Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

LibYAML: Arbitrary code execution — GLSA 201403-02

A Vulnerability in LibYAML could result in execution of arbitrary code.

Affected packages

Package dev-libs/libyaml on all architectures
Affected versions < 0.1.5
Unaffected versions >= 0.1.5

Background

LibYAML is a YAML 1.1 parser and emitter written in C.

Description

A heap-based buffer overflow flaw was found in the way libyaml parsed YAML tags.

Impact

A remote attacker could provide a specially-crafted YAML document which when parsed by LibYAML, would cause the application to crash or, potentially, execute arbitrary code with the privileges the user who is running the application.

Workaround

There is no known workaround at this time.

Resolution

All LibYAML users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-libs/libyaml-0.1.5"

References

Release date
March 08, 2014

Latest revision
March 08, 2014: 1

Severity
normal

Exploitable
remote

Bugzilla entries