[gentoo-announce] [ GLSA 201403-02 ] LibYAML: Arbitrary code execution - gentoo-announce

From:	Mikle Kolyada <zlogene@g.o>
To:	gentoo-announce@g.o
Subject:	[gentoo-announce] [ GLSA 201403-02 ] LibYAML: Arbitrary code execution
Date:	Sat, 08 Mar 2014 18:51:09
Message-Id:	`531B6769.2050408@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201403-02

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: LibYAML: Arbitrary code execution

9

     Date: March 08, 2014

10

     Bugs: #499920

11

       ID: 201403-02

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

A Vulnerability in LibYAML could result in execution of arbitrary code.

19

20

Background

21

==========

22

23

LibYAML is a YAML 1.1 parser and emitter written in C.

24

25

Affected packages

26

=================

27

28

    -------------------------------------------------------------------

29

     Package              /     Vulnerable     /            Unaffected

30

    -------------------------------------------------------------------

31

  1  dev-libs/libyaml             < 0.1.5                    >= 0.1.5 

32

33

Description

34

===========

35

36

A heap-based buffer overflow flaw was found in the way libyaml parsed

37

YAML tags.

38

39

Impact

40

======

41

42

A remote attacker could provide a specially-crafted YAML document which

43

when parsed by LibYAML, would cause the application to crash or,

44

potentially, execute arbitrary code with the privileges the user who is

45

running the application.

46

47

Workaround

48

==========

49

50

There is no known workaround at this time.

51

52

Resolution

53

==========

54

55

All LibYAML users should upgrade to the latest version:

56

57

  # emerge --sync

58

  # emerge --ask --oneshot --verbose ">=dev-libs/libyaml-0.1.5"

59

60

References

61

==========

62

63

[ 1 ] CVE-2013-6393

64

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6393

65

66

Availability

67

============

68

69

This GLSA and any updates to it are available for viewing at

70

the Gentoo Security Website:

71

72

 http://security.gentoo.org/glsa/glsa-201403-02.xml

73

74

Concerns?

75

=========

76

77

Security is a primary focus of Gentoo Linux and ensuring the

78

confidentiality and security of our users' machines is of utmost

79

importance to us. Any security concerns should be addressed to

80

security@g.o or alternatively, you may file a bug at

81

https://bugs.gentoo.org.

82

83

License

84

=======

85

86

Copyright 2014 Gentoo Foundation, Inc; referenced text

87

belongs to its owner(s).

88

89

The contents of this document are licensed under the

90

Creative Commons - Attribution / Share Alike license.

91

92

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201403-02
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: LibYAML: Arbitrary code execution
9	Date: March 08, 2014
10	Bugs: #499920
11	ID: 201403-02
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	A Vulnerability in LibYAML could result in execution of arbitrary code.
19
20	Background
21	==========
22
23	LibYAML is a YAML 1.1 parser and emitter written in C.
24
25	Affected packages
26	=================
27
28	-------------------------------------------------------------------
29	Package / Vulnerable / Unaffected
30	-------------------------------------------------------------------
31	1 dev-libs/libyaml < 0.1.5 >= 0.1.5
32
33	Description
34	===========
35
36	A heap-based buffer overflow flaw was found in the way libyaml parsed
37	YAML tags.
38
39	Impact
40	======
41
42	A remote attacker could provide a specially-crafted YAML document which
43	when parsed by LibYAML, would cause the application to crash or,
44	potentially, execute arbitrary code with the privileges the user who is
45	running the application.
46
47	Workaround
48	==========
49
50	There is no known workaround at this time.
51
52	Resolution
53	==========
54
55	All LibYAML users should upgrade to the latest version:
56
57	# emerge --sync
58	# emerge --ask --oneshot --verbose ">=dev-libs/libyaml-0.1.5"
59
60	References
61	==========
62
63	[ 1 ] CVE-2013-6393
64	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6393
65
66	Availability
67	============
68
69	This GLSA and any updates to it are available for viewing at
70	the Gentoo Security Website:
71
72	http://security.gentoo.org/glsa/glsa-201403-02.xml
73
74	Concerns?
75	=========
76
77	Security is a primary focus of Gentoo Linux and ensuring the
78	confidentiality and security of our users' machines is of utmost
79	importance to us. Any security concerns should be addressed to
80	security@g.o or alternatively, you may file a bug at
81	https://bugs.gentoo.org.
82
83	License
84	=======
85
86	Copyright 2014 Gentoo Foundation, Inc; referenced text
87	belongs to its owner(s).
88
89	The contents of this document are licensed under the
90	Creative Commons - Attribution / Share Alike license.
91
92	http://creativecommons.org/licenses/by-sa/2.5