From: Salvatore Bonaccorso
Date: Thu, 27 Mar 2014 05:22:25 +0000 (+0100)
Subject: Imported Debian patch 0.1.4-3.2
X-Git-Tag: debian/0.1.4-3.2^0
X-Git-Url: http://andersk.mit.edu/gitweb/libyaml.git/commitdiff_plain/0e9a9917daeb551cc752263943649dc7efad30e8

Imported Debian patch 0.1.4-3.2
---
diff --git a/debian/changelog b/debian/changelog
index 89e244d..3555978 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+libyaml (0.1.4-3.2) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Add CVE-2014-2525.patch patch.
+ CVE-2014-2525: Fixes heap overflow in yaml_parser_scan_uri_escapes.
+ The heap overflow is caused by not properly expanding a string before
+ writing to it in function yaml_parser_scan_uri_escapes in scanner.c.
+ (Closes: #742732)
+
+ -- Salvatore Bonaccorso Thu, 27 Mar 2014 06:22:25 +0100
+
 libyaml (0.1.4-3.1) unstable; urgency=medium
 
 * Non-maintainer upload.
diff --git a/debian/patches/CVE-2014-2525.patch b/debian/patches/CVE-2014-2525.patch
new file mode 100644
index 0000000..6708742
--- /dev/null
+++ b/debian/patches/CVE-2014-2525.patch
@@ -0,0 +1,37 @@
+Description: CVE-2014-2525: Fixes heap overflow in yaml_parser_scan_uri_escapes
+ The heap overflow is caused by not properly expanding a string before
+ writing to it in function yaml_parser_scan_uri_escapes in scanner.c.
+Origin: backport, https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048
+Author: Salvatore Bonaccorso
+Last-Update: 2014-03-20
+Applied-Upstream: 0.1.6
+
+--- a/src/scanner.c
++++ b/src/scanner.c
+@@ -2629,6 +2629,9 @@
+ /* Check if it is a URI-escape sequence. */
+
+ if (CHECK(parser->buffer, '%')) {
++ if (!STRING_EXTEND(parser, string))
++ goto error;
++
+ if (!yaml_parser_scan_uri_escapes(parser,
+ directive, start_mark, &string)) goto error;
+ }
+--- a/src/yaml_private.h
++++ b/src/yaml_private.h
+@@ -133,9 +133,12 @@
+ (string).start = (string).pointer = (string).end = 0)
+
+ #define STRING_EXTEND(context,string) \
+- (((string).pointer+5 < (string).end) \
++ ((((string).pointer+5 < (string).end) \
+ || yaml_string_extend(&(string).start, \
+- &(string).pointer, &(string).end))
++ &(string).pointer, &(string).end)) ? \
++ 1 : \
++ ((context)->error = YAML_MEMORY_ERROR, \
++ 0))
+
+ #define CLEAR(context,string) \
+ ((string).pointer = (string).start, \
diff --git a/debian/patches/series b/debian/patches/series
index 7729c4e..9db7dd5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 libyaml-string-overflow.patch
 libyaml-node-id-hardening.patch
 libyaml-guard-against-overflows-in-indent-and-flow_level.patch
+CVE-2014-2525.patch
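Review bot: The `STRING_EXTEND(parser, string)` inserted before the `yaml_parser_scan_uri_escapes` call in the scanner.c hunk only guarantees that more than five bytes remain (`(string).pointer+5 < (string).end`), and nothing at the call site records that this bound covers what the callee writes; the callee's per-call write width lies outside this hunk, so the `+5` in the macro and the callee's bound are coupled silently and a later change to either side would reintroduce the overflow the patch description names. I would add above the new check: `/* scan_uri_escapes writes the decoded octets without extending the string; reserve headroom for a whole escape sequence first. */`. In the yaml_private.h hunk the rewritten macro still forms `(string).pointer+5`, which, if `end` is the one-past-the-end pointer as the comparison suggests, can point several elements beyond the allocation when fewer than five bytes remain; `(string).end - (string).pointer > 5` expresses the same test as a difference that stays within the object. The enclosing loop in scanner.c and the macro block in yaml_private.h both start and end outside the hunk.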