[Bug 1305949] [NEW] Please bump libyaml to 0.1.6 due to CVE-2014-2525

[saepia]

*** This bug is a security vulnerability ***

Public security bug reported:

Please bump libyaml to 0.1.6 due to CVE-2014-2525.

Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function
in LibYAML before 0.1.6 allows context-dependent attackers to execute
arbitrary code via a long sequence of percent-encoded characters in a
URI in a YAML file.

Except many other possible attack vectors, libyaml is a rather standard
dependency for Ruby on Rails apps (the framework rely on YAML). Shipping
insecure library can obviously lead to many unwanted problems.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2525

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: libyaml-0-2 0.1.4-3ubuntu2
ProcVersionSignature: Ubuntu 3.13.0-16.36-generic 3.13.5
Uname: Linux 3.13.0-16-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.13.3-0ubuntu1
Architecture: amd64
CurrentDesktop: GNOME
Date: Thu Apr 10 16:39:39 2014
Dependencies:
 gcc-4.9-base 4.9-20140303-0ubuntu3
 libc6 2.19-0ubuntu2
 libgcc1 1:4.9-20140303-0ubuntu3
 multiarch-support 2.19-0ubuntu2
InstallationDate: Installed on 2014-03-08 (32 days ago)
InstallationMedia: Ubuntu-GNOME 14.04 "Trusty Tahr" - Alpha amd64 (20140226)
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=pl_PL.UTF-8
 SHELL=/bin/bash
SourcePackage: libyaml
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: libyaml (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug trusty

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libyaml in Ubuntu.
https://bugs.launchpad.net/bugs/1305949

Title:
  Please bump libyaml to 0.1.6 due to CVE-2014-2525

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libyaml/+bug/1305949/+subscriptions