1 files changed, 42 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/libyaml/files/libyaml-CVE-2014-2525.patch b/meta-oe/recipes-support/libyaml/files/libyaml-CVE-2014-2525.patch
new file mode 100644
index 0000000000..2fdcba3eca
--- /dev/null
+++ b/meta-oe/recipes-support/libyaml/files/libyaml-CVE-2014-2525.patch
@@ -0,0 +1,42 @@
+Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function
+in LibYAML before 0.1.6 allows context-dependent attackers to execute
+arbitrary code via a long sequence of percent-encoded characters in a
+URI in a YAML file.
+Upstream-Status: Backport
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+diff --git a/src/scanner.c.old b/src/scanner.c
+index a2e8619..c6cde3b 100644
+--- a/src/scanner.c.old
+++ b/src/scanner.c
+@@ -2619,6 +2619,9 @@ yaml_parser_scan_tag_uri(yaml_parser_t *parser, int directive,
+         /* Check if it is a URI-escape sequence. */
+ 
+         if (CHECK(parser->buffer, '%')) {
+            if (!STRING_EXTEND(parser, string))
+                goto error;
+
+             if (!yaml_parser_scan_uri_escapes(parser,
+                         directive, start_mark, &string)) goto error;
+         }
+diff --git a/src/yaml_private.h.old b/src/yaml_private.h
+index ed5ea66..d72acb4 100644
+--- a/src/yaml_private.h.old
+++ b/src/yaml_private.h
+@@ -132,9 +132,12 @@ yaml_string_join(
+      (string).start = (string).pointer = (string).end = 0)
+ 
+ #define STRING_EXTEND(context,string)                                           \
+-    (((string).pointer+5 < (string).end)                                        \
+    ((((string).pointer+5 < (string).end)                                       \
+         || yaml_string_extend(&(string).start,                                  \
+-            &(string).pointer, &(string).end))
+            &(string).pointer, &(string).end)) ?                                \
+         1 :                                                                    \
+        ((context)->error = YAML_MEMORY_ERROR,                                  \
+         0))
+ 
+ #define CLEAR(context,string)                                                   \
+     ((string).pointer = (string).start,                                         \

diff --git a/meta-oe/recipes-support/libyaml/files/libyaml-CVE-2014-2525.patch b/meta-oe/recipes-support/libyaml/files/libyaml-CVE-2014-2525.patch new file mode 100644 index 0000000000..2fdcba3eca --- /dev/null +++ b/meta-oe/recipes-support/libyaml/files/libyaml-CVE-2014-2525.patch
@@ -0,0 +1,42 @@
	1	Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function
	2	in LibYAML before 0.1.6 allows context-dependent attackers to execute
	3	arbitrary code via a long sequence of percent-encoded characters in a
	4	URI in a YAML file.
	5
	6	Upstream-Status: Backport
	7
	8	Signed-off-by: Kai Kang <kai.kang@windriver.com>
	9	---
	10	diff --git a/src/scanner.c.old b/src/scanner.c
	11	index a2e8619..c6cde3b 100644
	12	--- a/src/scanner.c.old
	13	+++ b/src/scanner.c
	14	@@ -2619,6 +2619,9 @@ yaml_parser_scan_tag_uri(yaml_parser_t *parser, int directive,
	15	/* Check if it is a URI-escape sequence. */
	16
	17	if (CHECK(parser->buffer, '%')) {
	18	+ if (!STRING_EXTEND(parser, string))
	19	+ goto error;
	20	+
	21	if (!yaml_parser_scan_uri_escapes(parser,
	22	directive, start_mark, &string)) goto error;
	23	}
	24	diff --git a/src/yaml_private.h.old b/src/yaml_private.h
	25	index ed5ea66..d72acb4 100644
	26	--- a/src/yaml_private.h.old
	27	+++ b/src/yaml_private.h
	28	@@ -132,9 +132,12 @@ yaml_string_join(
	29	(string).start = (string).pointer = (string).end = 0)
	30
	31	#define STRING_EXTEND(context,string) \
	32	- (((string).pointer+5 < (string).end) \
	33	+ ((((string).pointer+5 < (string).end) \
	34	\|\| yaml_string_extend(&(string).start, \
	35	- &(string).pointer, &(string).end))
	36	+ &(string).pointer, &(string).end)) ? \
	37	+ 1 : \
	38	+ ((context)->error = YAML_MEMORY_ERROR, \
	39	+ 0))
	40
	41	#define CLEAR(context,string) \
	42	((string).pointer = (string).start, \