
SUSE alert openSUSE-SU-2026:0180-1 (perl-YAML-Syck)

From:  maintenance@opensuse.org
To:  security-announce@lists.opensuse.org
Subject:  openSUSE-SU-2026:0180-1: moderate: Security update for perl-YAML-Syck
Date:  Sat, 30 May 2026 21:04:42 +0200
Message-ID:  <20260530190442.BBE8BFCE1@maintenance.suse.de>
Archive-link:  Article

openSUSE Security Update: Security update for perl-YAML-Syck
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2026:0180-1
Rating:             moderate
References:         #1252111 #1259757
Cross-References:   CVE-2025-11683 CVE-2026-4177
CVSS scores:
                    CVE-2025-11683 (SUSE): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products:
                    openSUSE Backports SLE-15-SP7
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for perl-YAML-Syck fixes the following issues:

- updated to 1.450.0 (1.45)
  see /usr/share/doc/packages/perl-YAML-Syck/Changes

  * 1.45 Apr 23 2026
    [Bug Fixes]
    - Fix: use syck_base64_free() to fix Windows "Free to wrong pool" crash in
      base64 encode/decode buffers; also plugs a memory leak (PR #189)
    - Fix: clear type tag on blessed scalar alias early-return so the stale tag
      no longer leaks onto the next emitted item (GH #193, PR #194)
    - Fix: negative float#base60 values produce wrong results; strip sign before
      accumulating and avoid negative zero for portable stringification (PR #191)
    - Fix: prevent memory leaks when Load/LoadJSON croak on parse errors (PR #192)
    [Maintenance]
    - Test: add coverage for SortKeys and JSON MaxDepth (PR #188)
    - Test: add error handling coverage for LoadFile/DumpFile (PR #190)
    - Update README

- updated to 1.440.0 (1.44)
  see /usr/share/doc/packages/perl-YAML-Syck/Changes

  * 1.44 Apr 02 2026
    [Bug Fixes]
    - Fix: positive hex and octal values parsed as 0 with ImplicitTyping (PR #187)
    - Fix: resolve uintptr_t redefinition error on Win64 MinGW (PR #186)

  * 1.43 Apr 01 2026
    [Bug Fixes]
    - Fix: prevent resource leaks on croak/early-return paths in Dump (PR #161)
    - Fix: prevent output SV leaks on croak in Dump/DumpFile callers (PR #163)
    - Fix: Load() in list context returns empty list for empty/undef input; also
      applies to LoadBytes and LoadUTF8 (GH #164, PR #165)
    - Fix: DumpCode serializes prototype string instead of code body (PR #168)
    - Fix: memory leak in !perl/scalar Load newRV_inc should be newRV_noinc (PR #170)
    - Fix: add pTHX_ to SAVEDESTRUCTOR_X callback for threaded Perl (GH #175, PR #176)
    - Fix: add TODO guard for eval_pv leak on Perl < 5.14 (GH #179, PR #180)
    - Fix: negative hex and octal values parsed as 0 with ImplicitTyping (PR #183)
    - Fix: negative int#base60 values produce unsigned wraparound (PR #185)
    [Improvements]
    - Modernize META_MERGE for CPANTS compliance (PR #162)
    - Fix hash table size handling and remove compile warnings in syck_st (PR #174)
    [Maintenance]
    - Restore TODO guard for Dump code leak test on Perl < 5.26 (PR #167)
    - Resolve 2010 TODO in perl_json_postprocess with test coverage (PR #166)
    - CI: upgrade actions to resolve Node.js 20 deprecation warnings (PR #177)

  * 1.42 Mar 27 2026
    [Bug Fixes]
    - Fix: replace strtok() with strpbrk() and fix sign-compare warnings in
      perl_syck.h (PR #145)
    - Fix: terminate plain scalars at document boundaries --- and ... (PR #150)
    - Fix: skip %TAG and %YAML directives in document header (PR #151)
    - Fix: plug SV leak when eval_pv croaks on bad perl/code blocks (PR #153)
    - Fix: allow non-specific tag '!' before block scalars (GH #27, PR #102)
    - Fix: remove spurious %type <nodeId> for indent_open in gram.y (GH #157, PR #158)
    - Fix: use modern bison %define api.prefix directive (GH #159, PR #160)
    [Improvements]
    - Implement YAML merge key (<<) support (PR #149)
    [Maintenance]
    - Remove dead Perl 5.6/5.8 version guards from test files (PR #146)
    - Add YAML 1.0 spec compliance audit and coverage tests (PR #148)
    - Add comprehensive round-trip tests for YAML 1.0 spec features (PR #152)
    - Remove unneeded TODO in t/json-basic.t (PR #154)
    - Add regex Dump/Load/round-trip tests to perl tag scheme (PR #155)
    - Do not require a .y file to build YAML::Syck; add brew support for bison
    - Don't ship docs/ directory in tarball

  * 1.41 Mar 22 2026
    [Bug Fixes]
    - Fix float parsing on -Dusequadmath perls: use Perl's Atof() instead of
      strtod() so that floats like -3.14 are not corrupted by double-precision
      rounding artifacts (GH #140, PR #141)

  * 1.39 Mar 21 2026
    [Bug Fixes]
    - Fix t/yaml-implicit-typing.t failure with -Duselongdouble perls (GH #138, PR #139)

  * 1.38 Mar 20 2026
    [Bug Fixes]
    - Fix: escape solidus (/) as \/ in JSON::Syck::Dump for XSS safety (GH #125, PR #130)
    - Fix: anchor tracking for blessed scalar refs in Dump (GH #126, PR #131)
    - Fix: prevent buffer underflow in base60 (sexagesimal) parsing (PR #133)
    - Fix: guard against NULL type from strtok in tag parsing (PR #135)
    - Fix: correct copy-paste bug in syck_seq_assign() ASSERT macros (PR #137)
    [Improvements]
    - Resolve TODO tests for empty/invalid YAML to match actual behavior (GH #127, PR #129)
    [Maintenance]
    - Remove dead Perl 5.6 TODOs and convert 5.8 TODO to SKIP (PR #129)
    - Add comprehensive implicit type resolution test suite (PR #137)
    - Update MANIFEST to include all unit tests
    - Clean up test names to remove unnecessary numbering

  * 1.37 Mar 18 2026
    [Features]
    - Add LoadBytes, LoadUTF8, DumpBytes, DumpUTF8 functions (GH #51)
    [Fixes]
    - Fix heap buffer overflow in the YAML emitter - CVE-2026-4177 (GH #67) boo#1259757
    - Fix DumpFile with tied filehandles (IO::String, IO::Scalar) (GH #22)
    - Fix _is_glob to recognize IO::Handle subclasses (GH #23)
    - Fix memory leak when dumping filehandles (GH #42)
    - Fix dumping of tied hashes (GH #31)
    - Fix dumping strings starting with '...' as unquoted plain scalars (GH #34)
    - Fix dumping strings with tabs and carriage returns as plain scalars (GH #59)
    - Fix double-dash YAML parsing (GH #35)
    - Fix extra newline after empty arrays/hashes in YAML output (GH #36)
    - Remove trailing whitespace from YAML output lines (GH #37, #38, #39)
    - Fix quoting of \r and \t in YAML output instead of emitting raw bytes (GH #40)
    - Fix growing !!perl/regexp objects in roundtrips (GH #43)
    - Fix quoted '=' being transformed into 'str' (GH #45)
    - Fix backslash-space escape in double-quoted YAML strings (GH #61)
    - Fix flow sequence comma separator not recognized without trailing space (GH #60)
    - Fix wide character warning in DumpFile (GH #28)
    - Fix inline arrays without space after comma (GH #25)
    - Fix: quote strings matching YAML implicit types to prevent roundtrip failures (GH #26)
    - Fix JSON::Syck::Dump to use JSON-valid \uXXXX escapes in output (GH #21)
    - Fix JSON::Syck::Load decoding of \/ and \uXXXX escape sequences (GH #30)
    - Fix: apply JSON postprocessing to JSON::Syck::DumpFile output (GH #104)
    - Fix: add tied-filehandle fallback to JSON::Syck::DumpFile (GH #98)
    - Fix: handle JSON escape sequences in SingleQuote mode Load (GH #99)
    - Fix: restore Perl 5.8 compatibility in test suite (GH #121)
    - Fix: correct copy-paste error in Makefile.PL clean target (GH #101)
    - Fix: correct $SortKeys POD default from false to true (GH #100)
    - Fix: correct POD documentation errors (GH #103)
    [Maintenance]
    - Add C23-compatible function prototypes for GCC 15 compatibility (GH #112)
    - Silence macOS compiler warnings (GH #92)
    - Guard stdint.h include for portability (HP-UX 11.11) (GH #33)
    - Guard stdint.h include in syck_st.h for portability (GH #24)
    - Update ppport.h to 3.68
    - Add regression tests for magical variable dumping (GH #32)
    - CI: modernize GitHub Actions workflow (GH #123, #124)
    - CI: add disttest job to validate MANIFEST completeness

- updated to 1.360.0 (1.36)
  see /usr/share/doc/packages/perl-YAML-Syck/Changes

  * 1.36 Oct 10 2025
    - Address memory corruption leading to 'str' value being set on empty keys
      Thanks @timlegge CVE-2025-11683 boo#1252111

  * 1.35 Oct 9 2025
    - Address parsing error related to string detection on read for empty strings.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP7:

    zypper in -t patch openSUSE-2026-180=1

Package List:

- openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):

    perl-YAML-Syck-1.450.0-bp157.2.3.1

References:

https://www.suse.com/security/cve/CVE-2025-11683.html
https://www.suse.com/security/cve/CVE-2026-4177.html
https://bugzilla.suse.com/1252111
https://bugzilla.suse.com/1259757
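The advisory names the fixed build (perl-YAML-Syck-1.450.0-bp157.2.3.1) but not how to confirm that a host actually received it. The script below is an added example, not part of the openSUSE advisory or of SUSE's tooling: it reads the installed VERSION-RELEASE with rpm and compares it against the advisory's fixed build using GNU sort -V. It assumes the package carries no RPM epoch (none appears in the advisory) and that GNU coreutils sort is available; the older version strings used for illustration are constructed, not real openSUSE releases.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the installed
# perl-YAML-Syck on an openSUSE Backports SLE-15-SP7 host is at or above
# the build that carries the CVE-2025-11683 / CVE-2026-4177 fixes.

# VERSION-RELEASE of the fixed package, taken from the advisory's package list.
FIXED_VR="1.450.0-bp157.2.3.1"

# vr_ge A B: exit 0 when version-release A sorts at or above B.
# GNU sort -V compares dotted numeric components numerically, so
# 1.340.0 < 1.450.0 and bp157.2.2.1 < bp157.2.3.1 (assumes no epoch).
vr_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# installed_vr: print VERSION-RELEASE of the installed package.
# Prints nothing and fails when rpm is absent or the package is not installed.
installed_vr() {
  rpm -q --qf '%{VERSION}-%{RELEASE}\n' perl-YAML-Syck 2>/dev/null
}

# yaml_syck_status VR: classify a VERSION-RELEASE string as
# "fixed", "vulnerable" or "not-installed" (empty string = not installed).
yaml_syck_status() {
  if [ -z "$1" ]; then
    echo not-installed
  elif vr_ge "$1" "$FIXED_VR"; then
    echo fixed
  else
    echo vulnerable
  fi
}

# Stand-alone use: classify whatever is installed on this host.
# A pre-update host (constructed example: 1.340.0-bp157.1.1) reports
# "vulnerable"; after "zypper in -t patch openSUSE-2026-180=1" it reports "fixed".
yaml_syck_status "$(installed_vr)"
```

The check is deliberately limited to the VERSION-RELEASE pair: it does not verify that the package was pulled from the openSUSE Backports repository, so on a host with a locally rebuilt or vendor-changed package, pair it with `rpm -qi perl-YAML-Syck` and inspect the Vendor and Signature fields as well.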




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds