This queue is for tickets about the YAML-LibYAML CPAN distribution.

Report information
The Basics
Id: 46507
Status: resolved
Worked: 2 hours (120 min)
Priority: 0/
Queue: YAML-LibYAML

People
Owner: NAWGLAN [...] cpan.org
Requestors: jquelin [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.32
Fixed in: 0.57



Subject: compiling with -Werror=format-security fails
Mandriva defines various compilation flags, one of them being -Werror=format-security, and YAML::LibYAML fails to compile with this flag. The attached patch fixes the problem.
Subject: format-error.patch
--- LibYAML/perl_libyaml.c.orig 2009-05-30 12:05:58.000000000 +0200 +++ LibYAML/perl_libyaml.c 2009-05-30 12:09:08.000000000 +0200 @@ -181,7 +181,7 @@ return; load_error: - croak(loader_error_msg(&loader, NULL)); + croak("%s", loader_error_msg(&loader, NULL)); } /* @@ -230,12 +230,12 @@ /* Some kind of error occurred */ if (loader->event.type == YAML_NO_EVENT) - croak(loader_error_msg(loader, NULL)); + croak("%s", loader_error_msg(loader, NULL)); croak(ERRMSG "Invalid event '%d' at top level", (int) loader->event.type); load_error: - croak(loader_error_msg(loader, NULL)); + croak("%s", loader_error_msg(loader, NULL)); } /* @@ -277,7 +277,7 @@ } else if (strlen(tag) <= strlen(prefix) || ! strnEQ(tag, prefix, strlen(prefix)) - ) croak( + ) croak( "%s", loader_error_msg(loader, form("bad tag found for hash: '%s'", tag)) ); class = tag + strlen(prefix); @@ -310,7 +310,7 @@ prefix = "!"; else if (strlen(tag) <= strlen(prefix) || ! strnEQ(tag, prefix, strlen(prefix)) - ) croak( + ) croak( "%s", loader_error_msg(loader, form("bad tag found for array: '%s'", tag)) ); class = tag + strlen(prefix);
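Review bot: In the two tag hunks (@@ -277 and @@ -310) the new `"%s",` is appended to the `) croak(` line, where it is easy to miss at the end of the condition; put it on its own line with the `loader_error_msg(...)` argument so the constant format is visible at the call. Those two calls are also where `tag` is interpolated through `form()` into the message, so a regression test that checks the reported message for a tag containing a literal `%` would pin the fix down. Only the `loader_error_msg` call sites appear in these hunks, so it is worth checking the rest of perl_libyaml.c for any other `croak` call whose first argument is not a string literal.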
updated patch for version 0.35
Subject: YAML-LibYAML-0.35-format-error.patch
diff -urbaN YAML-LibYAML-0.35-orig//LibYAML/perl_libyaml.c YAML-LibYAML-0.35/LibYAML/perl_libyaml.c --- YAML-LibYAML-0.35-orig//LibYAML/perl_libyaml.c 2011-04-03 18:28:08.000000000 +0200 +++ YAML-LibYAML-0.35/LibYAML/perl_libyaml.c 2011-04-08 09:25:49.633009787 +0200 @@ -188,7 +188,7 @@ return; load_error: - croak(loader_error_msg(&loader, NULL)); + croak("%s", loader_error_msg(&loader, NULL)); } /* @@ -271,7 +271,7 @@ return return_sv; load_error: - croak(loader_error_msg(loader, NULL)); + croak("%s", loader_error_msg(loader, NULL)); } /* @@ -314,7 +314,7 @@ else if (strlen(tag) <= strlen(prefix) || ! strnEQ(tag, prefix, strlen(prefix)) ) croak( - loader_error_msg(loader, form("bad tag found for hash: '%s'", tag)) + "%s", loader_error_msg(loader, form("bad tag found for hash: '%s'", tag)) ); class = tag + strlen(prefix); sv_bless(hash_ref, gv_stashpv(class, TRUE)); @@ -347,7 +347,7 @@ else if (strlen(tag) <= strlen(prefix) || ! strnEQ(tag, prefix, strlen(prefix)) ) croak( - loader_error_msg(loader, form("bad tag found for array: '%s'", tag)) + "%s", loader_error_msg(loader, form("bad tag found for array: '%s'", tag)) ); class = tag + strlen(prefix); sv_bless(array_ref, gv_stashpv(class, TRUE));
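Review bot: The `croak(loader_error_msg(loader, NULL))` under `if (loader->event.type == YAML_NO_EVENT)`, which the 2009 patch changed at @@ -230, has no counterpart in this version; confirm that call no longer exists in 0.35, and if it does, add the `"%s"` there as well so no non-literal format remains. The placement of `"%s",` on the `loader_error_msg(...)` line in the @@ -314 and @@ -347 hunks reads better than the earlier `) croak( "%s",` form and is worth keeping.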
Debian also plans to build Perl with -Werror=format-security (see http://article.gmane.org/gmane.comp.lang.perl.perl5.porters/105559), so it would really help if the patch provided by jquelin@cpan.org was applied to YAML::LibYAML.
From: ntyni [...] iki.fi
On Sat May 30 06:12:41 2009, JQUELIN wrote:
> mandriva defines various compilation flags, one of them being
> -Werror=format-security
>
> and yaml::libyaml fails to compile with this flag. attached patch fixes
> the problem.

FYI, these errors cause real security issues and Debian will be issuing security updates for them. I'm not aware of a CVE id yet, but I expect one will be allocated.

Please fix this as soon as possible. If you want more details, just let me know.

--
Niko Tyni ntyni@debian.org
From: ntyni [...] iki.fi
On Fri Mar 09 01:03:45 2012, ntyni@iki.fi wrote:
> On Sat May 30 06:12:41 2009, JQUELIN wrote:
> > mandriva defines various compilation flags, one of them being
> > -Werror=format-security
> >
> > and yaml::libyaml fails to compile with this flag. attached patch fixes
> > the problem.
>
> FYI, these errors cause real security issues and Debian will be issuing
> security updates for them. I'm not aware of a CVE id yet, but I expect
> one will be allocated.

This is CVE-2012-1152.

http://seclists.org/oss-sec/2012/q1/609
On Sat Mar 10 06:22:01 2012, ntyni@iki.fi wrote:
> On Fri Mar 09 01:03:45 2012, ntyni@iki.fi wrote:
> > On Sat May 30 06:12:41 2009, JQUELIN wrote:
> > > mandriva defines various compilation flags, one of them being
> > > -Werror=format-security
> > >
> > > and yaml::libyaml fails to compile with this flag. attached patch fixes
> > > the problem.
> >
> > FYI, these errors cause real security issues and Debian will be issuing
> > security updates for them. I'm not aware of a CVE id yet, but I expect
> > one will be allocated.
>
> This is CVE-2012-1152.
>
> http://seclists.org/oss-sec/2012/q1/609

Moved this to GitHub https://github.com/ingydotnet/yaml-libyaml-pm/issues/20

And applied modified patch to account for new versions since original patch was provided.

--
Dez.
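The call shape these patches change, as an added C illustration that is not code from YAML::LibYAML or from the patches in this ticket: `croak_like` and `error_msg` are hypothetical stand-ins for Perl's `croak` and the module's `loader_error_msg(loader, form(...))`. The sample tag is constructed and contains `%%`, so the difference between passing the message as the format and passing it as data shows up with well-defined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for croak(): printf-style, but it formats into a
 * caller-supplied buffer instead of dying. */
static void croak_like(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Hypothetical stand-in for loader_error_msg(loader, form(...)): builds the
 * message from a tag that comes from the document being loaded. */
static const char *error_msg(const char *tag)
{
    static char msg[128];
    snprintf(msg, sizeof msg, "bad tag found for hash: '%s'", tag);
    return msg;
}

/* Pre-patch shape: the built message is used as the format string, so any
 * '%' in the tag is interpreted. If croak_like were declared with
 * __attribute__((format(printf, 3, 4))), gcc -Wformat
 * -Werror=format-security would reject this call. */
static const char *report_unpatched(const char *tag)
{
    static char out[160];
    croak_like(out, sizeof out, error_msg(tag));
    return out;
}

/* Patched shape: constant format, message passed as data. */
static const char *report_patched(const char *tag)
{
    static char out[160];
    croak_like(out, sizeof out, "%s", error_msg(tag));
    return out;
}

int main(void)
{
    const char *tag = "!perl/100%%";            /* constructed sample tag */
    const char *u = report_unpatched(tag), *p = report_patched(tag);
    printf("unpatched: %s\npatched:   %s\n", u, p);
    printf("identical: %s\n", strcmp(u, p) == 0 ? "yes" : "no");
    return 0;
}
```

Only the patched form reports the tag exactly as it appeared in the input; the unpatched form lets the input decide how the format is parsed.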