Bug 836924 - CVE-2012-1152 perl-YAML-LibYAML: Multiple format string flaws by reporting errors during YAML document load [epel-6]
Status: CLOSED ERRATA
Product: Fedora EPEL
Classification: Fedora
Component: perl-YAML-LibYAML
Version: el6
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Paul Howarth
QA Contact: Fedora Extras Quality Assurance
Keywords: Security, SecurityTracking
Blocks: CVE-2012-1152
Reported: 2012-07-02 03:54 EDT by Huzaifa S. Sidhpurwala
Modified: 2012-07-21 08:35 EDT (History)
Fixed In Version: perl-YAML-LibYAML-0.38-3.el6
Doc Type: Release Note
Last Closed: 2012-07-21 08:35:27 EDT
Attachments: None

Description Huzaifa S. Sidhpurwala 2012-07-02 03:54:35 EDT
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.

For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs).  Please mention the CVE IDs being fixed
in the RPM changelog when available.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=801738

epel-6 tracking bug for perl-YAML-LibYAML: see blocks bug list for full details of the security issue(s).

[bug automatically created by: add-tracking-bugs]
Comment 1 Paul Howarth 2012-07-02 05:50:07 EDT
I have a fix for this (basically updating the package in EPEL-6 to the same as was built for Fedora in April), which I could build if tremble is OK with that.
Comment 2 Huzaifa S. Sidhpurwala 2012-07-05 00:00:13 EDT
(In reply to comment #1)
> I have a fix for this (basically updating the package in EPEL-6 to the same
> as was built for Fedora in April), which I could build if tremble is OK with
> that.

Ok, you could backport the patch; the patch looks pretty simple to me :)
Comment 3 Paul Howarth 2012-07-05 04:16:10 EDT
(In reply to comment #2)
> (In reply to comment #1)
> > I have a fix for this (basically updating the package in EPEL-6 to the same
> > as was built for Fedora in April), which I could build if tremble is OK with
> > that.
> 
> Ok, you could backport the patch; the patch looks pretty simple to me :)

Well I could, but there are other fixes in the current version that would be useful and don't seem to break anything else too...
Comment 4 Huzaifa S. Sidhpurwala 2012-07-05 04:29:45 EDT
(In reply to comment #3)
> (In reply to comment #2)
> > (In reply to comment #1)
> > > I have a fix for this (basically updating the package in EPEL-6 to the same
> > > as was built for Fedora in April), which I could build if tremble is OK with
> > > that.
> > 
> > Ok, you could backport the patch; the patch looks pretty simple to me :)
> 
> Well I could, but there are other fixes in the current version that would be
> useful and don't seem to break anything else too...

Then you really should go ahead with the upgrade!
Comment 5 Paul Howarth 2012-07-05 04:33:54 EDT
Well I would, except that I'm not the EPEL-6 maintainer, tremble is. Now I could do it as a provenpackager but I'd run the risk of making a change that the maintainer didn't want to do for some reason, so I'd prefer to see some feedback from tremble first really.
Comment 6 Red Hat Production Operations 2012-07-05 09:13:50 EDT
Paul, sorry I missed your comment,

I was trying to backport the fix, but I hit a few issues and a lack of time.  Go for the update.

FYI: I am not overly protective of "my" packages, feel free to update especially for Security bugs.
Comment 7 Paul Howarth 2012-07-05 09:15:19 EDT
(In reply to comment #6, by Red Hat Production Operations)
> Paul, sorry I missed your comment,
> 
> I was trying to backport the fix, but I hit a few issues and a lack of time.
> Go for the update.
> 
> FYI: I am not overly protective of "my" packages, feel free to update
> especially for Security bugs.

tremble, is that you?
Comment 8 Mark Chappell 2012-07-05 09:16:58 EDT
Oops wrong account.

Paul, sorry I missed your comment,

I was trying to backport the fix, but I hit a few issues and a lack of time.  Go for the update.

FYI: I am not overly protective of "my" packages, feel free to update especially for Security bugs.
Comment 9 Fedora Update System 2012-07-05 10:20:47 EDT
perl-YAML-LibYAML-0.38-3.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/perl-YAML-LibYAML-0.38-3.el6
Comment 10 Fedora Update System 2012-07-20 20:22:15 EDT
perl-YAML-LibYAML-0.38-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.