Bug 1063867

Summary: Patch for CVE-2013-6393 introduces regression
Product: Fedora EPEL
Component: libyaml
Version: el6
Reporter: John Eckersberg <jeckersb>
Assignee: John Eckersberg <jeckersb>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: jeckersb
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix
Fixed In Version: libyaml-0.1.5-1.el6
Last Closed: 2014-03-03 20:00:11 UTC

Description John Eckersberg 2014-02-11 14:59:14 UTC
Original report from Debian:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738587

===
The patch libyaml-indent-column-overflow-v2.patch applied for the
update to address CVE-2013-6393 introduces a regression which can be
seen when parsing a small YAML sample file with the tests/run-parser.c
utility:

----cut---------cut---------cut---------cut---------cut---------cut-----
%YAML 1.1
--- # Indented Block
  name: John Smith
  age: 33
--- # Inline Block
{name: John Smith, age: 33}
----cut---------cut---------cut---------cut---------cut---------cut-----

Compiling run-parser.c from the source tree and running it against this
YAML file, with the patch applied, leads to:

# ./run-parser ./regression.yaml 
[1] Parsing './regression.yaml': FAILURE (9 events)

Upstream has indeed addressed this part slightly differently, with [1]
and [2].

 [1] https://bitbucket.org/xi/libyaml/commits/f859ed1eb757a3562b98a28a8ce69274bfd4b3f2
 [2] https://bitbucket.org/xi/libyaml/commits/af3599437a87162554787c52d8b16eab553f537b
===

Comment 1 Fedora Update System 2014-02-11 16:34:50 UTC
libyaml-0.1.5-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/libyaml-0.1.5-1.el6

Comment 2 Fedora Update System 2014-02-11 19:22:43 UTC
libyaml-0.1.2-6.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/libyaml-0.1.2-6.el5

Comment 3 Fedora Update System 2014-02-14 20:55:56 UTC
Package libyaml-0.1.5-1.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing libyaml-0.1.5-1.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-0525/libyaml-0.1.5-1.el6
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2014-03-03 20:00:11 UTC
libyaml-0.1.2-6.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2014-03-03 20:03:28 UTC
libyaml-0.1.5-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.