Your submission was sent successfully! Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2013-6393

Publication date 27 January 2014

Last updated 24 July 2024


Ubuntu priority

The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow.

Read the notes from the security team

Status

Package Ubuntu Release Status
libyaml 13.10 saucy
Fixed 0.1.4-2ubuntu0.13.10.1
13.04 raring Ignored end of life
12.10 quantal
Fixed 0.1.4-2ubuntu0.12.10.1
12.04 LTS precise
Fixed 0.1.4-2ubuntu0.12.04.1
10.04 LTS lucid Ignored end of life
libyaml-libyaml-perl 13.10 saucy
Fixed 0.38-3ubuntu0.13.10.1
12.10 quantal
Fixed 0.38-3ubuntu0.12.10.1
12.04 LTS precise
Fixed 0.38-2ubuntu0.1
10.04 LTS lucid Ignored end of life

Notes


mdeslaur

regression was introduced in USN-2098-1 redhat created three patches: libyaml-string-overflow.patch is upstream 1d73f004f49e6962cf936da98aecf0aec95c4c50 libyaml-node-id-hardening.patch seems to have been done differently upstream in b77d42277c32b58a114a0fa0968038a4b0ab24f4 libyaml-indent-column-overflow-v2.patch was done differently upstream in f859ed1eb757a3562b98a28a8ce69274bfd4b3f2 and af3599437a87162554787c52d8b16eab553f537b

References

Related Ubuntu Security Notices (USN)

    • USN-2161-1
    • libyaml-libyaml-perl vulnerabilities
    • 3 April 2014
    • USN-2098-1
    • LibYAML vulnerability
    • 4 February 2014

Other references