Bug#1118230: bookworm-pu: package libyaml-syck-perl/1.34-2+deb12u1
Salvatore Bonaccorso
carnil at debian.org
Fri Oct 17 06:07:42 BST 2025
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libyaml-syck-perl at packages.debian.org, Debian Perl Group <pkg-perl-maintainers at lists.alioth.debian.org>, gregor herrmann <gregoa at debian.org>, team at security.debian.org, carnil at debian.org
Control: affects -1 + src:libyaml-syck-perl
User: release.debian.org at packages.debian.org
Usertags: pu
Hi SRM,
[ Reason ]
libyaml-syck-perl in bookworm is affected by CVE-2025-11683 which does
not warrant a DSA.
[ Impact ]
Users remain vulnerable to the memory corruption from
CVE-2025-11683.
[ Tests ]
Done explicitly with a test case triggering the issue. Additionally
ran the autopkgtests on reverse dependencies as per
https://debusine.debian.net/debian/developers/work-request/207206/.
[ Risks ]
It is the upstream/cpan-authors patch, merged and targeted for the fix, so
I would say rather low.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Regards,
Salvatore
-------------- next part --------------
diff -Nru libyaml-syck-perl-1.34/debian/changelog libyaml-syck-perl-1.34/debian/changelog
--- libyaml-syck-perl-1.34/debian/changelog 2022-10-16 05:30:29.000000000 +0200
+++ libyaml-syck-perl-1.34/debian/changelog 2025-10-17 06:52:50.000000000 +0200
@@ -1,3 +1,11 @@
+libyaml-syck-perl (1.34-2+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * Address memory corruption leading to 'str' value being set on empty keys
+ (CVE-2025-11683)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Fri, 17 Oct 2025 06:52:50 +0200
+
libyaml-syck-perl (1.34-2) unstable; urgency=medium
[ Jenkins ]
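Review bot: the changelog entry in this hunk names the bug only by its symptom ('str' value being set on empty keys), while the patch description further down states the actual defect: qstr is allocated, and when a key has an empty value nothing is copied into it and no terminating NUL is written, so the buffer is read uninitialized. For the stable update record it would be clearer to say that, e.g. "Fix read of uninitialized qstr buffer when a key has an empty value (CVE-2025-11683)", rather than describing the side effect.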
diff -Nru libyaml-syck-perl-1.34/debian/patches/Address-memory-corruption-leading-to-str-value-being.patch libyaml-syck-perl-1.34/debian/patches/Address-memory-corruption-leading-to-str-value-being.patch
--- libyaml-syck-perl-1.34/debian/patches/Address-memory-corruption-leading-to-str-value-being.patch 1970-01-01 01:00:00.000000000 +0100
+++ libyaml-syck-perl-1.34/debian/patches/Address-memory-corruption-leading-to-str-value-being.patch 2025-10-17 06:52:50.000000000 +0200
@@ -0,0 +1,68 @@
+From: Timothy Legge <timlegge at gmail.com>
+Date: Thu, 9 Oct 2025 23:12:45 -0300
+Subject: Address memory corruption leading to 'str' value being set on empty
+ keys
+Origin: https://github.com/cpan-authors/YAML-Syck/commit/dcf4c8477b82ef439f43fd20dc099082d096df02
+Bug: https://github.com/cpan-authors/YAML-Syck/pull/65
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-11683
+
+When yaml is parsed, qstr is allocated
+
+In cases when the keys point to empty values there is no value
+
+copied to qstr and no null value is copied in
+---
+ perl_syck.h | 3 ---
+ token.c | 6 +++++-
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
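Review bot: the diffstat in the patch header (`perl_syck.h | 3 ---` and `2 files changed, 5 insertions(+), 4 deletions(-)`) does not match the body of this patch, which contains only token.c hunks (5 insertions, 1 deletion, matching the `token.c | 6 +++++-` line). If the perl_syck.h part of upstream commit dcf4c8477b82ef439f43fd20dc099082d096df02 was deliberately dropped for the 1.34 codebase, record that in the header (a one-line note next to Origin/Bug) and trim the diffstat to what is actually applied, so the next person refreshing the patch does not go looking for a missing hunk.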
+--- a/token.c
++++ b/token.c
+@@ -1552,6 +1552,7 @@ Plain:
+ int qidx = 0;
+ int qcapa = 100;
+ char *qstr = S_ALLOC_N( char, qcapa );
++ qstr[0] = '\0';
+ SyckLevel *plvl;
+ int parentIndent;
+
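Review bot: in this hunk the new `qstr[0] = '\0';` is inserted between the declaration of `qstr` and the declarations `SyckLevel *plvl;` and `int parentIndent;`, so a statement now precedes declarations within the block; the SingleQuote, DoubleQuote and TransferMethod hunks place the assignment after the last declaration. Move it below `int parentIndent;` for consistency with the other hunks and to keep the block valid under C89 rules, where mixed declarations and code are not allowed.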
+@@ -1804,6 +1805,7 @@ SingleQuote:
+ int qidx = 0;
+ int qcapa = 100;
+ char *qstr = S_ALLOC_N( char, qcapa );
++ qstr[0] = '\0';
+
+ SingleQuote2:
+ YYTOKEN = YYCURSOR;
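Review bot: this hunk, and the DoubleQuote and TransferMethod hunks that follow, apply the same one-byte fix as the Plain hunk: with `qcapa = 100` the write to `qstr[0]` is in bounds, and it makes the empty-value case safe only if every later consumer of `qstr` either appends at `qidx` and re-terminates, or reads it as a NUL-terminated string. The hunks do not show how `qstr` is consumed after these points, so the reviewer should confirm no path copies `qcapa` bytes wholesale (which would still read uninitialized memory past the first byte) before accepting that a single terminator is sufficient.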
+@@ -1962,6 +1964,7 @@ DoubleQuote:
+ int qidx = 0;
+ int qcapa = 100;
+ char *qstr = S_ALLOC_N( char, qcapa );
++ qstr[0] = '\0';
+
+ DoubleQuote2:
+ YYTOKEN = YYCURSOR;
+@@ -2232,6 +2235,7 @@ TransferMethod:
+ int qidx = 0;
+ int qcapa = 100;
+ char *qstr = S_ALLOC_N( char, qcapa );
++ qstr[0] = '\0';
+
+ TransferMethod2:
+ YYTOKTMP = YYCURSOR;
+@@ -2450,6 +2454,7 @@ ScalarBlock:
+ SyckLevel *lvl = CURRENT_LEVEL();
+ int parentIndent = -1;
+
++ qstr[0] = '\0';
+ switch ( *yyt )
+ {
+ case '|': blockType = BLOCK_LIT; break;
+@@ -2472,7 +2477,6 @@ ScalarBlock:
+ }
+ }
+
+- qstr[0] = '\0';
+ YYTOKEN = YYCURSOR;
+
+ ScalarBlock2:
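Review bot: the two ScalarBlock hunks together move `qstr[0] = '\0';` from after the `switch ( *yyt )` block (the `-` line in the second hunk) to before it. That is a real fix only if some path inside the switch or the braces that follow it leaves ScalarBlock with `qstr` unterminated (a `goto` or early return) or reads `qstr`, and none of that is visible in the context shown; as presented it reads as a pure reorder. Either widen the hunk context to show the early exit being covered, or add a sentence to the patch description saying which path in ScalarBlock this addresses. Unlike the other four hunks, the allocation of `qstr` is also outside the shown context here, so confirm it precedes the new initialisation.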
diff -Nru libyaml-syck-perl-1.34/debian/patches/series libyaml-syck-perl-1.34/debian/patches/series
--- libyaml-syck-perl-1.34/debian/patches/series 2022-10-16 05:30:29.000000000 +0200
+++ libyaml-syck-perl-1.34/debian/patches/series 2025-10-17 06:52:50.000000000 +0200
@@ -1 +1,2 @@
disable-compiler-check.patch
+Address-memory-corruption-leading-to-str-value-being.patch