[Bug 1276156] Re: CVE-2013-6393 libyaml: heap-based buffer overflow when parsing YAML tags

Scott Kitterman ubuntu at kitterman.com
Wed Sep 3 19:27:21 UTC 2014 

** Also affects: libyaml (Ubuntu Utopic)
   Importance: Undecided
       Status: Confirmed

** Also affects: libyaml (Ubuntu Lucid)
   Importance: Undecided
       Status: New

** Also affects: libyaml (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: libyaml (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Changed in: libyaml (Ubuntu Precise)
       Status: New => Confirmed

** Changed in: libyaml (Ubuntu Lucid)
       Status: New => Confirmed

** Changed in: libyaml (Ubuntu Trusty)
       Status: New => Fix Released

** Changed in: libyaml (Ubuntu Utopic)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libyaml in Ubuntu.
https://bugs.launchpad.net/bugs/1276156

Title:
   CVE-2013-6393 libyaml: heap-based buffer overflow when parsing YAML
  tags

Status in “libyaml” package in Ubuntu:
  Fix Released
Status in “libyaml” source package in Lucid:
  Confirmed
Status in “libyaml” source package in Precise:
  Confirmed
Status in “libyaml” source package in Trusty:
  Fix Released
Status in “libyaml” source package in Utopic:
  Fix Released
Status in “libyaml” package in Debian:
  Fix Released

Bug description:
  https://bugzilla.redhat.com/show_bug.cgi?id=1033990

  "A heap-based buffer overflow flaw was found in the way libyaml parsed
  YAML tags. A remote attacker could provide a specially-crafted YAML
  document that, when parsed by an application using libyaml, would
  cause the application to crash or, potentially, execute arbitrary code
  with the privileges of the user running the application."

  Fixed in Debian package 0.1.4-2+deb7u2

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076

  That fix has been merged into Trusty already (0.1.4-3ubuntu1) but no
  others.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libyaml/+bug/1276156/+subscriptions

More information about the foundations-bugs mailing list