Multiple format string flaws were found in the way perl-YAML-LibYAML, Perl YAML serialization using XS and libyaml, performed:
1) error reporting by loading of general YAML stream,
2) error reporting by loading of YAML node,
3) error reporting by loading of YAML mapping into a Perl hash, and
4) error reporting by loading of YAML sequence into a Perl array.

A remote attacker could provide a specially-crafted YAML document, which once processed by the perl-YAML-LibYAML interface would lead to perl-YAML-LibYAML based process crash.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661548

CPAN tickets:
[2] https://rt.cpan.org/Public/Bug/Display.html?id=75365
[3] https://rt.cpan.org/Public/Bug/Display.html?id=46507

Proposed patch:
[4] https://rt.cpan.org/Ticket/Attachment/920541/477607/YAML-LibYAML-0.35-format-error.patch
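The flaw class described in this report, as an added C example that is not code from perl-YAML-LibYAML or from the proposed patch: a loader error message that embeds document-derived text must reach a printf-style reporter (XS `croak` is one) as data, never as the format string. The names `report_error`, `build_loader_msg`, `report_fixed` and `escape_percent` and the sample message are assumptions constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style reporter (stand-in for XS croak); writes to `out`. */
static int report_error(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Build the loader's message; `problem` is text derived from the YAML input. */
static void build_loader_msg(char *msg, size_t n, const char *problem, int line)
{
    snprintf(msg, n, "YAML load error: %s at line %d", problem, line);
}

/* Fix 1: constant format, message passed as data. The flawed call is
 * report_error(out, n, msg), where '%' directives in msg consume missing args. */
static int report_fixed(char *out, size_t n, const char *msg)
{
    return report_error(out, n, "%s", msg);
}

/* Fix 2, for APIs that accept only a format string: double every '%'.
 * Returns 0 on success, -1 if `dst` is too small for the escaped text. */
static int escape_percent(char *dst, size_t n, const char *src)
{
    size_t j = 0;
    for (; *src; src++) {
        size_t need = (*src == '%') ? 2 : 1;
        if (j + need >= n) return -1;      /* keep room for the NUL */
        if (*src == '%') dst[j++] = '%';
        dst[j++] = *src;
    }
    dst[j] = '\0';
    return 0;
}

int main(void)
{
    char msg[128], out[128];
    build_loader_msg(msg, sizeof msg, "bad tag %s%s%n", 3); /* constructed input */
    report_fixed(out, sizeof out, msg);
    puts(out);
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang flag direct calls that pass a non-literal format with no arguments, which is how this pattern is usually caught in review.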
This issue affects the version of the perl-YAML-LibYAML package, as shipped with Fedora EPEL 6.

--

This issue affects the versions of the perl-YAML-LibYAML package, as shipped with Fedora releases 15 and 16.
CVE Request: [5] http://www.openwall.com/lists/oss-security/2012/03/09/6
Added CVE as per http://www.openwall.com/lists/oss-security/2012/03/10/4
perl-YAML-LibYAML-0.38-2.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
perl-YAML-LibYAML-0.38-2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
perl-YAML-LibYAML-0.38-2.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Created perl-YAML-LibYAML tracking bugs for this issue

Affects: epel-6 [bug 836924]
perl-YAML-LibYAML-0.38-3.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.