Advisories » MGASA-2014-0154

Updated perl-YAML-LibYAML package fixes security vulnerabilies

Publication date: 03 Apr 2014
Modification date: 03 Apr 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2013-6393 , CVE-2014-2525

Description

Updated perl-YAML-LibYAML packages fix security vulnerabilities:

Florian Weimer of the Red Hat Product Security Team discovered a heap-based
buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library.
A remote attacker could provide a YAML document with a specially-crafted tag
that, when parsed by an application using libyaml, would cause the application
to crash or, potentially, execute arbitrary code with the privileges of the
user running the application (CVE-2013-6393).

Ivan Fratric of the Google Security Team discovered a heap-based buffer
overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter
library. A remote attacker could provide a specially-crafted YAML document
that, when parsed by an application using libyaml, would cause the application
to crash or, potentially, execute arbitrary code with the privileges of the
user running the application (CVE-2014-2525).

The perl-YAML-LibYAML package is being updated as it contains an embedded copy
of LibYAML.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=12984
• http://www.debian.org/security/2014/dsa-2885
• http://www.debian.org/security/2014/dsa-2870
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6393
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2525

SRPMS

4/core

• perl-YAML-LibYAML-0.410.0-2.2.mga4

3/core

• perl-YAML-LibYAML-0.380.0-3.2.mga3