Mandriva Linux Security Advisory : yaml (MDVSA-2015:060)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote Mandriva Linux host is missing one or more security
updates.

Description :

Updated yaml packages fix security vulnerabilities :

Florian Weimer of the Red Hat Product Security Team discovered a
heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and
emitter library. A remote attacker could provide a YAML document with
a specially crafted tag that, when parsed by an application using
libyaml, would cause the application to crash or, potentially, execute
arbitrary code with the privileges of the user running the application
(CVE-2013-6393).

Ivan Fratric of the Google Security Team discovered a heap-based
buffer overflow vulnerability in LibYAML, a fast YAML 1.1 parser and
emitter library. A remote attacker could provide a specially crafted
YAML document that, when parsed by an application using libyaml, would
cause the application to crash or, potentially, execute arbitrary code
with the privileges of the user running the application
(CVE-2014-2525).

An assertion failure was found in the way the libyaml library parsed
wrapped strings. An attacker able to load specially crafted YAML input
into an application using libyaml could cause the application to crash
(CVE-2014-9130).

See also :

http://advisories.mageia.org/MGASA-2014-0040.html
http://advisories.mageia.org/MGASA-2014-0150.html
http://advisories.mageia.org/MGASA-2014-0508.html

Solution :

Update the affected lib64yaml-devel and / or lib64yaml0_2 packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

Family: Mandriva Local Security Checks

Nessus Plugin ID: 81943 ()

Bugtraq ID:

CVE ID: CVE-2013-6393
CVE-2014-2525
CVE-2014-9130

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now