From: Timothy Legge <timlegge@gmail.com>
Date: Thu, 9 Oct 2025 23:12:45 -0300
Subject: Address memory corruption leading to 'str' value being set on empty
keys
Origin: https://github.com/cpan-authors/YAML-Syck/commit/dcf4c8477b82ef439f43fd20dc099082d096df02
Bug: https://github.com/cpan-authors/YAML-Syck/pull/65
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-11683
When YAML is parsed, qstr is allocated.
In cases where the keys point to empty values, no value is
copied to qstr and no terminating null byte is copied in either.
---
perl_syck.h | 3 ---
token.c | 6 +++++-
2 files changed, 5 insertions(+), 4 deletions(-)
--- a/token.c
+++ b/token.c
@@ -1552,6 +1552,7 @@ Plain:
int qidx = 0;
int qcapa = 100;
char *qstr = S_ALLOC_N( char, qcapa );
+ qstr[0] = '\0';
SyckLevel *plvl;
int parentIndent;
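Review bot: In Plain the new `qstr[0] = '\0';` sits between the `qstr` declaration and the `SyckLevel *plvl;` / `int parentIndent;` declarations, so the block now mixes a statement into its declarations; C89 builds or `-Wdeclaration-after-statement` will reject or warn on this, and moving the assignment below `int parentIndent;` avoids it (the block may declare more variables past the end of this hunk). The write also goes through the result of `S_ALLOC_N( char, qcapa )` unchecked, here and in the SingleQuote, DoubleQuote and TransferMethod hunks; the macro's definition is not in this diff, so confirm it cannot return NULL. A one-line comment at each site, e.g. `/* nothing is appended for an empty scalar, so start NUL-terminated */`, would keep the initialisation from later being removed as redundant.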
@@ -1804,6 +1805,7 @@ SingleQuote:
int qidx = 0;
int qcapa = 100;
char *qstr = S_ALLOC_N( char, qcapa );
+ qstr[0] = '\0';
SingleQuote2:
YYTOKEN = YYCURSOR;
@@ -1962,6 +1964,7 @@ DoubleQuote:
int qidx = 0;
int qcapa = 100;
char *qstr = S_ALLOC_N( char, qcapa );
+ qstr[0] = '\0';
DoubleQuote2:
YYTOKEN = YYCURSOR;
@@ -2232,6 +2235,7 @@ TransferMethod:
int qidx = 0;
int qcapa = 100;
char *qstr = S_ALLOC_N( char, qcapa );
+ qstr[0] = '\0';
TransferMethod2:
YYTOKTMP = YYCURSOR;
@@ -2450,6 +2454,7 @@ ScalarBlock:
SyckLevel *lvl = CURRENT_LEVEL();
int parentIndent = -1;
+ qstr[0] = '\0';
switch ( *yyt )
{
case '|': blockType = BLOCK_LIT; break;
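Review bot: The relocated `qstr[0] = '\0';` in ScalarBlock has no comment saying why it must run before `switch ( *yyt )` rather than at its old position just ahead of `YYTOKEN = YYCURSOR;`. Presumably some path between the two positions can consume `qstr` before the terminator was written, but that code and the allocation of `qstr` are outside this hunk, so the ordering constraint is invisible to the next reader. Suggest adding `/* terminate qstr before anything below can read it; see CVE-2025-11683 */` on the line above the assignment.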
@@ -2472,7 +2477,6 @@ ScalarBlock:
}
}
- qstr[0] = '\0';
YYTOKEN = YYCURSOR;
ScalarBlock2: