debian/0000775000000000000000000000000012455001663007172 5ustar debian/rules0000775000000000000000000000003612314622233010245 0ustar #!/usr/bin/make -f %: dh $@ debian/copyright0000664000000000000000000000665012314622233011130 0ustar Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: YAML-LibYAML Upstream-Contact: Ingy döt Net Source: https://metacpan.org/release/YAML-LibYAML Files: * Copyright: 2007-2013, Ingy döt Net License: Artistic or GPL-1+ Files: inc/Module/* Copyright: 2002-2012, Adam Kennedy 2002-2012, Audrey Tang 2002-2012, Brian Ingerson License: Artistic or GPL-1+ Files: inc/Spiffy.pm Copyright: 2006, Ingy döt Net 2004, Brian Ingerson License: Artistic or GPL-1+ Files: inc/Test/Base.pm inc/Test/Base/* Copyright: 2005-2009, Brian Ingerson License: Artistic or GPL-1+ Files: inc/Test/More.pm Copyright: 2001-2008, Michael G Schwern License: Artistic or GPL-1+ Files: inc/Test/Builder.pm inc/Test/Builder/* Copyright: 2002-2008, chromatic 2002-2008, Michael G Schwern License: Artistic or GPL-1+ Files: LibYAML/ppport.h Copyright: 2004-2009, Marcus Holland-Moritz 2001, Paul Marquess (Version 2.x) 1999, Kenneth Albanowski (Version 1.x) License: Artistic or GPL-1+ Files: LibYAML/api.c LibYAML/config.h LibYAML/dumper.c LibYAML/emitter.c LibYAML/loader.c LibYAML/parser.c LibYAML/reader.c LibYAML/scanner.c LibYAML/writer.c LibYAML/yaml.h LibYAML/yaml_private.h Copyright: 2006, Kirill Simonov License: Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: . 
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. . THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Files: debian/* Copyright: 2009, Ryan Niebur 2010, Jonathan Yu 2010, Krzysztof Krzyżaniak (eloy) 2011-2013, gregor herrmann 2012, Julián Moreno Patiño License: Artistic or GPL-1+ License: Artistic This program is free software; you can redistribute it and/or modify it under the terms of the Artistic License, which comes with Perl. . On Debian systems, the complete text of the Artistic License can be found in `/usr/share/common-licenses/Artistic'. License: GPL-1+ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 1, or (at your option) any later version. . On Debian systems, the complete text of version 1 of the GNU General Public License can be found in `/usr/share/common-licenses/GPL-1'. debian/changelog0000664000000000000000000001344612455001662011053 0ustar libyaml-libyaml-perl (0.41-5ubuntu0.14.04.1) trusty-security; urgency=medium * SECURITY UPDATE: denial of service via triggered assertion - debian/patches/CVE-2014-9130.patch: remove assertion - CVE-2014-9130 -- Steve Beattie Thu, 08 Jan 2015 17:58:26 -0800 libyaml-libyaml-perl (0.41-5) unstable; urgency=high * Team upload. [ gregor herrmann ] * Strip trailing slash from metacpan URLs. [ Salvatore Bonaccorso ] * Add CVE-2014-2525.patch patch. CVE-2014-2525: Heap overflow when parsing YAML tags. 
The heap overflow is caused by not properly expanding a string before writing to it in function yaml_parser_scan_uri_escapes in scanner.c. -- Salvatore Bonaccorso Sun, 23 Mar 2014 08:32:24 +0100 libyaml-libyaml-perl (0.41-4) unstable; urgency=medium * Team upload. * Add libyaml-string-overflow.patch patch. Addresses CVE-2013-6393 for the LibYAML embedded copy in YAML::LibYAML. * Add libyaml-node-id-hardening.patch patch. Guard against integer overflow. * Add libyaml-guard-against-overflows-in-indent-and-flow_level.patch patch. Guard against overflows in indent and flow_level. -- Salvatore Bonaccorso Sun, 23 Feb 2014 22:28:32 +0100 libyaml-libyaml-perl (0.41-3) unstable; urgency=medium * Team upload. * Revert applying libyaml-node-id-hardening.patch patch, libyaml-indent-column-overflow-v2.patch and libyaml-string-overflow.patch patch as this uncovered a regression on libyaml's side, discovered when rebuilding the packages with build-dependency on libyaml-libyaml-perl. -- Salvatore Bonaccorso Mon, 10 Feb 2014 16:16:32 +0100 libyaml-libyaml-perl (0.41-2) unstable; urgency=medium * Team upload. * Add libyaml-string-overflow.patch patch. Addresses CVE-2013-6393 for the LibYAML embedded copy in YAML::LibYAML. * Add libyaml-indent-column-overflow-v2.patch. Addresses regression for the initial patch for CVE-2013-6393. * Add libyaml-node-id-hardening.patch patch. Guard against integer overflow. * Declare compliance with Debian Policy 3.9.5 -- Salvatore Bonaccorso Sun, 09 Feb 2014 00:16:03 +0100 libyaml-libyaml-perl (0.41-1) unstable; urgency=low [ Salvatore Bonaccorso ] * Change Vcs-Git to canonical URI (git://anonscm.debian.org) * Change search.cpan.org based URIs to metacpan.org based URIs [ gregor herrmann ] * New upstream release. * Update years of copyright. * Add patch to disable maintainer helper script. * Drop build dependency on not (yet) used libyaml-dev. * Declare compliance with Debian Policy 3.9.4. 
-- gregor herrmann Fri, 11 Oct 2013 18:37:51 +0200 libyaml-libyaml-perl (0.38-3) unstable; urgency=low * Document copyright and license for embedded libyaml. Thanks to Niko Tyni for spotting. (Closes: #664196) * Bump debhelper build dependency to 9.20120312 to get all hardening flags. * Fix a grammatical error in the long description. -- gregor herrmann Fri, 16 Mar 2012 21:49:42 +0100 libyaml-libyaml-perl (0.38-2) unstable; urgency=medium * Team upload. [ Julián Moreno Patiño ] * Enable hardening flags. (Closes: #661548) + Switch compat level 8 to 9. + Add fix_ftbfs_hardening_flags.diff patch. + Bump debhelper version to 9. * Bump Standards-Version to 3.9.3. + Update to DEP5 copyright-format 1.0. + Add /me to debian copyright. [ Niko Tyni ] * Note that this fixes CVE-2012-1152. * Upload at urgency=medium -- Niko Tyni Sat, 10 Mar 2012 08:57:07 +0200 libyaml-libyaml-perl (0.38-1) unstable; urgency=low * New upstream release. * Update copyright years. -- gregor herrmann Tue, 10 Jan 2012 19:09:44 +0100 libyaml-libyaml-perl (0.37-1) unstable; urgency=low [ Ansgar Burchardt ] * debian/control: Convert Vcs-* fields to Git. [ Salvatore Bonaccorso ] * debian/copyright: Replace DEP5 Format-Specification URL from svn.debian.org to anonscm.debian.org URL. [ gregor herrmann ] * New upstream release. * Update copyright years for inc/Module/*. * Add /me to Uploaders. -- gregor herrmann Sat, 01 Oct 2011 17:23:11 +0200 libyaml-libyaml-perl (0.35-1) unstable; urgency=low * Team upload. * New upstream release * debian/copyright: - Update copyright years. - Explicitly point to GPL-1 license text in common-licenses. - Refer to Debian systems in general instead of only Debian GNU/Linux systems. * Bump Debhelper compat level to 8. * debian/control: Bump versioned Build-Depends on debhelper to (>= 8). * Bump Standards-Version to 3.9.2. 
-- Salvatore Bonaccorso Fri, 15 Apr 2011 22:41:15 +0200 libyaml-libyaml-perl (0.34-1) unstable; urgency=low * New upstream release * Update Standards-Version to 3.9.1 (no changes) * Added me to Uploaders (debian/control) and debian/copyright file -- Krzysztof Krzyżaniak (eloy) Fri, 24 Sep 2010 17:35:42 +0200 libyaml-libyaml-perl (0.33-1) unstable; urgency=low [ Jonathan Yu ] * New upstream release (Closes: #578629). * This version has fixes for Perl 5.12 * Use new 3.0 (quilt) source format * Use new DEP5 copyright format * Rewrite control description * Standards-Version 3.8.4 (drop perl version dep) * Add myself to Uploaders and Copyright [ Nathan Handler ] * debian/watch: Update to ignore development releases. [ Ryan Niebur ] * Update ryan52's email address [ gregor herrmann ] * debian/copyright: update years of upstream copyright. -- Jonathan Yu Sun, 02 May 2010 10:52:35 -0400 libyaml-libyaml-perl (0.32-1) unstable; urgency=low * Initial Release. (Closes: #531150) -- Ryan Niebur Mon, 01 Jun 2009 02:17:22 -0700 debian/control0000664000000000000000000000226012453632736010606 0ustar Source: libyaml-libyaml-perl Section: perl Priority: optional Build-Depends: debhelper (>= 9.20120312), perl Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Debian Perl Group Uploaders: Ryan Niebur , Jonathan Yu , Krzysztof Krzyżaniak (eloy) , gregor herrmann Standards-Version: 3.9.5 Homepage: https://metacpan.org/release/YAML-LibYAML Vcs-Git: git://anonscm.debian.org/pkg-perl/packages/libyaml-libyaml-perl.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libyaml-libyaml-perl.git Package: libyaml-libyaml-perl Architecture: any Depends: ${misc:Depends}, ${perl:Depends}, ${shlibs:Depends} Description: Perl interface to libyaml, a YAML implementation YAML::LibYAML (or YAML::XS) is a Perl interface to Kirill Siminov's libyaml library, a YAML Ain't Markup Language (YAML) implementation written in C to support the YAML 1.1 specification. 
The provided Dump and Load routines are compatible with the Perl YAML module (see libyaml-perl). debian/patches/0000775000000000000000000000000012453632657010634 5ustar debian/patches/CVE-2014-9130.patch0000664000000000000000000000253512453632657013255 0ustar Description: Remove invalid simple key assertion CVE-2014-9130: denial-of-service/application crash with untrusted yaml input Origin: upstream, https://bitbucket.org/xi/libyaml/commits/2b9156756423e967cfd09a61d125d883fca6f4f2 Bug: https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure Bug-Debian: https://bugs.debian.org/771365 Forwarded: no Author: Salvatore Bonaccorso Last-Update: 2014-11-29 --- a/LibYAML/scanner.c +++ b/LibYAML/scanner.c @@ -1106,13 +1106,6 @@ yaml_parser_save_simple_key(yaml_parser_ && parser->indent == (ptrdiff_t)parser->mark.column); /* - * A simple key is required only when it is the first token in the current - * line. Therefore it is always allowed. But we add a check anyway. - */ - - assert(parser->simple_key_allowed || !required); /* Impossible. */ - - /* * If the current position may start a simple key, save it. */ --- a/t/error.t +++ b/t/error.t @@ -1,4 +1,4 @@ -use t::TestYAMLTests tests => 24; +use t::TestYAMLTests tests => 25; filters { error => ['lines', 'chomp'], 
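Review bot: In the `@@ -1106,13 +1106,6 @@` hunk of LibYAML/scanner.c, the deleted block took its explanatory comment with it, so nothing in yaml_parser_save_simple_key now records that `required` can be true while `parser->simple_key_allowed` is false. The old comment called that state impossible, but the test case this same patch adds to t/error.t reaches it from input. A replacement comment above the remaining block would keep a later maintainer from restoring the assert, for example `/* A required simple key can arrive while simple keys are not allowed (untrusted input); it is not saved here and the parser reports "did not find expected key". */`. The function starts and ends outside the hunk, so the later handling is inferred from the expected error in the test rather than visible here.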
@@ -78,3 +78,10 @@ bad tag found for hash: 'tag:yaml.org,2002:!foo' document: 1 !line: !column: + +=== https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure ++++ yaml + x: " +" y: z ++++ error +did not find expected key debian/patches/libyaml-string-overflow.patch0000664000000000000000000000206212314622233016434 0ustar Description: CVE-2013-6393: yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow This is a proposed patch from Florian Weimer for the string overflow issue. It has been ack'd by upstream. Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 Last-Update: 2014-01-29 --- # HG changeset patch # User Florian Weimer # Date 1389273500 -3600 # Thu Jan 09 14:18:20 2014 +0100 # Node ID a54d7af707f25dc298a7be60fd152001d2b3035b # Parent 3e6507fa0c26d20c09f8f468f2bd04aa2fd1b5b5 yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow --- a/LibYAML/scanner.c +++ b/LibYAML/scanner.c @@ -2574,7 +2574,7 @@ /* Resize the string to include the head. */ - while (string.end - string.start <= (int)length) { + while ((size_t)(string.end - string.start) <= length) { if (!yaml_string_extend(&string.start, &string.pointer, &string.end)) { parser->error = YAML_MEMORY_ERROR; goto error; debian/patches/series0000664000000000000000000000033412453632660012043 0ustar fix_ftbfs_hardening_flags.diff disable-update.sh.patch libyaml-string-overflow.patch libyaml-node-id-hardening.patch libyaml-guard-against-overflows-in-indent-and-flow_level.patch CVE-2014-2525.patch CVE-2014-9130.patch debian/patches/fix_ftbfs_hardening_flags.diff0000664000000000000000000000227212314622233016617 0ustar Description: Fix ftbfs with hardening flags (CVE-2012-1152) Forwarded: https://rt.cpan.org/Ticket/Display.html?id=75365 Author: Julián Moreno Patiño Last-Update: 2012-02-28 --- a/LibYAML/perl_libyaml.c +++ b/LibYAML/perl_libyaml.c 
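Review bot: The corrected loop condition in LibYAML/scanner.c (`@@ -2574,7 +2574,7 @@`) has no comment explaining why the comparison is done in `size_t`, which is the whole of the CVE-2013-6393 fix. A line above the `while`, such as `/* compare as size_t: the old (int)length cast could truncate a long head and skip the resize */`, would keep the cast from being simplified away later. The cast is sound only while `string.end >= string.start`, which is assumed here and not visible in the hunk; the enclosing function starts and ends outside it.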
@@ -188,7 +188,7 @@ return; load_error: - croak(loader_error_msg(&loader, NULL)); + croak("%s", loader_error_msg(&loader, NULL)); } /* @@ -271,7 +271,7 @@ return return_sv; load_error: - croak(loader_error_msg(loader, NULL)); + croak("%s", loader_error_msg(loader, NULL)); } /* @@ -313,7 +313,7 @@ } else if (strlen(tag) <= strlen(prefix) || ! strnEQ(tag, prefix, strlen(prefix)) - ) croak( + ) croak("%s", loader_error_msg(loader, form("bad tag found for hash: '%s'", tag)) ); class = tag + strlen(prefix); @@ -346,7 +346,7 @@ prefix = "!"; else if (strlen(tag) <= strlen(prefix) || ! strnEQ(tag, prefix, strlen(prefix)) - ) croak( + ) croak("%s", loader_error_msg(loader, form("bad tag found for array: '%s'", tag)) ); class = tag + strlen(prefix); debian/patches/disable-update.sh.patch0000664000000000000000000000075212314622233015136 0ustar Description: disable maintainer helper script Origin: vendor Forwarded: not-needed Author: gregor herrmann Last-Update: 2013-10-11 --- a/LibYAML/Makefile.PL +++ b/LibYAML/Makefile.PL 
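Review bot: The four `croak("%s", ...)` call sites in LibYAML/perl_libyaml.c (hunks at 188, 271, 313 and 346) carry no comment saying why the literal format is there, and in the two `bad tag found` cases the message includes the tag taken from the YAML input. A one-line comment at the first site, for example `/* message contains input-derived text; never pass it as the format string */`, would stop a later cleanup from folding the argument back into the format position. How `loader_error_msg` formats its second argument is not visible in these hunks and is worth checking in the same pass. Each enclosing function starts and ends outside its hunk.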
@@ -2,10 +2,10 @@ use strict; use Config; -if (-d '../.git') { - system("./update.sh") == 0 - or die "update.sh failed"; -} +#if (-d '../.git') { +# system("./update.sh") == 0 +# or die "update.sh failed"; +#} my $obj_files = join ' ', map { my $c = $_; debian/patches/libyaml-node-id-hardening.patch0000664000000000000000000000225412314622233016544 0ustar Description: CVE-2013-6393: yaml_stack_extend: guard against integer overflow This is a hardening patch also from Florian Weimer . It is not required to fix this CVE however it improves the robustness of the code against future issues by avoiding large node ID's in a central place. Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 Last-Update: 2014-01-29 --- # HG changeset patch # User Florian Weimer # Date 1389274355 -3600 # Thu Jan 09 14:32:35 2014 +0100 # Node ID 034d7a91581ac930e5958683f1a06f41e96d24a2 # Parent a54d7af707f25dc298a7be60fd152001d2b3035b yaml_stack_extend: guard against integer overflow diff --git a/src/api.c b/src/api.c --- a/LibYAML/api.c +++ b/LibYAML/api.c @@ -117,7 +117,12 @@ YAML_DECLARE(int) yaml_stack_extend(void **start, void **top, void **end) { - void *new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2); + void *new_start; + + if ((char *)*end - (char *)*start >= INT_MAX / 2) + return 0; + + new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2); if (!new_start) return 0; debian/patches/libyaml-guard-against-overflows-in-indent-and-flow_level.patch0000664000000000000000000000444312314622233024623 0ustar Description: Guard against overflows in indent and flow_level Origin: upstream, https://bitbucket.org/xi/libyaml/commits/f859ed1eb757a3562b98a28a8ce69274bfd4b3f2, https://bitbucket.org/xi/libyaml/commits/af3599437a87162554787c52d8b16eab553f537b Last-Update: 2014-02-10 Applied-Upstream: 0.1.5 --- a/LibYAML/scanner.c +++ b/LibYAML/scanner.c 
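Review bot: The commented-out block in LibYAML/Makefile.PL (`@@ -2,10 +2,10 @@`) stays in the file with no indication of why it is disabled; the reason exists only in the patch header. Either delete the four lines outright or put a line such as `# Debian: maintainer helper script disabled (see debian/patches/disable-update.sh.patch)` above them, so the intent travels with the code.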
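Review bot: The guard added to yaml_stack_extend (LibYAML/api.c, `@@ -117,7 +117,12 @@`) uses `INT_MAX`, but this patch adds no include that declares it. The only include addition visible in the series is the one to LibYAML/yaml_private.h in libyaml-guard-against-overflows-in-indent-and-flow_level.patch, which debian/patches/series applies after this patch; the header name in that hunk was lost in extraction and is presumably `limits.h`. Unless api.c already gets that header another way, this patch builds only with the later one applied, and adding `#include <limits.h>` to api.c here would make it self-contained. The `INT_MAX / 2` bound is also a policy cap rather than the `size_t` overflow limit, which a comment such as `/* cap the stack so node ids stay within int */` would record. The function continues past the end of the hunk.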
@@ -615,11 +615,11 @@ */ static int -yaml_parser_roll_indent(yaml_parser_t *parser, int column, - int number, yaml_token_type_t type, yaml_mark_t mark); +yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column, + ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark); static int -yaml_parser_unroll_indent(yaml_parser_t *parser, int column); +yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column); /* * Token fetchers. @@ -1103,7 +1103,7 @@ */ int required = (!parser->flow_level - && parser->indent == (int)parser->mark.column); + && parser->indent == (ptrdiff_t)parser->mark.column); /* * A simple key is required only when it is the first token in the current @@ -1176,6 +1176,11 @@ /* Increase the flow level. */ + if (parser->flow_level == INT_MAX) { + parser->error = YAML_MEMORY_ERROR; + return 0; + } + parser->flow_level++; return 1; @@ -1206,8 +1211,8 @@ */ static int -yaml_parser_roll_indent(yaml_parser_t *parser, int column, - int number, yaml_token_type_t type, yaml_mark_t mark) +yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column, + ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark) { yaml_token_t token; @@ -1226,6 +1231,11 @@ if (!PUSH(parser, parser->indents, parser->indent)) return 0; + if (column > INT_MAX) { + parser->error = YAML_MEMORY_ERROR; + return 0; + } + parser->indent = column; /* Create a token and insert it into the queue. */ @@ -1254,7 +1264,7 @@ static int -yaml_parser_unroll_indent(yaml_parser_t *parser, int column) +yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column) { yaml_token_t token; --- a/LibYAML/yaml_private.h +++ b/LibYAML/yaml_private.h 
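Review bot: In the `@@ -1226,6 +1231,11 @@` hunk of LibYAML/scanner.c, the new `column > INT_MAX` check sits after `PUSH(parser, parser->indents, parser->indent)`, so on rejection the old indent has already been pushed while `parser->indent` keeps its previous value. The parse is abandoned with an error at that point, so this is probably harmless, but placing the four added lines ahead of `if (!PUSH(parser, parser->indents, parser->indent))` leaves the indent stack untouched on failure. Both this check and the `parser->flow_level == INT_MAX` check in the `@@ -1176,6 +1176,11 @@` hunk report `YAML_MEMORY_ERROR` for what is a range limit, which deserves a comment such as `/* limit reached, not an allocation failure */`. yaml_parser_roll_indent starts and ends outside the hunk.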
@@ -7,6 +7,7 @@ #include #include +#include /* * Memory management. debian/patches/CVE-2014-2525.patch0000664000000000000000000000306312314622233013234 0ustar Description: CVE-2014-2525: Heap overflow when parsing YAML tags The heap overflow is caused by not properly expanding a string before writing to it in function yaml_parser_scan_uri_escapes in scanner.c. Origin: upstream Last-Update: 2014-03-23 --- a/LibYAML/scanner.c +++ b/LibYAML/scanner.c @@ -2629,6 +2629,9 @@ /* Check if it is a URI-escape sequence. */ if (CHECK(parser->buffer, '%')) { + if (!STRING_EXTEND(parser, string)) + goto error; + if (!yaml_parser_scan_uri_escapes(parser, directive, start_mark, &string)) goto error; } --- a/LibYAML/yaml_private.h +++ b/LibYAML/yaml_private.h @@ -133,9 +133,12 @@ (string).start = (string).pointer = (string).end = 0) #define STRING_EXTEND(context,string) \ - (((string).pointer+5 < (string).end) \ + ((((string).pointer+5 < (string).end) \ || yaml_string_extend(&(string).start, \ - &(string).pointer, &(string).end)) + &(string).pointer, &(string).end)) ? \ + 1 : \ + ((context)->error = YAML_MEMORY_ERROR, \ + 0)) #define CLEAR(context,string) \ ((string).pointer = (string).start, \ debian/watch0000664000000000000000000000016512314622233010221 0ustar version=3 https://metacpan.org/release/YAML-LibYAML .*/YAML-LibYAML-v?(\d[\d.-]+)\.(?:tar(?:\.gz|\.bz2)?|tgz|zip)$ debian/compat0000664000000000000000000000000212314622233010364 0ustar 9 debian/source/0000775000000000000000000000000012314622233010466 5ustar debian/source/format0000664000000000000000000000001412314622233011674 0ustar 3.0 (quilt)
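Review bot: The `STRING_EXTEND` call added before `yaml_parser_scan_uri_escapes` in LibYAML/scanner.c (`@@ -2629,6 +2629,9 @@`) reserves a fixed amount of room, and nothing at the call site says how many bytes the callee may write against it. Per the patch description the callee writes into the string without expanding it, so the fix is safe only if one call never appends more than the macro's slack. A comment stating that bound, for example `/* scan_uri_escapes appends without growing the string; STRING_EXTEND must leave room for one decoded character */`, would make the coupling explicit; the exact byte count needs confirming against the callee, which is not in this hunk.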
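Review bot: The capacity test kept in the rewritten `STRING_EXTEND` macro (LibYAML/yaml_private.h, `@@ -133,9 +133,12 @@`), `(string).pointer+5 < (string).end`, forms a pointer more than one element past the end of the buffer when fewer than five bytes remain, which C leaves undefined. Comparing the remaining length avoids that: `((string).end - (string).pointer > 5)`. The `5` is also unexplained; a named constant or a short comment tying it to the largest single append would help readers of the scanner.c call sites.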