| Package | libyaml-syck-perl |
|---|---|
| Version | 1.31-1+deb10u1 (buster), 1.29-1+deb9u1 (stretch) |
| Related CVEs | CVE-2025-11683 CVE-2026-4177 |
-
CVE-2025-11683
Missing null terminators in
token.cleads to but-of-bounds read which allows adjacent variable to be read. The issue is seen with complex YAML files with a hash of all keys and empty values. -
CVE-2026-4177
Several security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated
n->type_idin place, corrupting shared node data. A memory leak occurred insyck_hdlr_add_anchorwhen a node already had an anchor. The incoming anchor string'a'was leaked on early return.
For Debian 10 buster, these problems have been fixed in version 1.31-1+deb10u1.
For Debian 9 stretch, these problems have been fixed in version 1.29-1+deb9u1.
We recommend that you upgrade your libyaml-syck-perl packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.