
Fedora alert FEDORA-2014-4548 (perl-YAML-LibYAML)

Subject:  [SECURITY] Fedora 20 Update: perl-YAML-LibYAML-0.41-4.fc20
Date:  Mon, 07 Apr 2014 03:24:16 +0000
Message-ID:  <>

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-4548
2014-03-30 05:17:33
--------------------------------------------------------------------------------
Name        : perl-YAML-LibYAML
Product     : Fedora 20
Version     : 0.41
Release     : 4.fc20
URL         :
Summary     : Perl YAML Serialization using XS and libyaml
Description :
Kirill Siminov's "libyaml" is arguably the best YAML implementation. The C
library is written precisely to the YAML 1.1 specification. It was originally
bound to Python and was later bound to Ruby.
--------------------------------------------------------------------------------
Update Information:

This update addressed two security issues.

CVE-2013-6393: The yaml_parser_scan_tag_uri function in scanner.c in LibYAML
before 0.1.5 performs an incorrect cast, which allows remote attackers to cause
a denial of service (application crash) and possibly execute arbitrary code via
crafted tags in a YAML document, which triggers a heap-based buffer overflow.

CVE-2014-2525: The library is affected by a heap-based buffer overflow which
can lead to arbitrary code execution. The vulnerability is caused by lack of
proper expansion for the string passed to the yaml_parser_scan_uri_escapes()
function. A specially crafted YAML file, with a long sequence of
percent-encoded characters in a URL, can be used to trigger the overflow.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Mar 27 2014 Paul Howarth <> - 0.41-4
- Fix LibYAML input sanitization errors (CVE-2014-2525)
- Fix heap-based buffer overflow when parsing YAML tags (CVE-2013-6393)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1078083 - CVE-2014-2525 libyaml: heap-based buffer overflow when parsing URLs
  [ 2 ] Bug #1033990 - CVE-2013-6393 libyaml: heap-based buffer overflow when parsing YAML tags
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update perl-YAML-LibYAML' at the command line.
For more information, refer to "Managing Software with yum", available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
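The CVE-2014-2525 description above comes down to a percent-decoder writing into a buffer it had not expanded. As an added illustration (not libyaml's code and not the Fedora package's), here is a minimal bounds-checked decoder in the same spirit, with hypothetical names `decode_uri_escapes`, `grow` and `decode_repeat`: it grows the heap buffer before every write and rejects truncated or non-hex escapes, so a long run of `%XX` sequences in a URI is handled without an overflow.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

static int hexval(int c) {                       /* value of a hex digit, else -1 */
    const char *d = "0123456789abcdef", *p = c ? strchr(d, tolower((unsigned char)c)) : NULL;
    return p ? (int)(p - d) : -1;
}
static int grow(char **out, size_t *cap, size_t need) {   /* ensure *out holds `need` bytes */
    size_t ncap = *cap ? *cap : 16;
    while (ncap < need) ncap *= 2;
    char *p = ncap > *cap ? realloc(*out, ncap) : *out;
    if (!p) return -1;
    *out = p; *cap = ncap;
    return 0;
}

/* Decode %XX escapes from in[0..in_len) into the growable, NUL-terminated heap buffer
 * *out. Returns the decoded length, or -1 on a truncated or non-hex escape. */
long decode_uri_escapes(const char *in, size_t in_len, char **out, size_t *cap) {
    size_t len = 0;
    if (grow(out, cap, 1) < 0) return -1;
    for (size_t i = 0; i < in_len; ) {
        int byte = (unsigned char)in[i];
        if (byte == '%') {
            if (i + 2 >= in_len) return -1;                 /* truncated: "%4" */
            int hi = hexval(in[i + 1]), lo = hexval(in[i + 2]);
            if (hi < 0 || lo < 0) return -1;                /* non-hex: "%ZZ" */
            byte = hi * 16 + lo;
            i += 2;
        }
        i++;
        /* The expansion the advisory says was missing: make room before every write. */
        if (grow(out, cap, len + 2) < 0) return -1;
        (*out)[len++] = (char)byte;
    }
    (*out)[len] = '\0';
    return (long)len;
}

/* Check helper: decode `unit` repeated n times (constructed input); returns the decoded
 * length, -1 if decoding fails, or -2 if `expect` is given and the result differs. */
long decode_repeat(const char *unit, size_t n, const char *expect) {
    size_t ul = strlen(unit), cap = 0;
    char *in = malloc(ul * n + 1), *buf = NULL;
    for (size_t i = 0; in && i < n; i++) memcpy(in + ul * i, unit, ul);
    long len = in ? decode_uri_escapes(in, ul * n, &buf, &cap) : -1;
    if (len >= 0 && expect && strcmp(buf, expect) != 0) len = -2;
    free(in); free(buf);
    return len;
}
```

`decode_repeat("%41", 1000, NULL)` exercises the long-escape-run case the advisory describes; the buffer simply grows to fit.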


Copyright © 2018, Eklektix, Inc.