CVE-2013-6393 libyaml: heap-based buffer overflow when parsing YAML tags

Bug #1276156 reported by John Leach
This bug affects 6 people
Affects              Status        Importance  Assigned to  Milestone
libyaml (Debian)     Fix Released  Unknown
libyaml (Ubuntu)     Fix Released  Medium      Unassigned
  Lucid              Won't Fix     Medium      Unassigned
  Precise            Fix Released  Medium      Unassigned

Bug Description

https://bugzilla.redhat.com/show_bug.cgi?id=1033990

"A heap-based buffer overflow flaw was found in the way libyaml parsed YAML tags. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application."

Fixed in Debian package 0.1.4-2+deb7u2

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076

That fix has been merged into Trusty already (0.1.4-3ubuntu1) but no others.

John Leach (johnleach)
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libyaml (Ubuntu):
status: New → Confirmed
Changed in libyaml (Debian):
status: Unknown → Fix Released
somekool (somekool) wrote :

I'd appreciate package updates for 12.04 and 13.04

thanks

Changed in libyaml (Ubuntu Precise):
status: New → Confirmed
Changed in libyaml (Ubuntu Lucid):
status: New → Confirmed
Changed in libyaml (Ubuntu Trusty):
status: New → Fix Released
Changed in libyaml (Ubuntu Utopic):
status: Confirmed → Fix Released
Rolf Leggewie (r0lf) wrote :

Lucid has seen the end of its life and is no longer receiving any updates. Marking the Lucid task for this ticket as "Won't Fix".

Changed in libyaml (Ubuntu Lucid):
status: Confirmed → Won't Fix
Mathew Hodson (mhodson) wrote :
Changed in libyaml (Ubuntu Precise):
status: Confirmed → Fix Released
Mathew Hodson (mhodson)
no longer affects: libyaml (Ubuntu Trusty)
no longer affects: libyaml (Ubuntu Utopic)
Changed in libyaml (Ubuntu):
importance: Undecided → Medium
Changed in libyaml (Ubuntu Lucid):
importance: Undecided → Medium
Changed in libyaml (Ubuntu Precise):
importance: Undecided → Medium