CVE-2014-9130

Name: CVE-2014-9130
Description: scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-109-1, DLA-110-1, DLA-127-1, DSA-3102-1, DSA-3103-1, DSA-3115-1
NVD severity: medium (attack range: remote)
Debian Bugs: 771365, 771366, 772815

Vulnerable and fixed packages

The table below lists information on source packages.

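| Source Package | Release | Version | Status |
|---|---|---|---|
| libyaml (PTS) | wheezy, wheezy (security) | 0.1.4-2+deb7u5 | fixed |
| libyaml | jessie | 0.1.6-3 | fixed |
| libyaml | buster, sid, stretch | 0.1.7-2 | fixed |
| libyaml-libyaml-perl (PTS) | wheezy, wheezy (security) | 0.38-3+deb7u3 | fixed |
| libyaml-libyaml-perl | jessie | 0.41-6 | fixed |
| libyaml-libyaml-perl | buster, sid, stretch | 0.63-2 | fixed |
| pyyaml (PTS) | wheezy, wheezy (security) | 3.10-4+deb7u1 | fixed |
| pyyaml | jessie | 3.11-2 | fixed |
| pyyaml | buster, sid, stretch | 3.12-1 | fixed |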

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libyaml | source | (unstable) | 0.1.6-3 | medium | | 771366 |
| libyaml | source | squeeze | 0.1.3-1+deb6u5 | medium | DLA-110-1 | |
| libyaml | source | wheezy | 0.1.4-2+deb7u5 | medium | DSA-3102-1 | |
| libyaml-libyaml-perl | source | (unstable) | 0.41-6 | medium | | 771365 |
| libyaml-libyaml-perl | source | squeeze | 0.33-1+squeeze4 | medium | DLA-109-1 | |
| libyaml-libyaml-perl | source | wheezy | 0.38-3+deb7u3 | medium | DSA-3103-1 | |
| pyyaml | source | (unstable) | 3.11-2 | medium | | 772815 |
| pyyaml | source | squeeze | 3.09-5+deb6u1 | medium | DLA-127-1 | |
| pyyaml | source | wheezy | 3.10-4+deb7u1 | medium | DSA-3115-1 | |

Notes

https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
https://bitbucket.org/xi/libyaml/commits/2b9156756423e967cfd09a61d125d883fca6f4f2
for pyyaml: might need to be removed here (no CVE assigned) or separate CVE
for pyyaml: https://bitbucket.org/xi/pyyaml/commits/ddf211a41bb231c365fece5599b7e484e6dc33fc/raw/
