CVE-2014-9130

Name	CVE-2014-9130
Description	scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-109-1, DLA-110-1, DLA-127-1, DSA-3102-1, DSA-3103-1, DSA-3115-1
Debian Bugs	771365, 771366, 772815

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libyaml (PTS)	buster	0.2.1-1	fixed
	bullseye	0.2.2-1	fixed
	sid, trixie, bookworm	0.2.5-1	fixed
libyaml-libyaml-perl (PTS)	buster	0.76+repack-1	fixed
	bullseye	0.82+repack-1	fixed
	bookworm	0.86+ds-1	fixed
	sid, trixie	0.89+ds-1	fixed
pyyaml (PTS)	buster	3.13-2	fixed
	bullseye	5.3.1-5	fixed
	bookworm	6.0-3	fixed
	sid, trixie	6.0.1-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
libyaml	source	squeeze	0.1.3-1+deb6u5	DLA-110-1
libyaml	source	wheezy	0.1.4-2+deb7u5	DSA-3102-1
libyaml	source	(unstable)	0.1.6-3		771366
libyaml-libyaml-perl	source	squeeze	0.33-1+squeeze4	DLA-109-1
libyaml-libyaml-perl	source	wheezy	0.38-3+deb7u3	DSA-3103-1
libyaml-libyaml-perl	source	(unstable)	0.41-6		771365
pyyaml	source	squeeze	3.09-5+deb6u1	DLA-127-1
pyyaml	source	wheezy	3.10-4+deb7u1	DSA-3115-1
pyyaml	source	(unstable)	3.11-2		772815

Notes

https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
https://bitbucket.org/xi/libyaml/commits/2b9156756423e967cfd09a61d125d883fca6f4f2
for pyyaml: might be need to be removed here (no-CVE assigned) or separate CVE
for pyyaml: https://bitbucket.org/xi/pyyaml/commits/ddf211a41bb231c365fece5599b7e484e6dc33fc/raw/