
Fedora alert FEDORA-2026-a8d89d8ae2 (perl-YAML-Syck)

From:  updates--- via package-announce <package-announce@lists.fedoraproject.org>
To:  package-announce@lists.fedoraproject.org
Subject:  [SECURITY] Fedora 44 Update: perl-YAML-Syck-1.39-1.fc44
Date:  Tue, 31 Mar 2026 00:27:26 +0000
Message-ID:  <20260331002726.7C57977660@bastion01.rdu3.fedoraproject.org>
Archive-link:  Article

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a8d89d8ae2
2026-03-31 00:16:35.926016+00:00
--------------------------------------------------------------------------------
Name        : perl-YAML-Syck
Product     : Fedora 44
Version     : 1.39
Release     : 1.fc44
URL         : https://metacpan.org/release/YAML-Syck
Summary     : Fast, lightweight YAML loader and dumper
Description :
This module provides a Perl interface to the libsyck data serialization
library. It exports the Dump and Load functions for converting Perl data
structures to YAML strings, and the other way around.
--------------------------------------------------------------------------------
Update Information:

YAML::Syck versions up to and including 1.36 for Perl have several potential
security vulnerabilities, including a high-severity heap buffer overflow in the
YAML emitter. The heap overflow occurs when class names exceed the initial
512-byte allocation. The base64 decoder could read past the buffer end on
trailing newlines. strtok mutated n->type_id in place, corrupting shared node
data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an
anchor. The incoming anchor string 'a' was leaked on early return.
--------------------------------------------------------------------------------
ChangeLog:

* Sun Mar 22 2026 Paul Howarth <paul@city-fan.org> - 1.39-1
- Update to 1.39
  Bug Fixes:
  - Fix: escape solidus (/) as \/ in JSON::Syck::Dump for XSS safety (GH#125, GH#130)
  - Fix: anchor tracking for blessed scalar refs in Dump (GH#126, GH#131)
  - Fix: prevent buffer underflow in base60 (sexagesimal) parsing (GH#133)
  - Fix: guard against NULL type from strtok in tag parsing (GH#135)
  - Fix: correct copy-paste bug in syck_seq_assign() ASSERT macros (GH#137)
  - Fix t/yaml-implicit-typing.t failure with -Duselongdouble perls (GH#138, GH#139)
  Improvements:
  - Resolve TODO tests for empty/invalid YAML to match actual behaviour (GH#127, GH#129)
  Maintenance:
  - Remove dead Perl 5.6 TODOs and convert 5.8 TODO to SKIP (GH#129)
  - Add comprehensive implicit type resolution test suite (GH#137)
  - Update MANIFEST to include all unit tests
  - Clean up test names to remove unnecessary numbering
* Thu Mar 19 2026 Paul Howarth <paul@city-fan.org> - 1.37-1
- Update to 1.37
  Features:
  - Add LoadBytes, LoadUTF8, DumpBytes, DumpUTF8 functions (GH#51)
  Fixes:
  - Fix heap buffer overflow in the YAML emitter - CVE-2026-4177 (GH#67)
  - Fix DumpFile with tied filehandles (IO::String, IO::Scalar) (GH#22)
  - Fix _is_glob to recognize IO::Handle subclasses (GH#23)
  - Fix memory leak when dumping filehandles (CPAN RT#41199, GH#42)
  - Fix dumping of tied hashes (GH#31)
  - Fix dumping strings starting with '...' as unquoted plain scalars (GH#34)
  - Fix dumping strings with tabs and carriage returns as plain scalars (GH#59)
  - Fix double-dash YAML parsing (RT#34073, GH#35)
  - Fix extra newline after empty arrays/hashes in YAML output (GH#36)
  - Remove trailing whitespace from YAML output lines (GH#37, GH#38, GH#39)
  - Fix quoting of \r and \t in YAML output instead of emitting raw bytes (GH#40)
  - Fix growing !!perl/regexp objects in round-trips (GH#43)
  - Fix quoted '=' being transformed into 'str' (GH#45)
  - Fix backslash-space escape in double-quoted YAML strings (GH#61)
  - Fix flow sequence comma separator not recognized without trailing space (GH#60)
  - Fix wide character warning in DumpFile (GH#28)
  - Fix inline arrays without space after comma (GH#25)
  - Fix: quote strings matching YAML implicit types to prevent round-trip failures (GH#26)
  - Fix JSON::Syck::Dump to use JSON-valid \uXXXX escapes in output (GH#21)
  - Fix JSON::Syck::Load decoding of \/ and \uXXXX escape sequences (GH#30)
  - Fix: apply JSON postprocessing to JSON::Syck::DumpFile output (GH#104)
  - Fix: add tied-filehandle fallback to JSON::Syck::DumpFile (GH#98)
  - Fix: handle JSON escape sequences in SingleQuote mode Load (GH#99)
  - Fix: restore Perl 5.8 compatibility in test suite (GH#121)
  - Fix: correct copy-paste error in Makefile.PL clean target (GH#101)
  - Fix: correct $SortKeys POD default from false to true (GH#100)
  - Fix: correct POD documentation errors (GH#103)
  Maintenance:
  - Add C23-compatible function prototypes for GCC 15 compatibility (GH#112)
  - Silence macOS compiler warnings (GH#92)
  - Guard stdint.h include for portability (HP-UX 11.11) (GH#33)
  - Guard stdint.h include in syck_st.h for portability (GH#24)
  - Update ppport.h to 3.68
  - Add regression tests for magical variable dumping (GH#32)
  - CI: modernize GitHub Actions workflow (GH#123, GH#124)
  - CI: add disttest job to validate MANIFEST completeness
- Use %{make_build} and %{make_install}
- Drop workaround for C23 incompatibility
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2448281 - CVE-2026-4177 perl-YAML-Syck: YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2448281
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a8d89d8ae2' at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgr...

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-cond...
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-ann...
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
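A small check a Fedora administrator can run to see whether the installed perl-YAML-Syck is already at the version this notification ships (1.39) before applying the advisory. This is an added example, not part of the Fedora notification or of the YAML::Syck project; it assumes versions made of numeric dotted fields only (a deliberate simplification of rpm's full rpmvercmp rules, which is enough for the "1.36"/"1.39" style versions this package uses) and reads the installed version with `rpm -q` only when rpm is present, so the comparison functions also run on a non-Fedora host.

```shell
#!/bin/sh
# Added example (not from the Fedora notification): compare the installed
# perl-YAML-Syck version against the version shipped by FEDORA-2026-a8d89d8ae2.

# Version this advisory ships (from the notification's "Version" field).
FIXED_VERSION="1.39"

# vercmp_numeric A B: compare two dotted numeric version strings field by
# field and print -1, 0 or 1. A plain string comparison would get "1.4" vs
# "1.39" wrong; numeric comparison of each field does not. Assumption: every
# field is an integer (a simplification of rpm's rpmvercmp).
vercmp_numeric() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}               # leading field of each side
    [ "$ah" = "$a" ] && a= || a=${a#*.}    # drop the consumed field
    [ "$bh" = "$b" ] && b= || b=${b#*.}
    ah=${ah:-0}; bh=${bh:-0}               # a missing field counts as 0
    if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
    if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# syck_is_fixed INSTALLED_VERSION: print "yes" when the installed version is
# at or above FIXED_VERSION, otherwise "no".
syck_is_fixed() {
  case $(vercmp_numeric "$1" "$FIXED_VERSION") in
    -1) printf '%s\n' no ;;
    *)  printf '%s\n' yes ;;
  esac
}

# On a Fedora host, read the installed version from the RPM database and,
# if it is older than the advisory's version, print the update command the
# notification gives. Skipped silently where rpm is not installed.
if command -v rpm >/dev/null 2>&1; then
  installed=$(rpm -q --qf '%{VERSION}\n' perl-YAML-Syck 2>/dev/null) || installed=""
  if [ -n "$installed" ]; then
    echo "perl-YAML-Syck $installed installed; at advisory version: $(syck_is_fixed "$installed")"
    [ "$(syck_is_fixed "$installed")" = no ] &&
      echo "update with: su -c 'dnf upgrade --advisory FEDORA-2026-a8d89d8ae2'"
  fi
fi
```

The comparator exists mainly to avoid the classic mistake of string-comparing package versions; on a real Fedora system the authoritative answer is still `dnf upgrade --advisory FEDORA-2026-a8d89d8ae2`, which consults the signed repository metadata rather than a hand-written comparison.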




Copyright © 2026, Eklektix, Inc.