Version in base suite: 1.34-2 Base version: libyaml-syck-perl_1.34-2 Target version: libyaml-syck-perl_1.34-2+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/liby/libyaml-syck-perl/libyaml-syck-perl_1.34-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/liby/libyaml-syck-perl/libyaml-syck-perl_1.34-2+deb13u1.dsc changelog | 8 + patches/Address-memory-corruption-leading-to-str-value-being.patch | 68 ++++++++++ patches/series | 1 3 files changed, 77 insertions(+)
diff -Nru libyaml-syck-perl-1.34/debian/changelog libyaml-syck-perl-1.34/debian/changelog
--- libyaml-syck-perl-1.34/debian/changelog 2022-10-16 03:30:29.000000000 +0000
+++ libyaml-syck-perl-1.34/debian/changelog 2025-10-17 04:18:57.000000000 +0000
@@ -1,3 +1,11 @@
+libyaml-syck-perl (1.34-2+deb13u1) trixie; urgency=medium
+
+ * Team upload.
+ * Address memory corruption leading to 'str' value being set on empty keys
+ (CVE-2025-11683)
+
+ -- Salvatore Bonaccorso Fri, 17 Oct 2025 06:18:57 +0200
+
 libyaml-syck-perl (1.34-2) unstable; urgency=medium
 [ Jenkins ]
diff -Nru libyaml-syck-perl-1.34/debian/patches/Address-memory-corruption-leading-to-str-value-being.patch libyaml-syck-perl-1.34/debian/patches/Address-memory-corruption-leading-to-str-value-being.patch
--- libyaml-syck-perl-1.34/debian/patches/Address-memory-corruption-leading-to-str-value-being.patch 1970-01-01 00:00:00.000000000 +0000
+++ libyaml-syck-perl-1.34/debian/patches/Address-memory-corruption-leading-to-str-value-being.patch 2025-10-17 04:18:57.000000000 +0000
@@ -0,0 +1,68 @@
+From: Timothy Legge
+Date: Thu, 9 Oct 2025 23:12:45 -0300
+Subject: Address memory corruption leading to 'str' value being set on empty
+ keys
+Origin: https://github.com/cpan-authors/YAML-Syck/commit/dcf4c8477b82ef439f43fd20dc099082d096df02
+Bug: https://github.com/cpan-authors/YAML-Syck/pull/65
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-11683
+
+When yaml is parsed, qstr is allocated
+
+In cases when the keys point to empty values there is no value
+
+copied to qstr and no null value is copied in
+---
+ perl_syck.h | 3 ---
+ token.c | 6 +++++-
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/token.c
++++ b/token.c
+@@ -1552,6 +1552,7 @@ Plain:
+ int qidx = 0;
+ int qcapa = 100;
+ char *qstr = S_ALLOC_N( char, qcapa );
++ qstr[0] = '\0';
+ SyckLevel *plvl;
+ int parentIndent;
+
+@@ -1804,6 +1805,7 @@ SingleQuote:
+ int qidx = 0;
+ int qcapa = 100;
+ char *qstr = S_ALLOC_N( char, qcapa );
++ qstr[0] = '\0';
+
+ SingleQuote2:
+ YYTOKEN = YYCURSOR;
+@@ -1962,6 +1964,7 @@ DoubleQuote:
+ int qidx = 0;
+ int qcapa = 100;
+ char *qstr = S_ALLOC_N( char, qcapa );
++ qstr[0] = '\0';
+
+ DoubleQuote2:
+ YYTOKEN = YYCURSOR;
+@@ -2232,6 +2235,7 @@ TransferMethod:
+ int qidx = 0;
+ int qcapa = 100;
+ char *qstr = S_ALLOC_N( char, qcapa );
++ qstr[0] = '\0';
+
+ TransferMethod2:
+ YYTOKTMP = YYCURSOR;
+@@ -2450,6 +2454,7 @@ ScalarBlock:
+ SyckLevel *lvl = CURRENT_LEVEL();
+ int parentIndent = -1;
+
++ qstr[0] = '\0';
+ switch ( *yyt )
+ {
+ case '|': blockType = BLOCK_LIT; break;
+@@ -2472,7 +2477,6 @@ ScalarBlock:
+ }
+ }
+
+- qstr[0] = '\0';
+ YYTOKEN = YYCURSOR;
+
+ ScalarBlock2:
diff -Nru libyaml-syck-perl-1.34/debian/patches/series libyaml-syck-perl-1.34/debian/patches/series
--- libyaml-syck-perl-1.34/debian/patches/series 2022-10-16 03:30:29.000000000 +0000
+++ libyaml-syck-perl-1.34/debian/patches/series 2025-10-17 04:18:57.000000000 +0000
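Review bot: The patch header's diffstat (`perl_syck.h | 3 ---`, `2 files changed, 5 insertions(+), 4 deletions(-)`) does not match the body, which carries only token.c hunks (5 insertions, 1 deletion) and no perl_syck.h hunk at all. If that hunk was dropped on purpose for the 1.34 backport, say so in a DEP-3 comment and regenerate the diffstat so nobody assumes the header file was patched; if it was dropped by accident, the CVE-2025-11683 fix as shipped may be incomplete relative to the upstream commit. The `qstr[0] = '\0';` lines themselves are the right minimal fix: each site allocates `qstr` with `S_ALLOC_N` (presumably uninitialized) and an empty scalar copies nothing into it, so the buffer must already be an empty string before anything reads it as a C string; in the ScalarBlock hunk the assignment is moved ahead of the `switch ( *yyt )`, presumably because a path between the old and new position leaves with `qstr` untouched, but that code is outside the hunk. A one-line comment at each site, e.g. `/* empty scalars copy nothing: terminate now so a later read sees "" rather than heap garbage (CVE-2025-11683) */`, would stop a future cleanup from "simplifying" the assignment away. The surrounding scanner code starts and ends outside every hunk shown.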
@@ -1 +1,2 @@
 disable-compiler-check.patch
+Address-memory-corruption-leading-to-str-value-being.patch