aboutsummaryrefslogtreecommitdiffstats
path: root/main/yaml
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2015-01-29 12:07:47 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2015-01-29 12:07:47 +0000
commitc26ee7ddc49f3aa15cd9e0ac6c85259d5c3f186e (patch)
treee64aa105be954ae515f37ac6e4f5af20a12dca42 /main/yaml
parent308b940dd2591bfa8b77bc28343ff6a266d77d31 (diff)
downloadaports-c26ee7ddc49f3aa15cd9e0ac6c85259d5c3f186e.tar.bz2
aports-c26ee7ddc49f3aa15cd9e0ac6c85259d5c3f186e.tar.xz
main/yaml: security fix for CVE-2014-9130
ref #3771
Diffstat (limited to 'main/yaml')
-rw-r--r--main/yaml/APKBUILD15
-rw-r--r--main/yaml/CVE-2014-9130.patch28
2 files changed, 38 insertions, 5 deletions
diff --git a/main/yaml/APKBUILD b/main/yaml/APKBUILD
index fc8d9caf5a..11291d77cc 100644
--- a/main/yaml/APKBUILD
+++ b/main/yaml/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=yaml
pkgver=0.1.6
-pkgrel=0
+pkgrel=1
pkgdesc="YAML 1.1 parser and emitter written in C"
url="http://pyyaml.org/wiki/LibYAML"
arch="all"
@@ -11,7 +11,9 @@ depends=""
makedepends=""
install=""
subpackages="$pkgname-dev"
-source="http://pyyaml.org/download/libyaml/yaml-$pkgver.tar.gz"
+source="http://pyyaml.org/download/libyaml/yaml-$pkgver.tar.gz
+ CVE-2014-9130.patch
+ "
_builddir="$srcdir"/yaml-$pkgver
prepare() {
@@ -45,6 +47,9 @@ package() {
rm -f "$pkgdir"/usr/lib/*.la
}
-md5sums="5fe00cda18ca5daeb43762b80c38e06e yaml-0.1.6.tar.gz"
-sha256sums="7da6971b4bd08a986dd2a61353bc422362bd0edcc67d7ebaac68c95f74182749 yaml-0.1.6.tar.gz"
-sha512sums="eef1f26fec0a305836b8c6a65def4e2864fe2415618e7490717d4e42f0fc51048727ab0e7e4a6c3a2783ae762fddd6b78091a76a6cd3a2710ae18e3dfb27cd44 yaml-0.1.6.tar.gz"
+md5sums="5fe00cda18ca5daeb43762b80c38e06e yaml-0.1.6.tar.gz
+ec710ccf96476c5eff3eba2e412560d5 CVE-2014-9130.patch"
+sha256sums="7da6971b4bd08a986dd2a61353bc422362bd0edcc67d7ebaac68c95f74182749 yaml-0.1.6.tar.gz
+4255081c22c7e823dc77967efcbcb2493cac991fca3648c7d825c1bc3c25d2fa CVE-2014-9130.patch"
+sha512sums="eef1f26fec0a305836b8c6a65def4e2864fe2415618e7490717d4e42f0fc51048727ab0e7e4a6c3a2783ae762fddd6b78091a76a6cd3a2710ae18e3dfb27cd44 yaml-0.1.6.tar.gz
+1d6e7db8b45ba4edc3d0b89951113c908c65f7477630ab3c046d4eddc1533eb32b9840d9dbe65704c9f70958e6eeb214fdbb6f393f3fdcae011aaf09bc4c5e97 CVE-2014-9130.patch"
diff --git a/main/yaml/CVE-2014-9130.patch b/main/yaml/CVE-2014-9130.patch
new file mode 100644
index 0000000000..00e15f32b4
--- /dev/null
+++ b/main/yaml/CVE-2014-9130.patch
@@ -0,0 +1,28 @@
+From e6aa721cc0e5a48f408c52355559fd36780ba32a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ingy=20d=C3=B6t=20Net?= <ingy@ingy.net>
+Date: Fri, 28 Nov 2014 09:21:49 -0800
+Subject: [PATCH] Fix for https://bitbucket.org/xi/libyaml/issue/10/
+
+https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
+
+Commenting out the assert makes the scanner do the right thing and
+results in just a simple parse failure.
+---
+ src/scanner.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/scanner.c b/src/scanner.c
+index 88d4fa5..c5f3d2f 100644
+--- a/src/scanner.c
++++ b/src/scanner.c
+@@ -1110,7 +1110,9 @@ yaml_parser_save_simple_key(yaml_parser_t *parser)
+ * line. Therefore it is always allowed. But we add a check anyway.
+ */
+
+- assert(parser->simple_key_allowed || !required); /* Impossible. */
++ /* XXX This caused:
++ * https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
++ assert(parser->simple_key_allowed || !required); */ /* Impossible. */
+
+ /*
+ * If the current position may start a simple key, save it.