CVE-2013-6393

Upstream information

CVE-2013-6393 at MITRE

Description

The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow.

---

SUSE information

CVSS v2 Scores

	National Vulnerability Database
Base Score	6.82
Vector	AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Vector	Network
Access Complexity	Medium
Authentication	None
Confidentiality Impact	Partial
Integrity Impact	Partial
Availability Impact	Partial

SUSE Bugzilla entries: 860617 [RESOLVED / FIXED], 911782 [RESOLVED / ]

SUSE Security Advisories:

• SUSE-SU-2014:0403-1, published Wed Mar 19 17:04:27 MDT 2014
• SUSE-SU-2014:0456-1, published Thu Mar 27 06:04:11 MDT 2014
• SUSE-SU-2015:0953-1, published Wed May 27 09:05:36 MDT 2015
• SUSE-SU-2015:0953-2, published Wed May 27 10:05:15 MDT 2015
• openSUSE-SU-2014:0272-1, published Fri, 21 Feb 2014 18:07:01 +0100 (CET)
• openSUSE-SU-2014:0273-1, published Fri, 21 Feb 2014 19:04:12 +0100 (CET)
• openSUSE-SU-2014:0381-1, published Mon, 17 Mar 2014 10:04:13 +0100 (CET)
• openSUSE-SU-2015:0319-1, published Wed, 18 Feb 2015 17:04:57 +0100 (CET)
• openSUSE-SU-2016:1067-1, published Sun, 17 Apr 2016 17:08:02 +0200 (CEST)

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Linux Enterprise Desktop 12	perl-YAML-LibYAML >= 0.38-10.1	Patchnames: SUSE-SLE-DESKTOP-12-2015-215
SUSE Linux Enterprise Server 12	perl-YAML-LibYAML >= 0.38-10.1	Patchnames: SUSE-SLE-SERVER-12-2015-215
SUSE Manager 1.7	libyaml-0-2 >= 0.1.3-0.10.12.1	Patchnames: sleman17sp2-libyaml sleman17sp2-libyaml-0-2
SUSE OpenStack Cloud 3.0	libyaml-0-2 >= 0.1.3-0.10.12.1	Patchnames: sleclo30sp3-libyaml
SUSE Studio Onsite 1.3	libyaml-0-2 >= 0.1.3-0.10.12.1	Patchnames: slestso13-libyaml slestso13-libyaml-0-2
SUSE Cloud 3	libyaml-0-2 >= 0.1.3-0.10.12.1	Builds SAT Patch Nr: 9041
SUSE Manager 1.7 for SLE 11 SP2 SUSE Studio Onsite 1.3	libyaml-0-2 >= 0.1.3-0.10.10.1	Builds SAT Patch Nr: 8990
SUSE Manager 1.7 for SLE 11 SP2 SUSE Studio Onsite 1.3	libyaml-0-2 >= 0.1.3-0.10.12.1	Builds SAT Patch Nr: 9042
openSUSE 12.3	libyaml >= 0.1.3-11.8.1 libyaml-0-2 >= 0.1.3-11.8.1 libyaml-0-2-debuginfo >= 0.1.3-11.8.1 libyaml-debugsource >= 0.1.3-11.8.1 libyaml-devel >= 0.1.3-11.8.1	Patchnames: openSUSE-2014-150 openSUSE-2014-215
openSUSE 13.1	libyaml >= 0.1.4-2.8.1 libyaml-0-2 >= 0.1.4-2.8.1 libyaml-0-2-debuginfo >= 0.1.4-2.8.1 libyaml-debugsource >= 0.1.4-2.8.1 libyaml-devel >= 0.1.4-2.8.1 perl-YAML-LibYAML >= 0.59-6.4.1 perl-YAML-LibYAML-debuginfo >= 0.59-6.4.1 perl-YAML-LibYAML-debugsource >= 0.59-6.4.1	Patchnames: openSUSE-2014-150 openSUSE-2014-215 openSUSE-2015-162
openSUSE 13.2	perl-YAML-LibYAML >= 0.59-2.4.1 perl-YAML-LibYAML-debuginfo >= 0.59-2.4.1 perl-YAML-LibYAML-debugsource >= 0.59-2.4.1	Patchnames: openSUSE-2015-162
openSUSE Evergreen 11.4	libyaml >= 0.1.3-6.1 libyaml-0-2 >= 0.1.3-6.1 libyaml-0-2-debuginfo >= 0.1.3-6.1 libyaml-debugsource >= 0.1.3-6.1 libyaml-devel >= 0.1.3-6.1	Patchnames: 2014-21
openSUSE Leap 42.1	perl-YAML-LibYAML >= 0.38-4.1 perl-YAML-LibYAML-debuginfo >= 0.38-4.1 perl-YAML-LibYAML-debugsource >= 0.38-4.1	Patchnames: openSUSE-2016-473