From: Anders Kaseorg Date: Mon, 24 Feb 2014 02:53:20 +0000 (-0500) Subject: New upstream version 0.1.5 X-Git-Tag: debian/0.1.6-1~13 X-Git-Url: http://andersk.mit.edu/gitweb/libyaml.git/commitdiff_plain/678a07c9ec6a40ef81405e8db7153d354bac14c0 New upstream version 0.1.5 Signed-off-by: Anders Kaseorg --- diff --git a/debian/changelog b/debian/changelog index 89e244d..7f126d5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +libyaml (0.1.5-1) UNRELEASED; urgency=medium + + * New upstream version 0.1.5. + + Fix CVE-2013-6393: heap-based buffer overflow when parsing YAML + tags. + * Drop upstreamed patches. + + -- Anders Kaseorg Sun, 23 Feb 2014 21:48:49 -0500 + libyaml (0.1.4-3.1) unstable; urgency=medium * Non-maintainer upload. diff --git a/debian/patches/libyaml-guard-against-overflows-in-indent-and-flow_level.patch b/debian/patches/libyaml-guard-against-overflows-in-indent-and-flow_level.patch deleted file mode 100644 index 80849ab..0000000 --- a/debian/patches/libyaml-guard-against-overflows-in-indent-and-flow_level.patch +++ /dev/null @@ -1,86 +0,0 @@ -Description: Guard against overflows in indent and flow_level -Origin: upstream, https://bitbucket.org/xi/libyaml/commits/f859ed1eb757a3562b98a28a8ce69274bfd4b3f2, - https://bitbucket.org/xi/libyaml/commits/af3599437a87162554787c52d8b16eab553f537b -Last-Update: 2014-02-10 -Applied-Upstream: 0.1.5 - ---- a/src/scanner.c -+++ b/src/scanner.c -@@ -615,11 +615,11 @@ - */ - - static int --yaml_parser_roll_indent(yaml_parser_t *parser, int column, -- int number, yaml_token_type_t type, yaml_mark_t mark); -+yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column, -+ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark); - - static int --yaml_parser_unroll_indent(yaml_parser_t *parser, int column); -+yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column); - - /* - * Token fetchers. -@@ -1103,7 +1103,7 @@ - */ - - int required = (!parser->flow_level -- && parser->indent == (int)parser->mark.column); -+ && parser->indent == (ptrdiff_t)parser->mark.column); - - /* - * A simple key is required only when it is the first token in the current -@@ -1176,6 +1176,11 @@ - - /* Increase the flow level. */ - -+ if (parser->flow_level == INT_MAX) { -+ parser->error = YAML_MEMORY_ERROR; -+ return 0; -+ } -+ - parser->flow_level++; - - return 1; -@@ -1206,8 +1211,8 @@ - */ - - static int --yaml_parser_roll_indent(yaml_parser_t *parser, int column, -- int number, yaml_token_type_t type, yaml_mark_t mark) -+yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column, -+ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark) - { - yaml_token_t token; - -@@ -1226,6 +1231,11 @@ - if (!PUSH(parser, parser->indents, parser->indent)) - return 0; - -+ if (column > INT_MAX) { -+ parser->error = YAML_MEMORY_ERROR; -+ return 0; -+ } -+ - parser->indent = column; - - /* Create a token and insert it into the queue. */ -@@ -1254,7 +1264,7 @@ - - - static int --yaml_parser_unroll_indent(yaml_parser_t *parser, int column) -+yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column) - { - yaml_token_t token; - ---- a/src/yaml_private.h -+++ b/src/yaml_private.h -@@ -7,6 +7,7 @@ - - #include - #include -+#include - - /* - * Memory management. diff --git a/debian/patches/libyaml-indent-column-overflow-v2.patch b/debian/patches/libyaml-indent-column-overflow-v2.patch deleted file mode 100644 index 4bee5c2..0000000 --- a/debian/patches/libyaml-indent-column-overflow-v2.patch +++ /dev/null @@ -1,176 +0,0 @@ -Description: CVE-2013-6393: yaml_parser-{un,}roll-indent: fix int overflow in column argument - This expands upon the original indent column overflow patch from - comment #12. - . - The default parser indention is represented as an indention of -1. - The original patch only modified the type of the column parameter to - the roll/unroll functions, changing it from int to size_t to guard - against integer overflow. However, there are code paths that call - yaml_parser_unroll_indent with a column of -1 in order to reset the - parser back to the initial indention. Since the column is now of - type size_t and thus unsigned, passing a column value of -1 caused - the column to underflow in this case. - . - This new patch modifies the roll/unroll functions to handle the -1 - indent as a special case. In addition, it adds a new function, - yaml_parser_reset_indent. It is nearly an exact copy of - yaml_parser_unroll_indent, except it does not take a column - parameter. Instead it unrolls to a literal -1 indention, which does - not suffer from the underflow. - . - Code paths that previously called yaml_parser_unroll_indent with a - column of -1 are updated to call the new yaml_parser_reset_indent - function instead. - . - With this patch instead of the original: - . - - `make check` still passes - . - - The reproducer script completes successfully with exit code 0 - . - - The issue raised by John Haxby has been corrected and exits with SUCCESS -Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 -Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 -Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076 -Last-Update: 2014-01-29 ---- -# HG changeset patch -# User John Eckersberg -# Date 1390870108 18000 -# Mon Jan 27 19:48:28 2014 -0500 -# Node ID 7179aa474f31e73834adda26b77bfc25bfe5143d -# Parent 3e6507fa0c26d20c09f8f468f2bd04aa2fd1b5b5 -yaml_parser-{un,}roll-indent: fix int overflow in column argument - -diff -r 3e6507fa0c26 -r 7179aa474f31 src/scanner.c ---- a/src/scanner.c Mon Dec 24 03:51:32 2012 +0000 -+++ b/src/scanner.c Mon Jan 27 19:48:28 2014 -0500 -@@ -615,11 +615,14 @@ - */ - - static int --yaml_parser_roll_indent(yaml_parser_t *parser, int column, -+yaml_parser_roll_indent(yaml_parser_t *parser, size_t column, - int number, yaml_token_type_t type, yaml_mark_t mark); - - static int --yaml_parser_unroll_indent(yaml_parser_t *parser, int column); -+yaml_parser_unroll_indent(yaml_parser_t *parser, size_t column); -+ -+static int -+yaml_parser_reset_indent(yaml_parser_t *parser); - - /* - * Token fetchers. -@@ -1206,7 +1209,7 @@ - */ - - static int --yaml_parser_roll_indent(yaml_parser_t *parser, int column, -+yaml_parser_roll_indent(yaml_parser_t *parser, size_t column, - int number, yaml_token_type_t type, yaml_mark_t mark) - { - yaml_token_t token; -@@ -1216,7 +1219,7 @@ - if (parser->flow_level) - return 1; - -- if (parser->indent < column) -+ if (parser->indent == -1 || parser->indent < column) - { - /* - * Push the current indentation level to the stack and set the new -@@ -1254,7 +1257,7 @@ - - - static int --yaml_parser_unroll_indent(yaml_parser_t *parser, int column) -+yaml_parser_unroll_indent(yaml_parser_t *parser, size_t column) - { - yaml_token_t token; - -@@ -1263,6 +1266,15 @@ - if (parser->flow_level) - return 1; - -+ /* -+ * column is unsigned and parser->indent is signed, so if -+ * parser->indent is less than zero the conditional in the while -+ * loop below is incorrect. Guard against that. -+ */ -+ -+ if (parser->indent < 0) -+ return 1; -+ - /* Loop through the intendation levels in the stack. */ - - while (parser->indent > column) -@@ -1283,6 +1295,41 @@ - } - - /* -+ * Pop indentation levels from the indents stack until the current -+ * level resets to -1. For each intendation level, append the -+ * BLOCK-END token. -+ */ -+ -+static int -+yaml_parser_reset_indent(yaml_parser_t *parser) -+{ -+ yaml_token_t token; -+ -+ /* In the flow context, do nothing. */ -+ -+ if (parser->flow_level) -+ return 1; -+ -+ /* Loop through the intendation levels in the stack. */ -+ -+ while (parser->indent > -1) -+ { -+ /* Create a token and append it to the queue. */ -+ -+ TOKEN_INIT(token, YAML_BLOCK_END_TOKEN, parser->mark, parser->mark); -+ -+ if (!ENQUEUE(parser, parser->tokens, token)) -+ return 0; -+ -+ /* Pop the indentation level. */ -+ -+ parser->indent = POP(parser, parser->indents); -+ } -+ -+ return 1; -+} -+ -+/* - * Initialize the scanner and produce the STREAM-START token. - */ - -@@ -1338,7 +1385,7 @@ - - /* Reset the indentation level. */ - -- if (!yaml_parser_unroll_indent(parser, -1)) -+ if (!yaml_parser_reset_indent(parser)) - return 0; - - /* Reset simple keys. */ -@@ -1369,7 +1416,7 @@ - - /* Reset the indentation level. */ - -- if (!yaml_parser_unroll_indent(parser, -1)) -+ if (!yaml_parser_reset_indent(parser)) - return 0; - - /* Reset simple keys. */ -@@ -1407,7 +1454,7 @@ - - /* Reset the indentation level. */ - -- if (!yaml_parser_unroll_indent(parser, -1)) -+ if (!yaml_parser_reset_indent(parser)) - return 0; - - /* Reset simple keys. */ diff --git a/debian/patches/libyaml-node-id-hardening.patch b/debian/patches/libyaml-node-id-hardening.patch deleted file mode 100644 index 53b8aa8..0000000 --- a/debian/patches/libyaml-node-id-hardening.patch +++ /dev/null @@ -1,35 +0,0 @@ -Description: CVE-2013-6393: yaml_stack_extend: guard against integer overflow - This is a hardening patch also from Florian Weimer - . It is not required to fix this CVE however it - improves the robustness of the code against future issues by avoiding - large node ID's in a central place. -Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 -Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 -Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076 -Last-Update: 2014-01-29 ---- -# HG changeset patch -# User Florian Weimer -# Date 1389274355 -3600 -# Thu Jan 09 14:32:35 2014 +0100 -# Node ID 034d7a91581ac930e5958683f1a06f41e96d24a2 -# Parent a54d7af707f25dc298a7be60fd152001d2b3035b -yaml_stack_extend: guard against integer overflow - -diff --git a/src/api.c b/src/api.c ---- a/src/api.c -+++ b/src/api.c -@@ -117,7 +117,12 @@ - YAML_DECLARE(int) - yaml_stack_extend(void **start, void **top, void **end) - { -- void *new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2); -+ void *new_start; -+ -+ if ((char *)*end - (char *)*start >= INT_MAX / 2) -+ return 0; -+ -+ new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2); - - if (!new_start) return 0; - diff --git a/debian/patches/libyaml-string-overflow.patch b/debian/patches/libyaml-string-overflow.patch deleted file mode 100644 index e740e65..0000000 --- a/debian/patches/libyaml-string-overflow.patch +++ /dev/null @@ -1,28 +0,0 @@ -Description: CVE-2013-6393: yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow - This is a proposed patch from Florian Weimer for - the string overflow issue. It has been ack'd by upstream. -Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 -Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 -Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076 -Last-Update: 2014-01-29 ---- -# HG changeset patch -# User Florian Weimer -# Date 1389273500 -3600 -# Thu Jan 09 14:18:20 2014 +0100 -# Node ID a54d7af707f25dc298a7be60fd152001d2b3035b -# Parent 3e6507fa0c26d20c09f8f468f2bd04aa2fd1b5b5 -yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow - -diff --git a/src/scanner.c b/src/scanner.c ---- a/src/scanner.c -+++ b/src/scanner.c -@@ -2574,7 +2574,7 @@ - - /* Resize the string to include the head. */ - -- while (string.end - string.start <= (int)length) { -+ while ((size_t)(string.end - string.start) <= length) { - if (!yaml_string_extend(&string.start, &string.pointer, &string.end)) { - parser->error = YAML_MEMORY_ERROR; - goto error; diff --git a/debian/patches/series b/debian/patches/series deleted file mode 100644 index 7729c4e..0000000 --- a/debian/patches/series +++ /dev/null @@ -1,3 +0,0 @@ -libyaml-string-overflow.patch -libyaml-node-id-hardening.patch -libyaml-guard-against-overflows-in-indent-and-flow_level.patch