[SECURITY] [DSA 2850-1] libyaml security update

2014-01-3121:25:45

lists.debian.org

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.031 Low

EPSS

Percentile

90.9%

JSON

Debian Security Advisory DSA-2850-1 [email protected]
http://www.debian.org/security/ Salvatore Bonaccorso
January 31, 2014 http://www.debian.org/security/faq

Package : libyaml
Vulnerability : heap-based buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2013-6393
Debian Bug : 737076

Florian Weimer of the Red Hat Product Security Team discovered a
heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and
emitter library. A remote attacker could provide a YAML document with a
specially-crafted tag that, when parsed by an application using libyaml,
would cause the application to crash or, potentially, execute arbitrary
code with the privileges of the user running the application.

For the oldstable distribution (squeeze), this problem has been fixed in
version 0.1.3-1+deb6u2.

For the stable distribution (wheezy), this problem has been fixed in
version 0.1.4-2+deb7u2.

For the unstable distribution (sid), this problem has been fixed in
version 0.1.4-3.

We recommend that you upgrade your libyaml packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian6mipsellibyaml-0-2< 0.1.3-1+deb6u2libyaml-0-2_0.1.3-1+deb6u2_mipsel.deb
Debian7armhflibyaml-0-2-dbg< 0.1.4-2+deb7u2libyaml-0-2-dbg_0.1.4-2+deb7u2_armhf.deb
Debian6ia64libyaml-libyaml-perl< 0.33-1+squeeze2libyaml-libyaml-perl_0.33-1+squeeze2_ia64.deb
Debian7i386libyaml-0-2< 0.1.4-2+deb7u2libyaml-0-2_0.1.4-2+deb7u2_i386.deb
Debian6amd64libyaml-0-2< 0.1.3-1+deb6u2libyaml-0-2_0.1.3-1+deb6u2_amd64.deb
Debian7powerpclibyaml-0-2< 0.1.4-2+deb7u2libyaml-0-2_0.1.4-2+deb7u2_powerpc.deb
Debian7ia64libyaml-0-2-dbg< 0.1.4-2+deb7u2libyaml-0-2-dbg_0.1.4-2+deb7u2_ia64.deb
Debian7sparclibyaml-0-2< 0.1.4-2+deb7u2libyaml-0-2_0.1.4-2+deb7u2_sparc.deb
Debian6i386libyaml-libyaml-perl< 0.33-1+squeeze2libyaml-libyaml-perl_0.33-1+squeeze2_i386.deb
Debian7powerpclibyaml-libyaml-perl< 0.38-3+deb7u1libyaml-libyaml-perl_0.38-3+deb7u1_powerpc.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	mipsel	libyaml-0-2	< 0.1.3-1+deb6u2	libyaml-0-2_0.1.3-1+deb6u2_mipsel.deb
Debian	7	armhf	libyaml-0-2-dbg	< 0.1.4-2+deb7u2	libyaml-0-2-dbg_0.1.4-2+deb7u2_armhf.deb
Debian	6	ia64	libyaml-libyaml-perl	< 0.33-1+squeeze2	libyaml-libyaml-perl_0.33-1+squeeze2_ia64.deb
Debian	7	i386	libyaml-0-2	< 0.1.4-2+deb7u2	libyaml-0-2_0.1.4-2+deb7u2_i386.deb
Debian	6	amd64	libyaml-0-2	< 0.1.3-1+deb6u2	libyaml-0-2_0.1.3-1+deb6u2_amd64.deb
Debian	7	powerpc	libyaml-0-2	< 0.1.4-2+deb7u2	libyaml-0-2_0.1.4-2+deb7u2_powerpc.deb
Debian	7	ia64	libyaml-0-2-dbg	< 0.1.4-2+deb7u2	libyaml-0-2-dbg_0.1.4-2+deb7u2_ia64.deb
Debian	7	sparc	libyaml-0-2	< 0.1.4-2+deb7u2	libyaml-0-2_0.1.4-2+deb7u2_sparc.deb
Debian	6	i386	libyaml-libyaml-perl	< 0.33-1+squeeze2	libyaml-libyaml-perl_0.33-1+squeeze2_i386.deb
Debian	7	powerpc	libyaml-libyaml-perl	< 0.38-3+deb7u1	libyaml-libyaml-perl_0.38-3+deb7u1_powerpc.deb