Bug 860617 (CVE-2013-6393) - VUL-0: CVE-2013-6393: libyaml: heap based buffer overflow due to integer misuse
Summary: VUL-0: CVE-2013-6393: libyaml: heap based buffer overflow due to integer misuse
Status: RESOLVED FIXED
Alias: CVE-2013-6393
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Deadline: 2014-04-03
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:released:sle11-sp2:56580 maint...
Reported: 2014-01-27 16:44 UTC by Alexander Bergmann
Modified: 2016-04-17 15:08 UTC

Description Alexander Bergmann 2014-01-27 16:44:42 UTC
CRD: Jan 27th 2014 after 1600 UTC.

> This is a heads-up on an embargoed security issue in libyaml found by
> Florian Weimer of the Red Hat Product Security Team.
> 
> This issue can be considered public on Jan 27th 2014 after 1600 UTC.
> 
> A heap based buffer overflow due to integer misuse may be triggered when
> parsing large yaml documents.
> 
> Please see the attached patches for details.
Comment 1 Alexander Bergmann 2014-01-27 16:47:37 UTC
Created attachment 575985
CVE-2013-6393-string-overflow.patch
Comment 2 Alexander Bergmann 2014-01-27 16:48:17 UTC
Created attachment 575987
CVE-2013-6393-node-id-hardening.patch
Comment 3 Alexander Bergmann 2014-01-27 16:49:06 UTC
Created attachment 575988
CVE-2013-6393-indent-column-overflow.patch
Comment 4 Alexander Bergmann 2014-01-27 16:59:53 UTC
libyaml lives inside the SDK so only openSUSE seems to be affected.

I couldn't find Cristian Rodriguez inside the Novell phonebook so I've added his opensuse.org address to the CC list.
Comment 6 Alexander Bergmann 2014-01-28 07:31:23 UTC
Created attachment 576077
Updated libyaml-indent-column-overflow.patch
Comment 7 Swamp Workflow Management 2014-01-28 23:00:14 UTC
bugbot adjusting priority
Comment 9 Jordi Massaguer 2014-02-07 14:58:47 UTC
I've already submitted the fixes for openSUSE 12.3 and 13.1
Comment 10 Bernhard Wiedemann 2014-02-07 15:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (860617) was mentioned in
https://build.opensuse.org/request/show/221258 12.3 / libyaml
https://build.opensuse.org/request/show/221259 13.1 / libyaml
Comment 13 Bernhard Wiedemann 2014-02-07 17:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (860617) was mentioned in
https://build.opensuse.org/request/show/221285 Factory / libyaml
Comment 14 Swamp Workflow Management 2014-02-19 09:44:03 UTC
The SWAMPID for this issue is 56289.
This issue was rated as moderate.
Please submit fixed packages until 2014-03-05.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 15 Swamp Workflow Management 2014-02-21 17:07:10 UTC
openSUSE-SU-2014:0272-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 860617
CVE References: CVE-2013-6393
Sources used:
openSUSE 13.1 (src):    libyaml-0.1.4-2.4.1
openSUSE 12.3 (src):    libyaml-0.1.3-11.4.1
Comment 16 Swamp Workflow Management 2014-02-21 18:04:20 UTC
openSUSE-SU-2014:0273-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 860617
CVE References: CVE-2013-6393
Sources used:
openSUSE 11.4 (src):    libyaml-0.1.3-6.1
Comment 17 Marcus Meissner 2014-03-05 10:05:26 UTC
QA spotted this Red Hat Bugzilla entry:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6393

Original report from Debian:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738587

===
The patch libyaml-indent-column-overflow-v2.patch applied for the
update to address CVE-2013-6393 introduces a regression which can be
seen when parsing a small YAML sample file with the tests/run-parser.c
utility:

----cut---------cut---------cut---------cut---------cut---------cut-----
%YAML 1.1
--- # Indented Block
  name: John Smith
  age: 33
--- # Inline Block
{name: John Smith, age: 33}
----cut---------cut---------cut---------cut---------cut---------cut-----

Compiling run-parser.c in the source and running it against this YAML file
leads, with the patch applied, to:

# ./run-parser ./regression.yaml 
[1] Parsing './regression.yaml': FAILURE (9 events)

Upstream indeed has addressed this part slightly differently, with [1]
and [2].

 [1] https://bitbucket.org/xi/libyaml/commits/f859ed1eb757a3562b98a28a8ce69274bfd4b3f2
 [2] https://bitbucket.org/xi/libyaml/commits/af3599437a87162554787c52d8b16eab553f537b
===
Comment 18 Marcus Meissner 2014-03-05 14:10:52 UTC
Jordi, the update was rejected ... can you redo the packages ... perhaps with the upstream fix now instead of the other one?
Comment 19 Swamp Workflow Management 2014-03-17 09:04:22 UTC
openSUSE-SU-2014:0381-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 860617
CVE References: CVE-2013-6393
Sources used:
openSUSE 13.1 (src):    libyaml-0.1.4-2.8.1
openSUSE 12.3 (src):    libyaml-0.1.3-11.8.1
Comment 22 Swamp Workflow Management 2014-03-19 19:49:55 UTC
Update released for: libyaml-0-2
Products:
SLE-STUDIOONSITE 1.3 (x86_64)
SUSE-MANAGER 1.7 (x86_64)
Comment 23 Swamp Workflow Management 2014-03-19 23:04:39 UTC
SUSE-SU-2014:0403-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 860617
CVE References: CVE-2013-6393
Sources used:
SUSE Studio Onsite 1.3 (src):    libyaml-0.1.3-0.10.10.1
SUSE Manager 1.7 for SLE 11 SP2 (src):    libyaml-0.1.3-0.10.10.1
Comment 24 SMASH SMASH 2014-03-20 06:10:14 UTC
Affected packages:

SLE-11-SP2-PRODUCTS: libyaml
Comment 25 Swamp Workflow Management 2014-03-20 06:25:50 UTC
The SWAMPID for this issue is 56726.
This issue was rated as moderate.
Please submit fixed packages until 2014-04-03.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 26 Swamp Workflow Management 2014-03-27 08:45:39 UTC
Update released for: libyaml, libyaml-0-2
Products:
SUSE-CLOUD 3.0 (x86_64)
Comment 27 Swamp Workflow Management 2014-03-27 08:46:30 UTC
Update released for: libyaml, libyaml-0-2, libyaml-debuginfo, libyaml-debugsource, libyaml-devel
Products:
SLE-STUDIOONSITE 1.3 (x86_64)
SUSE-MANAGER 1.7 (x86_64)
Comment 28 Swamp Workflow Management 2014-03-27 12:04:24 UTC
SUSE-SU-2014:0456-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 860617,868944
CVE References: CVE-2013-6393,CVE-2014-2525
Sources used:
SUSE Studio Onsite 1.3 (src):    libyaml-0.1.3-0.10.12.1
SUSE Manager 1.7 for SLE 11 SP2 (src):    libyaml-0.1.3-0.10.12.1
SUSE Cloud 3 (src):    libyaml-0.1.3-0.10.12.1
Comment 30 Bernhard Wiedemann 2014-03-29 14:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (860617) was mentioned in
https://build.opensuse.org/request/show/228178 Factory / libyaml
Comment 33 Bernhard Wiedemann 2015-02-10 12:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (860617) was mentioned in
https://build.opensuse.org/request/show/285086 13.2+13.1 / perl-YAML-LibYAML
Comment 34 Swamp Workflow Management 2015-02-18 16:05:17 UTC
openSUSE-SU-2015:0319-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 751503,860617,868944,907809,911782
CVE References: CVE-2012-1152,CVE-2013-6393,CVE-2014-2525,CVE-2014-9130
Sources used:
openSUSE 13.2 (src):    perl-YAML-LibYAML-0.59-2.4.1
openSUSE 13.1 (src):    perl-YAML-LibYAML-0.59-6.4.1
Comment 36 Swamp Workflow Management 2015-05-27 15:05:46 UTC
SUSE-SU-2015:0953-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 860617,868944,907809,911782
CVE References: CVE-2013-6393,CVE-2014-2525,CVE-2014-9130
Sources used:
SUSE Linux Enterprise Server 12 (src):    perl-YAML-LibYAML-0.38-10.1
Comment 37 Swamp Workflow Management 2015-05-27 16:05:26 UTC
SUSE-SU-2015:0953-2: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 860617,868944,907809,911782
CVE References: CVE-2013-6393,CVE-2014-2525,CVE-2014-9130
Sources used:
SUSE Linux Enterprise Server 12 (src):    perl-YAML-LibYAML-0.38-10.1
SUSE Linux Enterprise Desktop 12 (src):    perl-YAML-LibYAML-0.38-10.1
Comment 38 Swamp Workflow Management 2016-04-17 15:08:10 UTC
openSUSE-SU-2016:1067-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 860617,868944,907809,911782
CVE References: CVE-2013-6393,CVE-2014-2525,CVE-2014-9130
Sources used:
openSUSE Leap 42.1 (src):    perl-YAML-LibYAML-0.38-4.1