authorNatanael Copa <ncopa@alpinelinux.org>2015-01-29 12:07:47 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2015-01-29 12:08:52 +0000
commita1e7bc74cdeac8520b201eb810464e43ed7fcd91 (patch)
tree748f780777ee3c3456d5f2a0dc99e3809ef9511b
parentee2aac0900826812bd1147ee76b8a4c0023a8af3 (diff)
downloadaports-a1e7bc74cdeac8520b201eb810464e43ed7fcd91.tar.bz2
aports-a1e7bc74cdeac8520b201eb810464e43ed7fcd91.tar.xz
main/yaml: security fix for CVE-2014-9130
ref #3771 fixes #3773 (cherry picked from commit c26ee7ddc49f3aa15cd9e0ac6c85259d5c3f186e)
-rw-r--r--main/yaml/APKBUILD15
-rw-r--r--main/yaml/CVE-2014-9130.patch28
2 files changed, 38 insertions, 5 deletions
diff --git a/main/yaml/APKBUILD b/main/yaml/APKBUILD
index fc8d9caf5..11291d77c 100644
--- a/main/yaml/APKBUILD
+++ b/main/yaml/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=yaml
pkgver=0.1.6
-pkgrel=0
+pkgrel=1
pkgdesc="YAML 1.1 parser and emitter written in C"
url="http://pyyaml.org/wiki/LibYAML"
arch="all"
@@ -11,7 +11,9 @@ depends=""
makedepends=""
install=""
subpackages="$pkgname-dev"
-source="http://pyyaml.org/download/libyaml/yaml-$pkgver.tar.gz"
+source="http://pyyaml.org/download/libyaml/yaml-$pkgver.tar.gz
+ CVE-2014-9130.patch
+ "
_builddir="$srcdir"/yaml-$pkgver
prepare() {
@@ -45,6 +47,9 @@ package() {
rm -f "$pkgdir"/usr/lib/*.la
}
-md5sums="5fe00cda18ca5daeb43762b80c38e06e yaml-0.1.6.tar.gz"
-sha256sums="7da6971b4bd08a986dd2a61353bc422362bd0edcc67d7ebaac68c95f74182749 yaml-0.1.6.tar.gz"
-sha512sums="eef1f26fec0a305836b8c6a65def4e2864fe2415618e7490717d4e42f0fc51048727ab0e7e4a6c3a2783ae762fddd6b78091a76a6cd3a2710ae18e3dfb27cd44 yaml-0.1.6.tar.gz"
+md5sums="5fe00cda18ca5daeb43762b80c38e06e yaml-0.1.6.tar.gz
+ec710ccf96476c5eff3eba2e412560d5 CVE-2014-9130.patch"
+sha256sums="7da6971b4bd08a986dd2a61353bc422362bd0edcc67d7ebaac68c95f74182749 yaml-0.1.6.tar.gz
+4255081c22c7e823dc77967efcbcb2493cac991fca3648c7d825c1bc3c25d2fa CVE-2014-9130.patch"
+sha512sums="eef1f26fec0a305836b8c6a65def4e2864fe2415618e7490717d4e42f0fc51048727ab0e7e4a6c3a2783ae762fddd6b78091a76a6cd3a2710ae18e3dfb27cd44 yaml-0.1.6.tar.gz
+1d6e7db8b45ba4edc3d0b89951113c908c65f7477630ab3c046d4eddc1533eb32b9840d9dbe65704c9f70958e6eeb214fdbb6f393f3fdcae011aaf09bc4c5e97 CVE-2014-9130.patch"
diff --git a/main/yaml/CVE-2014-9130.patch b/main/yaml/CVE-2014-9130.patch
new file mode 100644
index 000000000..00e15f32b
--- /dev/null
+++ b/main/yaml/CVE-2014-9130.patch
@@ -0,0 +1,28 @@
+From e6aa721cc0e5a48f408c52355559fd36780ba32a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ingy=20d=C3=B6t=20Net?= <ingy@ingy.net>
+Date: Fri, 28 Nov 2014 09:21:49 -0800
+Subject: [PATCH] Fix for https://bitbucket.org/xi/libyaml/issue/10/
+
+https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
+
+Commenting out the assert makes the scanner do the right thing and
+results in just a simple parse failure.
+---
+ src/scanner.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/scanner.c b/src/scanner.c
+index 88d4fa5..c5f3d2f 100644
+--- a/src/scanner.c
++++ b/src/scanner.c
+@@ -1110,7 +1110,9 @@ yaml_parser_save_simple_key(yaml_parser_t *parser)
+ * line. Therefore it is always allowed. But we add a check anyway.
+ */
+
+- assert(parser->simple_key_allowed || !required); /* Impossible. */
++ /* XXX This caused:
++ * https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
++ assert(parser->simple_key_allowed || !required); */ /* Impossible. */
+
+ /*
+ * If the current position may start a simple key, save it.
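Review bot: The added patch disables the only check on `parser->simple_key_allowed || !required` without putting any replacement error path in its place, and the `/* Impossible. */` comment left after the commented-out assert now contradicts the XXX note directly above it, which says the condition is reachable. If the intent is what the patch description states, that the scanner then fails with an ordinary parse error, the hunk should document that instead of keeping the stale remark, e.g. `/* Reachable: wrapped strings hit this path (libyaml issue 10); the scanner then reports a parse failure rather than aborting. */`. Whether a later check in the function actually rejects the `required` case cannot be confirmed here, since yaml_parser_save_simple_key begins and ends outside the hunk. The APKBUILD hunk lists the patch in `source` and its checksums, but the `prepare()` body that would apply it is also outside the visible hunk.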