diff -u pyyaml-3.10/debian/changelog pyyaml-3.10/debian/changelog --- pyyaml-3.10/debian/changelog +++ pyyaml-3.10/debian/changelog @@ -1,3 +1,11 @@ +pyyaml (3.10-4ubuntu0.1) trusty-security; urgency=medium + + * SECURITY UPDATE: denial of service via triggered assertion + - debian/patches/CVE-2014-9130.patch: remove assertion + - CVE-2014-9130 + + -- Steve Beattie Thu, 08 Jan 2015 18:00:30 -0800 + pyyaml (3.10-4build4) trusty; urgency=medium * No change rebuild to drop python3.3 compiled extension. diff -u pyyaml-3.10/debian/patches/series pyyaml-3.10/debian/patches/series --- pyyaml-3.10/debian/patches/series +++ pyyaml-3.10/debian/patches/series @@ -1,0 +2 @@ +CVE-2014-9130.patch only in patch2: unchanged: --- pyyaml-3.10.orig/debian/patches/CVE-2014-9130.patch +++ pyyaml-3.10/debian/patches/CVE-2014-9130.patch @@ -0,0 +1,37 @@ +# HG changeset patch +# User Kirill Simonov +# Date 1417197216 21600 +# Node ID ddf211a41bb231c365fece5599b7e484e6dc33fc +# Parent 263dff6f9664ccdc532283ba5c7b282c0e436a7b +Removed invalid simple key assertion. + +CVE-2014-9130 + +diff --git a/lib/yaml/scanner.py b/lib/yaml/scanner.py +--- a/lib/yaml/scanner.py ++++ b/lib/yaml/scanner.py +@@ -297,10 +297,6 @@ + # Check if a simple key is required at the current position. + required = not self.flow_level and self.indent == self.column + +- # A simple key is required only if it is the first token in the current +- # line. Therefore it is always allowed. +- assert self.allow_simple_key or not required +- + # The next token might be a simple key. Let's save it's number and + # position. + if self.allow_simple_key: +diff --git a/lib3/yaml/scanner.py b/lib3/yaml/scanner.py +--- a/lib3/yaml/scanner.py ++++ b/lib3/yaml/scanner.py +@@ -297,10 +297,6 @@ + # Check if a simple key is required at the current position. + required = not self.flow_level and self.indent == self.column + +- # A simple key is required only if it is the first token in the current +- # line. Therefore it is always allowed. +- assert self.allow_simple_key or not required +- + # The next token might be a simple key. Let's save it's number and + # position. + if self.allow_simple_key: