John Eckersberg <jeckersb@redhat.com>
+# Date 1390870108 18000
+# Mon Jan 27 19:48:28 2014 -0500
+# Node ID 7179aa474f31e73834adda26b77bfc25bfe5143d
+# Parent 3e6507fa0c26d20c09f8f468f2bd04aa2fd1b5b5
+yaml_parser-{un,}roll-indent: fix int overflow in column argument
+
+diff -r 3e6507fa0c26 -r 7179aa474f31 src/scanner.c
+--- a/src/scanner.c Mon Dec 24 03:51:32 2012 +0000
++++ b/src/scanner.c Mon Jan 27 19:48:28 2014 -0500
+@@ -615,11 +615,14 @@
+ */
+
+ static int
+-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
++yaml_parser_roll_indent(yaml_parser_t *parser, size_t column,
+ int number, yaml_token_type_t type, yaml_mark_t mark);
+
+ static int
+-yaml_parser_unroll_indent(yaml_parser_t *parser, int column);
++yaml_parser_unroll_indent(yaml_parser_t *parser, size_t column);
++
++static int
++yaml_parser_reset_indent(yaml_parser_t *parser);
+
+ /*
+ * Token fetchers.
+@@ -1206,7 +1209,7 @@
+ */
+
+ static int
+-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
++yaml_parser_roll_indent(yaml_parser_t *parser, size_t column,
+ int number, yaml_token_type_t type, yaml_mark_t mark)
+ {
+ yaml_token_t token;
+@@ -1216,7 +1219,7 @@
+ if (parser->flow_level)
+ return 1;
+
+- if (parser->indent < column)
++ if (parser->indent == -1 || parser->indent < column)
+ {
+ /*
+ * Push the current indentation level to the stack and set the new
+@@ -1254,7 +1257,7 @@
+
+
+ static int
+-yaml_parser_unroll_indent(yaml_parser_t *parser, int column)
++yaml_parser_unroll_indent(yaml_parser_t *parser, size_t column)
+ {
+ yaml_token_t token;
+
+@@ -1263,6 +1266,15 @@
+ if (parser->flow_level)
+ return 1;
+
++ /*
++ * column is unsigned and parser->indent is signed, so if
++ * parser->indent is less than zero the conditional in the while
++ * loop below is incorrect. Guard against that.
++ */
++
++ if (parser->indent < 0)
++ return 1;
++
+ /* Loop through the intendation levels in the stack. */
+
+ while (parser->indent > column)
+@@ -1283,6 +1295,41 @@
+ }
+
+ /*
++ * Pop indentation levels from the indents stack until the current
++ * level resets to -1. For each intendation level, append the
++ * BLOCK-END token.
++ */
++
++static int
++yaml_parser_reset_indent(yaml_parser_t *parser)
++{
++ yaml_token_t token;
++
++ /* In the flow context, do nothing. */
++
++ if (parser->flow_level)
++ return 1;
++
++ /* Loop through the intendation levels in the stack. */
++
++ while (parser->indent > -1)
++ {
++ /* Create a token and append it to the queue. */
++
++ TOKEN_INIT(token, YAML_BLOCK_END_TOKEN, parser->mark, parser->mark);
++
++ if (!ENQUEUE(parser, parser->tokens, token))
++ return 0;
++
++ /* Pop the indentation level. */
++
++ parser->indent = POP(parser, parser->indents);
++ }
++
++ return 1;
++}
++
++/*
+ * Initialize the scanner and produce the STREAM-START token.
+ */
+
+@@ -1338,7 +1385,7 @@
+
+ /* Reset the indentation level. */
+
+- if (!yaml_parser_unroll_indent(parser, -1))
++ if (!yaml_parser_reset_indent(parser))
+ return 0;
+
+ /* Reset simple keys. */
+@@ -1369,7 +1416,7 @@
+
+ /* Reset the indentation level. */
+
+- if (!yaml_parser_unroll_indent(parser, -1))
++ if (!yaml_parser_reset_indent(parser))
+ return 0;
+
+ /* Reset simple keys. */
+@@ -1407,7 +1454,7 @@
+
+ /* Reset the indentation level. */
+
+- if (!yaml_parser_unroll_indent(parser, -1))
++ if (!yaml_parser_reset_indent(parser))
+ return 0;
+
+ /* Reset simple keys. */
--- /dev/null
+Description: CVE-2013-6393: yaml_stack_extend: guard against integer overflow
+ This is a hardening patch also from Florian Weimer
+ <fweimer@redhat.com>. It is not required to fix this CVE however it
+ improves the robustness of the code against future issues by avoiding
+ large node ID's in a central place.
+Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076
+Last-Update: 2014-01-29
+---
+# HG changeset patch
+# User Florian Weimer <fweimer@redhat.com>
+# Date 1389274355 -3600
+# Thu Jan 09 14:32:35 2014 +0100
+# Node ID 034d7a91581ac930e5958683f1a06f41e96d24a2
+# Parent a54d7af707f25dc298a7be60fd152001d2b3035b
+yaml_stack_extend: guard against integer overflow
+
+diff --git a/src/api.c b/src/api.c
+--- a/src/api.c
++++ b/src/api.c
+@@ -117,7 +117,12 @@
+ YAML_DECLARE(int)
+ yaml_stack_extend(void **start, void **top, void **end)
+ {
+- void *new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
++ void *new_start;
++
++ if ((char *)*end - (char *)*start >= INT_MAX / 2)
++ return 0;
++
++ new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
+
+ if (!new_start) return 0;
+
--- /dev/null
+Description: CVE-2013-6393: yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow
+ This is a proposed patch from Florian Weimer <fweimer@redhat.com> for
+ the string overflow issue. It has been ack'd by upstream.
+Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076
+Last-Update: 2014-01-29
+---
+# HG changeset patch
+# User Florian Weimer <fweimer@redhat.com>
+# Date 1389273500 -3600
+# Thu Jan 09 14:18:20 2014 +0100
+# Node ID a54d7af707f25dc298a7be60fd152001d2b3035b
+# Parent 3e6507fa0c26d20c09f8f468f2bd04aa2fd1b5b5
+yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow
+
+diff --git a/src/scanner.c b/src/scanner.c
+--- a/src/scanner.c
++++ b/src/scanner.c
+@@ -2574,7 +2574,7 @@
+
+ /* Resize the string to include the head. */
+
+- while (string.end - string.start <= (int)length) {
++ while ((size_t)(string.end - string.start) <= length) {
+ if (!yaml_string_extend(&string.start, &string.pointer, &string.end)) {
+ parser->error = YAML_MEMORY_ERROR;
+ goto error;
--- /dev/null
+libyaml-string-overflow.patch
+libyaml-node-id-hardening.patch
+libyaml-guard-against-overflows-in-indent-and-flow_level.patch
--- /dev/null
+#!/usr/bin/make -f
+
+include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/class/autotools.mk
+
+CDBS_BUILD_DEPENDS += , cdbs (>= 0.4.93~) # for $(DEB_HOST_MULTIARCH)
+
+# Debhelper 9 isn’t released yet
+CDBS_BUILD_DEPENDS_rules_debhelper_v9 = debhelper (>= 8.1.3~)
+
+# dh_buildinfo fails at multiarch: http://bugs.debian.org/620104
+CDBS_BUILD_DEPENDS_rules_debhelper_buildinfo =
+
+DEB_CONFIGURE_EXTRA_FLAGS += --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH)
+DEB_DH_INSTALL_SOURCEDIR = $(DEB_DESTDIR)
+DEB_DBG_PACKAGE_libyaml-0-2 = libyaml-0-2-dbg
--- /dev/null
+package-needs-versioned-debhelper-build-depends 9
--- /dev/null
+3.0 (quilt)
--- /dev/null
+version=3
+http://pyyaml.org/download/libyaml/yaml-(.*)\.tar\.gz
andersk / libyaml.git / commitdiff
