Skip Menu |
 

This queue is for tickets about the YAML-LibYAML CPAN distribution.

Report information
The Basics
Id: 46507
Status: open
Priority: 0/
Queue: YAML-LibYAML

People
Owner: Nobody in particular
Requestors: jquelin [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.32
Fixed in: (no value)



Subject: compiling with -Werror=format-security fails
Download (untitled) / with headers
text/plain 171b
mandriva defines various compilation flags, one of them being -Werror=format-security and yaml::libyaml fails to compile with this flag. attached patch fixes the problem.
Subject: format-error.patch
Download format-error.patch
text/x-diff 1.2k
--- LibYAML/perl_libyaml.c.orig 2009-05-30 12:05:58.000000000 +0200 +++ LibYAML/perl_libyaml.c 2009-05-30 12:09:08.000000000 +0200 @@ -181,7 +181,7 @@ return; load_error: - croak(loader_error_msg(&loader, NULL)); + croak("%s", loader_error_msg(&loader, NULL)); } /* @@ -230,12 +230,12 @@ /* Some kind of error occurred */ if (loader->event.type == YAML_NO_EVENT) - croak(loader_error_msg(loader, NULL)); + croak("%s", loader_error_msg(loader, NULL)); croak(ERRMSG "Invalid event '%d' at top level", (int) loader->event.type); load_error: - croak(loader_error_msg(loader, NULL)); + croak("%s", loader_error_msg(loader, NULL)); } /* @@ -277,7 +277,7 @@ } else if (strlen(tag) <= strlen(prefix) || ! strnEQ(tag, prefix, strlen(prefix)) - ) croak( + ) croak( "%s", loader_error_msg(loader, form("bad tag found for hash: '%s'", tag)) ); class = tag + strlen(prefix); @@ -310,7 +310,7 @@ prefix = "!"; else if (strlen(tag) <= strlen(prefix) || ! strnEQ(tag, prefix, strlen(prefix)) - ) croak( + ) croak( "%s", loader_error_msg(loader, form("bad tag found for array: '%s'", tag)) ); class = tag + strlen(prefix);
updated patch for version 0.35
Subject: YAML-LibYAML-0.35-format-error.patch
diff -urbaN YAML-LibYAML-0.35-orig//LibYAML/perl_libyaml.c YAML-LibYAML-0.35/LibYAML/perl_libyaml.c --- YAML-LibYAML-0.35-orig//LibYAML/perl_libyaml.c 2011-04-03 18:28:08.000000000 +0200 +++ YAML-LibYAML-0.35/LibYAML/perl_libyaml.c 2011-04-08 09:25:49.633009787 +0200 @@ -188,7 +188,7 @@ return; load_error: - croak(loader_error_msg(&loader, NULL)); + croak("%s", loader_error_msg(&loader, NULL)); } /* @@ -271,7 +271,7 @@ return return_sv; load_error: - croak(loader_error_msg(loader, NULL)); + croak("%s", loader_error_msg(loader, NULL)); } /* @@ -314,7 +314,7 @@ else if (strlen(tag) <= strlen(prefix) || ! strnEQ(tag, prefix, strlen(prefix)) ) croak( - loader_error_msg(loader, form("bad tag found for hash: '%s'", tag)) + "%s", loader_error_msg(loader, form("bad tag found for hash: '%s'", tag)) ); class = tag + strlen(prefix); sv_bless(hash_ref, gv_stashpv(class, TRUE)); @@ -347,7 +347,7 @@ else if (strlen(tag) <= strlen(prefix) || ! strnEQ(tag, prefix, strlen(prefix)) ) croak( - loader_error_msg(loader, form("bad tag found for array: '%s'", tag)) + "%s", loader_error_msg(loader, form("bad tag found for array: '%s'", tag)) ); class = tag + strlen(prefix); sv_bless(array_ref, gv_stashpv(class, TRUE));
Download (untitled) / with headers
text/plain 230b
Debian also plans to build Perl with -Werror=format-security (see http://article.gmane.org/gmane.comp.lang.perl.perl5.porters/105559), so it would really help if the patch provided by jquelin@cpan.org was applied to YAML::LibYAML.
From: ntyni [...] iki.fi
Download (untitled) / with headers
text/plain 506b
On Sat May 30 06:12:41 2009, JQUELIN wrote: Show quoted text
> mandriva defines various compilation flags, one of them being > -Werror=format-security > > and yaml::libyaml fails to compile with this flag. attached patch fixes > the problem.
FYI, these errors cause real security issues and Debian will be issuing security updates for them. I'm not aware of a CVE id yet, but I expect one will be allocated. Please fix this as soon as possible. If you want more details, just let me know. -- Niko Tyni ntyni@debian.org
From: ntyni [...] iki.fi
Download (untitled) / with headers
text/plain 529b
On Fri Mar 09 01:03:45 2012, ntyni@iki.fi wrote: Show quoted text
> On Sat May 30 06:12:41 2009, JQUELIN wrote:
> > mandriva defines various compilation flags, one of them being > > -Werror=format-security > > > > and yaml::libyaml fails to compile with this flag. attached patch fixes > > the problem.
> > FYI, these errors cause real security issues and Debian will be issuing > security updates for them. I'm not aware of a CVE id yet, but I expect > one will be allocated.
This is CVE-2012-1152. http://seclists.org/oss-sec/2012/q1/609


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.