
regression in CVE-2013-6393 patch

Reported by Marc Deslauriers on 2014-02-13
Affects                 Status                    Importance   Assigned to        Milestone
libyaml (Debian)        Fix Released              Unknown
libyaml (Ubuntu)        Status tracked in Trusty
  Precise                                         Undecided    Marc Deslauriers
  Quantal                                         Undecided    Marc Deslauriers
  Saucy                                           Undecided    Marc Deslauriers
  Trusty                                          Undecided    Marc Deslauriers

Bug Description

A regression has been reported in the patch used to fix CVE-2013-6393 in USN-2098-1:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738587
https://bugzilla.redhat.com/show_bug.cgi?id=1033990

Upstream has used slightly different fixes in 0.1.5.

Changed in libyaml (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libyaml (Ubuntu Saucy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libyaml (Ubuntu Quantal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libyaml (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libyaml (Debian):
status: Unknown → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package libyaml - 0.1.4-2ubuntu0.13.10.2

---------------
libyaml (0.1.4-2ubuntu0.13.10.2) saucy-security; urgency=medium

  * SECURITY REGRESSION: parsing regression in security update
    (LP: #1279805)
    - debian/patches/CVE-2013-6393.patch: updated to use upstream commits
      from 0.1.5.
 -- Marc Deslauriers <email address hidden> Thu, 13 Feb 2014 08:32:45 -0500

Changed in libyaml (Ubuntu Saucy):
status: New → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package libyaml - 0.1.4-2ubuntu0.12.04.2

---------------
libyaml (0.1.4-2ubuntu0.12.04.2) precise-security; urgency=medium

  * SECURITY REGRESSION: parsing regression in security update
    (LP: #1279805)
    - debian/patches/CVE-2013-6393.patch: updated to use upstream commits
      from 0.1.5.
 -- Marc Deslauriers <email address hidden> Thu, 13 Feb 2014 08:40:49 -0500

Changed in libyaml (Ubuntu Precise):
status: New → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package libyaml - 0.1.4-2ubuntu0.12.10.2

---------------
libyaml (0.1.4-2ubuntu0.12.10.2) quantal-security; urgency=medium

  * SECURITY REGRESSION: parsing regression in security update
    (LP: #1279805)
    - debian/patches/CVE-2013-6393.patch: updated to use upstream commits
      from 0.1.5.
 -- Marc Deslauriers <email address hidden> Thu, 13 Feb 2014 08:39:51 -0500

Changed in libyaml (Ubuntu Quantal):
status: New → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package libyaml - 0.1.4-3ubuntu2

---------------
libyaml (0.1.4-3ubuntu2) trusty; urgency=medium

  * SECURITY REGRESSION: parsing regression in security update
    (LP: #1279805)
    - debian/patches/CVE-2013-6393.patch: use upstream commits from 0.1.5.
    - debian/patches/libyaml-string-overflow.patch: removed
    - debian/patches/libyaml-node-id-hardening.patch: removed
    - debian/patches/libyaml-indent-column-overflow-v2.patch: removed
 -- Marc Deslauriers <email address hidden> Thu, 13 Feb 2014 09:02:35 -0500

Changed in libyaml (Ubuntu Trusty):
status: New → Fix Released
Changed in libyaml (Debian):
status: Fix Committed → Fix Released