Security update for perl-YAML-LibYAML

Announcement ID:	SUSE-SU-2015:0953-1
Rating:	moderate
References:	bsc#860617 bsc#868944 bsc#907809 bsc#911782
Cross-References:	CVE-2013-6393 CVE-2014-2525 CVE-2014-9130
CVSS scores:
Affected Products:	SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server for SAP Applications 12

An update that solves three vulnerabilities and has one security fix can now be installed.

Description:

perl-YAML-LibYAML was updated to fix three security issues.

These security issues were fixed: - CVE-2013-6393: The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performed an incorrect cast, which allowed remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggered a heap-based buffer overflow (bnc#860617, bnc#911782). - CVE-2014-9130: scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allowed context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping (bnc#907809, bnc#911782). - CVE-2014-2525: Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allowed context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file (bnc#868944, bnc#911782).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Desktop 12
  zypper in -t patch SUSE-SLE-DESKTOP-12-2015-215=1
• SUSE Linux Enterprise Server 12
  zypper in -t patch SUSE-SLE-SERVER-12-2015-215=1
• SUSE Linux Enterprise Server for SAP Applications 12
  zypper in -t patch SUSE-SLE-SERVER-12-2015-215=1

Package List:

• SUSE Linux Enterprise Desktop 12 (x86_64)
  • perl-YAML-LibYAML-debuginfo-0.38-10.1
  • perl-YAML-LibYAML-0.38-10.1
  • perl-YAML-LibYAML-debugsource-0.38-10.1
• SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64)
  • perl-YAML-LibYAML-debuginfo-0.38-10.1
  • perl-YAML-LibYAML-0.38-10.1
  • perl-YAML-LibYAML-debugsource-0.38-10.1
• SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
  • perl-YAML-LibYAML-debuginfo-0.38-10.1
  • perl-YAML-LibYAML-0.38-10.1
  • perl-YAML-LibYAML-debugsource-0.38-10.1

References:

• https://www.suse.com/security/cve/CVE-2013-6393.html
• https://www.suse.com/security/cve/CVE-2014-2525.html
• https://www.suse.com/security/cve/CVE-2014-9130.html
• https://bugzilla.suse.com/show_bug.cgi?id=860617
• https://bugzilla.suse.com/show_bug.cgi?id=868944
• https://bugzilla.suse.com/show_bug.cgi?id=907809
• https://bugzilla.suse.com/show_bug.cgi?id=911782