diff options
| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | backport-CVE-2024-3205-Fix-emitter-states-handling-when-write_indicator-fails.patch | 52 | ||||
| -rw-r--r-- | backport-Improve-CMake-build-system.patch | 141 | ||||
| -rw-r--r-- | fix-heap-buffer-overflow-in-yaml_emitter_emit_flow_m.patch | 26 | ||||
| -rw-r--r-- | libyaml.spec | 85 | ||||
| -rw-r--r-- | sources | 1 |
6 files changed, 306 insertions, 0 deletions
@@ -0,0 +1 @@ +/yaml-0.2.5.tar.gz diff --git a/backport-CVE-2024-3205-Fix-emitter-states-handling-when-write_indicator-fails.patch b/backport-CVE-2024-3205-Fix-emitter-states-handling-when-write_indicator-fails.patch new file mode 100644 index 0000000..97b6c40 --- /dev/null +++ b/backport-CVE-2024-3205-Fix-emitter-states-handling-when-write_indicator-fails.patch @@ -0,0 +1,52 @@ +From ff577b94511f9fc314435a1154f1124dccbe57ec Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tina=20M=C3=BCller?= <cpan2@tinita.de> +Date: Mon, 8 Apr 2024 23:32:52 +0200 +Subject: [PATCH] Fix emitter states handling when write_indicator fails + +There are cases where yaml_emitter_write_indicator fails. +In that case POP is called on emitter->indents but not on emitter->states, +which results in a leftover event in the stack, and later POP is called +on an empty emitter->indents stack. + +This commit does not fix the case of the failing yaml_emitter_write_indicator. +This is still investigated. +--- + src/emitter.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/emitter.c b/src/emitter.c +index 609b28a4..0aca6c34 100644 +--- a/src/emitter.c ++++ b/src/emitter.c +@@ -759,6 +759,7 @@ yaml_emitter_emit_flow_sequence_item(yaml_emitter_t *emitter, + { + emitter->flow_level --; + emitter->indent = POP(emitter, emitter->indents); ++ emitter->state = POP(emitter, emitter->states); + if (emitter->canonical && !first) { + if (!yaml_emitter_write_indicator(emitter, ",", 0, 0, 0)) + return 0; +@@ -767,7 +768,6 @@ yaml_emitter_emit_flow_sequence_item(yaml_emitter_t *emitter, + } + if (!yaml_emitter_write_indicator(emitter, "]", 0, 0, 0)) + return 0; +- emitter->state = POP(emitter, emitter->states); + + return 1; + } +@@ -808,6 +808,7 @@ yaml_emitter_emit_flow_mapping_key(yaml_emitter_t *emitter, + return 0; + emitter->flow_level --; + emitter->indent = POP(emitter, emitter->indents); ++ emitter->state = POP(emitter, emitter->states); + if (emitter->canonical && !first) { + if (!yaml_emitter_write_indicator(emitter, ",", 0, 0, 0)) + return 0; +@@ -816,7 +817,6 @@ yaml_emitter_emit_flow_mapping_key(yaml_emitter_t *emitter, + } + if (!yaml_emitter_write_indicator(emitter, "}", 0, 0, 0)) + return 0; +- emitter->state = POP(emitter, emitter->states); + + return 1; + } diff --git a/backport-Improve-CMake-build-system.patch b/backport-Improve-CMake-build-system.patch new file mode 100644 index 0000000..b4ee5e8 --- /dev/null +++ b/backport-Improve-CMake-build-system.patch @@ -0,0 +1,141 @@ +From fe3d086fa75a289d6e4085df6f855f4c88c8d7c2 Mon Sep 17 00:00:00 2001 +From: Jean-Christophe Fillion-Robin <jchris.fillionr@kitware.com> +Date: Thu, 30 Nov 2017 08:14:27 -0500 +Subject: [PATCH] Improve CMake build system + +New build options +----------------- + +* Add option BUILD_TESTING by default ON +See https://cmake.org/cmake/help/v2.8.12/cmake.html#module:CTest + +* Simplify library type selection using standard option BUILD_SHARED_LIBS +See https://cmake.org/cmake/help/v3.0/variable/BUILD_SHARED_LIBS.html + +yamlConfig.cmake +---------------- + +* Generate and install yamlConfig.cmake, yamlConfigVersion.cmake and yamlTargets.cmake + +* Bump CMake version and explicitly associate include dirs with targets +See https://cmake.org/cmake/help/v3.0/manual/cmake-buildsystem.7.html#include-directories-and-usage-requirements + +* Ensure building against libyaml using "find_package(yaml)" uses expected compile options: Set HAVE_CONFIG_H +as private compile option, YAML_DECLARE_STATIC as public + +Testing +------- + +* Build all examples from "tests" directory + +CMake Best practices +-------------------- + +* configure "config.h" based on version info found in CMakeLists.txt + +* Ensure buildsystem re-generation listing sources (best-practice) + +It is not recommended to use GLOB to collect a list of source files from +the source tree. If no CMakeLists.txt file changes when a source is added +or removed then the generated build system cannot know when to ask CMake +to regenerate. + +See https://cmake.org/cmake/help/v3.8/command/file.html + +Compilation warnings +-------------------- + +* Set _CRT_SECURE_NO_WARNINGS if building using VisualStudio + +This will avoid warnings like this one: + +``` +C:\projects\libyaml\tests\run-emitter.c(268): warning C4996: 'fopen': +This function or variable may be unsafe. Consider using fopen_s instead. +To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for +details. +``` + +Continuous Integration +---------------------- + +* travis: Install CMake >= 3.x using scikit-ci-addons + +* Add comments to appveyor.yml and run-tests.sh +--- + cmake/config.h.in | 4 ++ + tests/CMakeLists.txt | 27 +++++++ + yamlConfig.cmake.in | 16 +++++ + 3 files changed, 47 insertions(+), 0 deletions(-) + create mode 100644 cmake/config.h.in + create mode 100644 tests/CMakeLists.txt + create mode 100644 yamlConfig.cmake.in + +diff --git a/cmake/config.h.in b/cmake/config.h.in +new file mode 100644 +index 0000000..51e2e24 +--- /dev/null ++++ b/cmake/config.h.in +@@ -0,0 +1,4 @@ ++#define YAML_VERSION_MAJOR @YAML_VERSION_MAJOR@ ++#define YAML_VERSION_MINOR @YAML_VERSION_MINOR@ ++#define YAML_VERSION_PATCH @YAML_VERSION_PATCH@ ++#define YAML_VERSION_STRING "@YAML_VERSION_STRING@" +diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt +new file mode 100644 +index 0000000..d10b424 +--- /dev/null ++++ b/tests/CMakeLists.txt +@@ -0,0 +1,27 @@ ++ ++function(add_yaml_executable name) ++ add_executable(${name} ${name}.c) ++ target_link_libraries(${name} yaml) ++endfunction() ++ ++foreach(name IN ITEMS ++ example-deconstructor ++ example-deconstructor-alt ++ example-reformatter ++ example-reformatter-alt ++ run-dumper ++ run-emitter ++ run-emitter-test-suite ++ run-loader ++ run-parser ++ run-parser-test-suite ++ run-scanner ++ test-reader ++ test-version ++ ) ++ add_yaml_executable(${name}) ++endforeach() ++ ++add_test(NAME version COMMAND test-version) ++add_test(NAME reader COMMAND test-reader) ++ +diff --git a/yamlConfig.cmake.in b/yamlConfig.cmake.in +new file mode 100644 +index 0000000..dd3f8ee +--- /dev/null ++++ b/yamlConfig.cmake.in +@@ -0,0 +1,16 @@ ++# Config file for the yaml library. ++# ++# It defines the following variables: ++# yaml_LIBRARIES - libraries to link against ++ ++@PACKAGE_INIT@ ++ ++set_and_check(yaml_TARGETS "@PACKAGE_CONFIG_DIR_CONFIG@/yamlTargets.cmake") ++ ++if(NOT yaml_TARGETS_IMPORTED) ++ set(yaml_TARGETS_IMPORTED 1) ++ include(${yaml_TARGETS}) ++endif() ++ ++set(yaml_LIBRARIES yaml) ++ +-- +2.27.0 + diff --git a/fix-heap-buffer-overflow-in-yaml_emitter_emit_flow_m.patch b/fix-heap-buffer-overflow-in-yaml_emitter_emit_flow_m.patch new file mode 100644 index 0000000..957a0cf --- /dev/null +++ b/fix-heap-buffer-overflow-in-yaml_emitter_emit_flow_m.patch @@ -0,0 +1,26 @@ +From 7015a5e99fecc195e36f2334b046b19abfc718c1 Mon Sep 17 00:00:00 2001 +From: panxiaohe <panxh.life@foxmail.com> +Date: Mon, 18 Apr 2022 15:26:11 +0800 +Subject: [PATCH] fix heap buffer overflow in + yaml_emitter_emit_flow_mapping_key + +--- + src/emitter.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/emitter.c b/src/emitter.c +index 609b28a..a9f39ec 100644 +--- a/src/emitter.c ++++ b/src/emitter.c +@@ -806,6 +806,8 @@ yaml_emitter_emit_flow_mapping_key(yaml_emitter_t *emitter, + + if (event->type == YAML_MAPPING_END_EVENT) + { ++ if (STACK_EMPTY(emitter, emitter->indents)) ++ return 0; + emitter->flow_level --; + emitter->indent = POP(emitter, emitter->indents); + if (emitter->canonical && !first) { +-- +1.8.3.1 + diff --git a/libyaml.spec b/libyaml.spec new file mode 100644 index 0000000..38bd4e3 --- /dev/null +++ b/libyaml.spec @@ -0,0 +1,85 @@ +Name: libyaml +Version: 0.2.5 +Release: 7 +Summary: A C library for parsing and emitting YAML +License: MIT +URL: https://github.com/yaml/libyaml +Source0: https://github.com/yaml/libyaml/releases/download/%{version}/yaml-%{version}.tar.gz + +Patch0: fix-heap-buffer-overflow-in-yaml_emitter_emit_flow_m.patch +Patch1: backport-Improve-CMake-build-system.patch +Patch2: backport-CVE-2024-3205-Fix-emitter-states-handling-when-write_indicator-fails.patch + +BuildRequires: gcc cmake + +%description +YAML is a data serialization format designed for human readability and +interaction with scripting languages. LibYAML is a YAML parser and +emitter written in C. + +%package devel +Summary: Development files for LibYAML applications +Requires: %{name} = %{version}-%{release} + +%description devel +The %{name}-devel package contains libraries and header files for +developing applications that use LibYAML. + +%package_help + +%prep +%autosetup -n yaml-%{version} -p1 + +%build +%cmake +%cmake_build + +%install +%cmake_install + +%check +%ctest + +%files +%license License +%doc ReadMe.md +%{_libdir}/%{name}*.so.* + + +%files devel +%{_libdir}/%{name}*.so +%{_libdir}/pkgconfig/yaml-0.1.pc +%{_includedir}/yaml.h + +%files help +%doc doc/html + +%changelog +* Sun Aug 11 2024 Funda Wang <fundawang@yeah.net> - 0.2.5-7 +- cleanup spec +- build with cmake + +* Thu Apr 25 2024 fuanan <fuanan3@h-partners.com> - 0.2.5-6 +- fix CVE-2024-3205 + +* Sat May 27 2023 fuanan <fuanan3@h-partners.com> - 0.2.5-5 +- Support cmake build system +- Modify URL and Source0 + +* Fri Nov 18 2022 chenziyang <chenziyang4@huawei.com> - 0.2.5-4 +- Fix heap buffer overflow in yaml_emitter_emit_flow_sequence_item + +* Mon Apr 18 2022 panxiaohe <panxh.life@foxmail.com> - 0.2.5-3 +- fix heap buffer overflow in yaml_emitter_emit_flow_mapping_key + +* Wed Feb 23 2022 fuanan <fuanan3@h-partners.com> - 0.2.5-2 +- fix typo in spec + +* Mon Jul 27 2020 Hugel <gengqihu1@huawei.com> - 0.2.5-1 +- update to 0.2.5 + +* Wed Mar 18 2020 Leo Fang <leofang_94@163.com> - 0.2.2-2 +- Fix overwrite the soname symlink bug in spec + +* Tue Sep 3 2019 openEuler Buildteam <buildteam@openeuler.org> - 0.2.2-1 +- Package init @@ -0,0 +1 @@ +bb15429d8fb787e7d3f1c83ae129a999 yaml-0.2.5.tar.gz |