CVE-2014-9130

Publication date 8 December 2014

Last updated 24 July 2024

Ubuntu priority

scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
libyaml	14.10 utopic	Fixed 0.1.6-1ubuntu0.1
	14.04 LTS trusty	Fixed 0.1.4-3ubuntu3.1
	12.04 LTS precise	Fixed 0.1.4-2ubuntu0.12.04.4
	10.04 LTS lucid	Ignored end of life
libyaml-libyaml-perl	14.10 utopic	Fixed 0.41-5ubuntu0.14.10.1
	14.04 LTS trusty	Fixed 0.41-5ubuntu0.14.04.1
	12.04 LTS precise	Fixed 0.38-2ubuntu0.2
	10.04 LTS lucid	Ignored end of life
pyyaml	14.10 utopic	Fixed 3.11-1ubuntu0.1
	14.04 LTS trusty	Fixed 3.10-4ubuntu0.1
	12.04 LTS precise	Fixed 3.10-2ubuntu0.1
	10.04 LTS lucid	Ignored end of life

Notes

seth-arnold

pyyaml may receive its own CVE

mdeslaur

perl PoC: http://www.openwall.com/lists/oss-security/2014/11/28/6

sbeattie

ruby1.9+ uses libyaml-0-2, so it's fixed when libyaml is fixed

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
libyaml	Upstream: https://bitbucket.org/xi/libyaml/commits/2b9156756423e967cfd09a61d125d883fca6f4f2
pyyaml	Upstream: https://bitbucket.org/xi/pyyaml/commits/ddf211a41bb231c365fece5599b7e484e6dc33fc

References

Related Ubuntu Security Notices (USN)

USN-2461-1
LibYAML vulnerability
12 January 2015

USN-2461-3
PyYAML vulnerability
12 January 2015