!45 [sync] PR-37: fix CVE-2024-3205

From: @openeuler-sync-bot 
Reviewed-by: @znzjugod 
Signed-off-by: @znzjugod

backport-CVE-2024-3205-Fix-emitter-states-handling-when-write_indicator-fails.patch

@@ -0,0 +1,52 @@
+From ff577b94511f9fc314435a1154f1124dccbe57ec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tina=20M=C3=BCller?= <cpan2@tinita.de>
+Date: Mon, 8 Apr 2024 23:32:52 +0200
+Subject: [PATCH] Fix emitter states handling when write_indicator fails
+
+There are cases where yaml_emitter_write_indicator fails.
+In that case POP is called on emitter->indents but not on emitter->states,
+which results in a leftover event in the stack, and later POP is called
+on an empty emitter->indents stack.
+
+This commit does not fix the case of the failing yaml_emitter_write_indicator.
+This is still investigated.
+---
+ src/emitter.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/emitter.c b/src/emitter.c
+index 609b28a4..0aca6c34 100644
+--- a/src/emitter.c
++++ b/src/emitter.c
+@@ -759,6 +759,7 @@ yaml_emitter_emit_flow_sequence_item(yaml_emitter_t *emitter,
+     {
+         emitter->flow_level --;
+         emitter->indent = POP(emitter, emitter->indents);
++        emitter->state = POP(emitter, emitter->states);
+         if (emitter->canonical && !first) {
+             if (!yaml_emitter_write_indicator(emitter, ",", 0, 0, 0))
+                 return 0;
+@@ -767,7 +768,6 @@ yaml_emitter_emit_flow_sequence_item(yaml_emitter_t *emitter,
+         }
+         if (!yaml_emitter_write_indicator(emitter, "]", 0, 0, 0))
+             return 0;
+-        emitter->state = POP(emitter, emitter->states);
+ 
+         return 1;
+     }
+@@ -808,6 +808,7 @@ yaml_emitter_emit_flow_mapping_key(yaml_emitter_t *emitter,
+             return 0;
+         emitter->flow_level --;
+         emitter->indent = POP(emitter, emitter->indents);
++        emitter->state = POP(emitter, emitter->states);
+         if (emitter->canonical && !first) {
+             if (!yaml_emitter_write_indicator(emitter, ",", 0, 0, 0))
+                 return 0;
+@@ -816,7 +817,6 @@ yaml_emitter_emit_flow_mapping_key(yaml_emitter_t *emitter,
+         }
+         if (!yaml_emitter_write_indicator(emitter, "}", 0, 0, 0))
+             return 0;
+-        emitter->state = POP(emitter, emitter->states);
+ 
+         return 1;
+     }

backport-Improve-CMake-build-system.patch

@@ -0,0 +1,141 @@
+From fe3d086fa75a289d6e4085df6f855f4c88c8d7c2 Mon Sep 17 00:00:00 2001
+From: Jean-Christophe Fillion-Robin <jchris.fillionr@kitware.com>
+Date: Thu, 30 Nov 2017 08:14:27 -0500
+Subject: [PATCH] Improve CMake build system
+
+New build options
+-----------------
+
+* Add option BUILD_TESTING by default ON
+See https://cmake.org/cmake/help/v2.8.12/cmake.html#module:CTest
+
+* Simplify library type selection using standard option BUILD_SHARED_LIBS
+See https://cmake.org/cmake/help/v3.0/variable/BUILD_SHARED_LIBS.html
+
+yamlConfig.cmake
+----------------
+
+* Generate and install yamlConfig.cmake, yamlConfigVersion.cmake and yamlTargets.cmake
+
+* Bump CMake version and explicitly associate include dirs with targets
+See https://cmake.org/cmake/help/v3.0/manual/cmake-buildsystem.7.html#include-directories-and-usage-requirements
+
+* Ensure building against libyaml using "find_package(yaml)" uses expected compile options: Set HAVE_CONFIG_H
+as private compile option, YAML_DECLARE_STATIC as public
+
+Testing
+-------
+
+* Build all examples from "tests" directory
+
+CMake Best practices
+--------------------
+
+* configure "config.h" based on version info found in CMakeLists.txt
+
+* Ensure buildsystem re-generation listing sources (best-practice)
+
+It is not recommended to use GLOB to collect a list of source files from
+the source tree. If no CMakeLists.txt file changes when a source is added
+or removed then the generated build system cannot know when to ask CMake
+to regenerate.
+
+See https://cmake.org/cmake/help/v3.8/command/file.html
+
+Compilation warnings
+--------------------
+
+* Set _CRT_SECURE_NO_WARNINGS if building using VisualStudio
+
+This will avoid warnings like this one:
+
+```
+C:\projects\libyaml\tests\run-emitter.c(268): warning C4996: 'fopen':
+This function or variable may be unsafe. Consider using fopen_s instead.
+To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for
+details.
+```
+
+Continuous Integration
+----------------------
+
+* travis: Install CMake >= 3.x using scikit-ci-addons
+
+* Add comments to appveyor.yml and run-tests.sh
+---
+ cmake/config.h.in    |   4 ++
+ tests/CMakeLists.txt |  27 +++++++
+ yamlConfig.cmake.in  |  16 +++++
+ 3 files changed, 47 insertions(+), 0 deletions(-)
+ create mode 100644 cmake/config.h.in
+ create mode 100644 tests/CMakeLists.txt
+ create mode 100644 yamlConfig.cmake.in
+
+diff --git a/cmake/config.h.in b/cmake/config.h.in
+new file mode 100644
+index 0000000..51e2e24
+--- /dev/null
++++ b/cmake/config.h.in
+@@ -0,0 +1,4 @@
++#define YAML_VERSION_MAJOR @YAML_VERSION_MAJOR@
++#define YAML_VERSION_MINOR @YAML_VERSION_MINOR@
++#define YAML_VERSION_PATCH @YAML_VERSION_PATCH@
++#define YAML_VERSION_STRING "@YAML_VERSION_STRING@"
+diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
+new file mode 100644
+index 0000000..d10b424
+--- /dev/null
++++ b/tests/CMakeLists.txt
+@@ -0,0 +1,27 @@
++
++function(add_yaml_executable name)
++  add_executable(${name} ${name}.c)
++  target_link_libraries(${name} yaml)
++endfunction()
++
++foreach(name IN ITEMS
++  example-deconstructor
++  example-deconstructor-alt
++  example-reformatter
++  example-reformatter-alt
++  run-dumper
++  run-emitter
++  run-emitter-test-suite
++  run-loader
++  run-parser
++  run-parser-test-suite
++  run-scanner
++  test-reader
++  test-version
++  )
++  add_yaml_executable(${name})
++endforeach()
++
++add_test(NAME version COMMAND test-version)
++add_test(NAME reader COMMAND test-reader)
++
+diff --git a/yamlConfig.cmake.in b/yamlConfig.cmake.in
+new file mode 100644
+index 0000000..dd3f8ee
+--- /dev/null
++++ b/yamlConfig.cmake.in
+@@ -0,0 +1,16 @@
++# Config file for the yaml library.
++#
++# It defines the following variables:
++#   yaml_LIBRARIES    - libraries to link against
++
++@PACKAGE_INIT@
++
++set_and_check(yaml_TARGETS "@PACKAGE_CONFIG_DIR_CONFIG@/yamlTargets.cmake")
++
++if(NOT yaml_TARGETS_IMPORTED)
++  set(yaml_TARGETS_IMPORTED 1)
++  include(${yaml_TARGETS})
++endif()
++
++set(yaml_LIBRARIES yaml)
++
+-- 
+2.27.0
+

fix-heap-buffer-overflow-in-yaml_emitter_emit_flow_m.patch

@@ -0,0 +1,26 @@
+From 7015a5e99fecc195e36f2334b046b19abfc718c1 Mon Sep 17 00:00:00 2001
+From: panxiaohe <panxh.life@foxmail.com>
+Date: Mon, 18 Apr 2022 15:26:11 +0800
+Subject: [PATCH] fix heap buffer overflow in
+ yaml_emitter_emit_flow_mapping_key
+
+---
+ src/emitter.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/emitter.c b/src/emitter.c
+index 609b28a..a9f39ec 100644
+--- a/src/emitter.c
++++ b/src/emitter.c
+@@ -806,6 +806,8 @@ yaml_emitter_emit_flow_mapping_key(yaml_emitter_t *emitter,
+ 
+     if (event->type == YAML_MAPPING_END_EVENT)
+     {
++        if (STACK_EMPTY(emitter, emitter->indents))
++            return 0;
+         emitter->flow_level --;
+         emitter->indent = POP(emitter, emitter->indents);
+         if (emitter->canonical && !first) {
+-- 
+1.8.3.1
+

libyaml.spec

@@ -1,22 +1,29 @@
 Name:       libyaml
 Version:    0.2.5
-Release:    1
+Release:    6
 Summary:    A C library for parsing and emitting YAML
 License:    MIT
-URL:        http://pyyaml.org/
-Source0:    http://pyyaml.org/download/libyaml/yaml-%{version}.tar.gz
+URL:        https://github.com/yaml/libyaml
+Source0:    https://github.com/yaml/libyaml/releases/download/%{version}/yaml-%{version}.tar.gz
+
+Patch0:     fix-heap-buffer-overflow-in-yaml_emitter_emit_flow_m.patch 
+Patch1:     backport-Improve-CMake-build-system.patch
+Patch2:     backport-CVE-2024-3205-Fix-emitter-states-handling-when-write_indicator-fails.patch
 
 BuildRequires:  gcc
 
 %description
-${summary}.
+YAML is a data serialization format designed for human readability and
+interaction with scripting languages.  LibYAML is a YAML parser and
+emitter written in C.
 
 %package devel
 Summary:   Development files for LibYAML applications
 Requires:  libyaml = %{version}-%{release}, pkgconfig
 
 %description devel
-%{summary}.
+The %{name}-devel package contains libraries and header files for
+developing applications that use LibYAML.
 
 %package help
 Summary:    Documents for using LibYAML
@@ -67,6 +74,22 @@ make check
 
 
 %changelog
+* Thu Apr 25 2024 fuanan <fuanan3@h-partners.com> - 0.2.5-6
+- fix CVE-2024-3205
+
+* Sat May 27 2023 fuanan <fuanan3@h-partners.com> - 0.2.5-5
+- Support cmake build system
+- Modify URL and Source0
+
+* Fri Nov 18 2022 chenziyang <chenziyang4@huawei.com> - 0.2.5-4
+- Fix heap buffer overflow in yaml_emitter_emit_flow_sequence_item
+
+* Mon Apr 18 2022 panxiaohe <panxh.life@foxmail.com> - 0.2.5-3
+- fix heap buffer overflow in yaml_emitter_emit_flow_mapping_key
+
+* Wed Feb 23 2022 fuanan <fuanan3@h-partners.com> - 0.2.5-2
+- fix typo in spec
+
 * Mon Jul 27 2020 Hugel <gengqihu1@huawei.com> - 0.2.5-1
 - update to 0.2.5