Date: Sat, 1 Feb 2014 20:53:20 +0000 (UTC) From: Bryan Drewery <bdrewery@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r342211 - head/security/vuxml Message-ID: <201402012053.s11KrKg7063442@svn.freebsd.org>
Author: bdrewery Date: Sat Feb 1 20:53:19 2014 New Revision: 342211 URL: http://svnweb.freebsd.org/changeset/ports/342211 QAT: https://qat.redports.org/buildarchive/r342211/ Log: - Document libyaml vulnerability in pkg Security: CVE-2013-6393 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sat Feb 1 20:08:35 2014 (r342210) +++ head/security/vuxml/vuln.xml Sat Feb 1 20:53:19 2014 (r342211) 
@@ -51,6 +51,45 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="111f1f84-1d14-4ff2-a9ea-cf07119c0d3b"> + <topic>pkg -- libyaml heap overflow resulting in possible code execution</topic> + <affects> + <package> + <name>pkg</name> + <range><lt>1.2.6</lt></range> + </package> + <package> + <name>pkg-devel</name> + <range><lt>1.2.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>libyaml was prone to a heap overflow that could result in + arbitrary code execution. Pkg uses libyaml to parse + the package manifests in some cases. Pkg also used libyaml + to parse the remote repository until 1.2.</p> + <p>RedHat Product Security Team reports on libyaml:</p> + <blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=1033990"> + <p>A heap-based buffer overflow flaw was found in the way libyaml + parsed YAML tags. A remote attacker could provide a + specially-crafted YAML document that, when parsed by an application + using libyaml, would cause the application to crash or, potentially, + execute arbitrary code with the privileges of the user running the + application.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2013-6393</cvename> + <url>https://bugzilla.redhat.com/show_bug.cgi?id=1033990</url> + </references> + <dates> + <discovery>2013-11-24</discovery> + <entry>2014-02-01</entry> + </dates> + </vuln> + <vuln vid="a4c9e12d-88b7-11e3-8ada-10bf48e1088e"> <topic>socat -- buffer overflow with data from command line</topic> <affects>
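Review bot: The affects block lists only pkg and pkg-devel, but the description opens with "libyaml was prone to a heap overflow", i.e. the flaw is in libyaml itself; either add the standalone libyaml port with its own fixed range to this entry (or file a separate entry for it), or make the description say explicitly that pkg carries its own copy of libyaml so readers do not assume the port is covered here. Two smaller points in the same hunk: the sentence "Pkg also used libyaml to parse the remote repository until 1.2." sits next to a range of `<lt>1.2.6</lt>`, so stating the fixed pkg version (1.2.6) in the description would avoid the apparent mismatch; and the capitalisation of the project name alternates between "pkg" (topic, package name) and "Pkg" (description), which is worth making consistent before commit.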