* [PATCH 0/1] libyaml: Fix CVE-2014-9130.
@ 2016-05-29 0:27 Leo Famulari
2016-05-29 0:27 ` [PATCH 1/1] gnu: " Leo Famulari
2016-05-29 22:15 ` [PATCH 0/1] " Ludovic Courtès
0 siblings, 2 replies; 3+ messages in thread
From: Leo Famulari @ 2016-05-29 0:27 UTC (permalink / raw)
To: guix-devel
This is a cherry-picked upstream commit [0] that fixes CVE-2014-9130 [1].
Debian used the same patch. You can find it by clicking on VCS here:
https://tracker.debian.org/pkg/libyaml
I don't link directly to that VCS because the repo is on the
maintainer's domain, so you should follow the link from Debian's domain
yourself.
[0]
https://bitbucket.org/xi/libyaml/commits/2b9156756423e967cfd09a61d125d883fca6f4f2
[1]
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9130
Leo Famulari (1):
gnu: libyaml: Fix CVE-2014-9130.
gnu/local.mk | 1 +
gnu/packages/patches/libyaml-CVE-2014-9130.patch | 30 ++++++++++++++++++++++++
gnu/packages/web.scm | 3 ++-
3 files changed, 33 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/libyaml-CVE-2014-9130.patch
--
2.8.3
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH 1/1] gnu: libyaml: Fix CVE-2014-9130.
2016-05-29 0:27 [PATCH 0/1] libyaml: Fix CVE-2014-9130 Leo Famulari
@ 2016-05-29 0:27 ` Leo Famulari
2016-05-29 22:15 ` [PATCH 0/1] " Ludovic Courtès
1 sibling, 0 replies; 3+ messages in thread
From: Leo Famulari @ 2016-05-29 0:27 UTC (permalink / raw)
To: guix-devel
* gnu/packages/patches/libyaml-CVE-2014-9130.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/web.scm (libyaml): Use it.
---
gnu/local.mk | 1 +
gnu/packages/patches/libyaml-CVE-2014-9130.patch | 30 ++++++++++++++++++++++++
gnu/packages/web.scm | 3 ++-
3 files changed, 33 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/libyaml-CVE-2014-9130.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 86b56d4..746d9fd 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -802,6 +802,7 @@ dist_patch_DATA = \
%D%/packages/patches/xfce4-session-fix-xflock4.patch \
%D%/packages/patches/xfce4-settings-defaults.patch \
%D%/packages/patches/xmodmap-asprintf.patch \
+ %D%/packages/patches/libyaml-CVE-2014-9130.patch \
%D%/packages/patches/zathura-plugindir-environment-variable.patch
MISC_DISTRO_FILES = \
diff --git a/gnu/packages/patches/libyaml-CVE-2014-9130.patch b/gnu/packages/patches/libyaml-CVE-2014-9130.patch
new file mode 100644
index 0000000..800358c
--- /dev/null
+++ b/gnu/packages/patches/libyaml-CVE-2014-9130.patch
@@ -0,0 +1,30 @@
+Fixes CVE-2014-9130
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9130
+
+Upstream source:
+https://bitbucket.org/xi/libyaml/commits/2b9156756423e967cfd09a61d125d883fca6f4f2
+
+# HG changeset patch
+# User Kirill Simonov <xi@resolvent.net>
+# Date 1417197312 21600
+# Node ID 2b9156756423e967cfd09a61d125d883fca6f4f2
+# Parent 053f53a381ff6adbbc93a31ab7fdee06a16c8a33
+Removed invalid simple key assertion (thank to Jonathan Gray).
+
+diff --git a/src/scanner.c b/src/scanner.c
+--- a/src/scanner.c
++++ b/src/scanner.c
+@@ -1106,13 +1106,6 @@
+ && parser->indent == (ptrdiff_t)parser->mark.column);
+
+ /*
+- * A simple key is required only when it is the first token in the current
+- * line. Therefore it is always allowed. But we add a check anyway.
+- */
+-
+- assert(parser->simple_key_allowed || !required); /* Impossible. */
+-
+- /*
+ * If the current position may start a simple key, save it.
+ */
+
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 03f15e8..e99ab0d 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -613,7 +613,8 @@ of people.")
version ".tar.gz"))
(sha256
(base32
- "0j9731s5zjb8mjx7wzf6vh7bsqi38ay564x6s9nri2nh9cdrg9kx"))))
+ "0j9731s5zjb8mjx7wzf6vh7bsqi38ay564x6s9nri2nh9cdrg9kx"))
+ (patches (search-patches "libyaml-CVE-2014-9130.patch"))))
(build-system gnu-build-system)
(home-page "http://pyyaml.org/wiki/LibYAML")
(synopsis "YAML 1.1 parser and emitter written in C")
--
2.8.3
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH 0/1] libyaml: Fix CVE-2014-9130.
2016-05-29 0:27 [PATCH 0/1] libyaml: Fix CVE-2014-9130 Leo Famulari
2016-05-29 0:27 ` [PATCH 1/1] gnu: " Leo Famulari
@ 2016-05-29 22:15 ` Ludovic Courtès
1 sibling, 0 replies; 3+ messages in thread
From: Ludovic Courtès @ 2016-05-29 22:15 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Leo Famulari <leo@famulari.name> skribis:
> This is a cherry-picked upstream commit [0] that fixes CVE-2014-9130 [1].
>
> Debian used the same patch. You can find it by clicking on VCS here:
> https://tracker.debian.org/pkg/libyaml
Sounds good, thank you!
Ludo’.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-05-29 22:15 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-05-29 0:27 [PATCH 0/1] libyaml: Fix CVE-2014-9130 Leo Famulari
2016-05-29 0:27 ` [PATCH 1/1] gnu: " Leo Famulari
2016-05-29 22:15 ` [PATCH 0/1] " Ludovic Courtès
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).