CVE-2013-6393

Description

The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow.

How to fix CVE-2013-6393

To remediate CVE-2013-6393, upgrade the affected package to a fixed version below.

• Debian/libyaml—upgrade to 0.1.4-3 or later
• Debian/libyaml—upgrade to 0.1.3-1+deb6u2 or later
• —upgrade to 0.41-4 or later
• —upgrade to 0.33-1+squeeze2 or later
• —upgrade to 0.2.3 or later

Is CVE-2013-6393 being exploited?

Moderate — EPSS is 7.7%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (5)

• from 0, < 0.1.4-3
• from 0, < 0.1.3-1+deb6u2
• from 0, < 0.41-4
• from 0, < 0.33-1+squeeze2
• from 0, < 0.2.3

References (26)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-6393
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-6393
• PATCHbitbucket.org/xi/libyaml
• WEBadvisories.mageia.org/MGASA-2014-0040.html
• WEB